Intro
Hello and welcome to the second part of our two-part blog post where we take a deep dive into the Digital Operational Resilience Act (DORA). For those of you joining us now, I would advise you to read Part I first to get the whole picture of this pivotal regulatory framework.
For the rest of you, let’s get stuck in.
DORA’s Detailed Impact and Operational Requirements
This part delves into the practical requirements for financial entities to comply with DORA, specifically focusing on the internal processes needed to manage ICT risks. It explains cost-effective approaches to ICT risk management, the role of cyber threat intelligence sharing, and improvements in incident management. It also covers critical areas like ICT system resilience, digital resilience testing, and how DORA addresses third-party risks, including microenterprise considerations.
What must financial entities do to manage ICT risks internally?
To manage ICT risks, DORA requires financial entities to implement risk management frameworks that address security, availability, and continuity of ICT services. The management body is ultimately responsible for overseeing ICT risk management, ensuring the resilience of critical functions and reviewing policies for business continuity and third-party services. DORA also emphasizes the importance of continuous risk assessments, monitoring critical ICT assets, and maintaining effective incident management protocols.
Non-microenterprise entities must designate roles to oversee third-party ICT risks and ensure ongoing training on ICT risks.
How does DORA ensure a cost-effective approach to ICT risk management?
A central aspect of DORA is the proportionality principle, requiring financial entities to tailor their ICT risk management practices based on their size, risk profile, and operational complexity. Competent authorities assess compliance to ensure entities implement appropriate ICT risk management measures for their specific context. This approach ensures that smaller entities can comply without being burdened by excessively complex or costly requirements.
What role does cyber threat intelligence sharing play under DORA?
Cyber threat intelligence sharing is vital under DORA as it allows financial entities to exchange information about cyber threats, tactics, and mitigation strategies.
Entities must gather information on vulnerabilities and cyber threats, conducting post-incident reviews to assess disruptions’ causes and improve ICT operations and continuity. Lessons from resilience testing and real-life incidents should inform the ICT risk assessment process, and ongoing staff training should enhance cyber maturity. Crisis communication plans should manage the responsible disclosure of ICT incidents, with designated staff overseeing public relations during incidents.
Financial entities may exchange cyber threat intelligence to improve resilience, ensuring business confidentiality, data protection, and compliance with competition laws. Information-sharing arrangements must outline participation conditions, include public authorities and ICT third-party providers, and specify how information will be shared.
How does DORA improve incident management?
Monitoring and controlling ICT systems is mandatory, with protective measures to safeguard data and maintain access controls. Change management processes should be documented and tested regularly, and the ICT infrastructure must be designed for rapid disconnection to prevent risk spread. Detection mechanisms must identify ICT anomalies, network issues, and cyber threats promptly, triggering incident response processes and alerts.
Entities must classify ICT-related incidents and cyber threats based on factors like affected clients, incident duration, geographical spread, data losses, and economic impact. Classification ensures accurate and consistent severity assessments. When major incidents occur, entities must report them to authorities, providing detailed updates throughout the incident lifecycle. Payment-related incidents must follow the same management and reporting requirements, ensuring consistency across sectors.
To harmonize incident reporting, common standards will be developed across the financial sector, guiding what information should be included, submission time limits, and incident categorization. A centralised EU Hub for ICT incident reporting may be created to streamline processes and enhance supervisory oversight, reducing costs. Competent authorities will provide feedback on reported incidents, offering guidance, anonymized information, and risk mitigation suggestions. Annual reports will track major ICT incidents’ nature and impact.
How does DORA address ICT system resilience and protection?
A comprehensive ICT risk management framework must protect all ICT assets from risks such as damage or unauthorized access. Regular reviews and internal audits are required, and entities must align their digital operational resilience strategy with business objectives, testing it periodically. Financial entities are responsible for compliance, even when using a multi-vendor ICT strategy.
ICT systems deployed by financial entities must be reliable and resilient, handling peak transaction volumes and adapting to new technologies while ensuring security, data integrity, and business continuity. Entities must identify, classify, and document all ICT-supported business functions and assets, continuously assessing risks, particularly those linked to third-party service providers. Mapping and regular updates of critical ICT assets are necessary to manage risks effectively.
To ensure continuity of critical functions, entities must implement ICT business continuity and recovery plans, including containment measures, crisis communication strategies, and recovery objectives. Regular testing, impact assessments, and post-incident reviews should lead to policy improvements. Backup policies must ensure timely recovery of ICT systems and data, with regularly tested backup systems and redundant capacities to maintain business resilience during disruptions.
What digital resilience testing is required under DORA?
Financial entities, except microenterprises, must establish a comprehensive digital operational resilience testing program. This program assesses preparedness, identifies weaknesses, and implements corrective measures through tests such as vulnerability assessments, network security reviews, and penetration testing. Testing must be done by independent parties to avoid conflicts of interest, and ICT systems supporting critical functions must be tested at least once a year.
Test results must be reported to authorities with remediation plans in place. Testers must have expertise in threat intelligence and penetration testing, be certified, and covered by insurance. Internal testers must be approved, have sufficient resources, and avoid conflicts of interest.
How should microenterprises approach digital resilience testing?
Microenterprises should apply a risk-based testing approach, balancing available resources with risks. Advanced testing, using Threat-Led Penetration Testing (TLPT), is required every three years for non-microenterprises, focusing on critical functions and services from third-party ICT providers. TLPT involves simulating real-world cyber-attacks on ICT systems and services to identify vulnerabilities that could lead to operational disruptions, and it ensures that systems are robust and resilient against potential cyber threats and disruptions.
How does DORA address third-party risks?
Financial entities must manage ICT third-party risks within their broader ICT risk management framework, ensuring compliance for critical services. This includes risk management strategies, due diligence on providers, and maintaining a register of contracts. Contracts must meet high security standards, with access, audit, and inspection rights. In cases of issues, contracts may be terminated, and exit strategies for business continuity must be implemented.
Entities must assess ICT concentration risks, considering reliance on non-substitutable providers or multiple connected providers. When third parties subcontract critical services, risks like data recovery and compliance with Union data protection laws must be evaluated. Contracts for critical services should include SLAs, security measures, audits, inspections, and participation in penetration testing.
The ESAs should develop regulatory standards, focusing on subcontracting and risk management. Critical ICT providers will be designated based on their potential financial stability impact and subject to oversight. Providers outside the EU must establish a subsidiary in the Union.
Outro
We hope this article helped you grasp the basics of DORA and gave you a starting point if you want to research the subject in depth.
Until next time.