The Digital Operational Resilience Act is a new, critical act within the EU financial regulation. It is designed to improve the cybersecurity and operational resiliency of the financial service entities primarily around the ICT (information and communication technology) area. The objective of DORA is to enhance standards in how financial service organisations manage ICT risk internally and for external suppliers to ensure that the international EU financial system is protected.
Why was DORA created?
DORA was created to strengthen the financial sector’s resilience to cybersecurity incidents in recognition that ICT services and platforms are fundamental to the delivery of modern financial services. Its purpose is to ensure that the financial sector and its suppliers have the safeguards in place to mitigate the risks of a cyber-attack.
When is DORA coming into force?
It is coming into force on the 17 January 2025. There is a 24-month adoption period.
What do Financial Institutions need to do?
The Act requires financial institutions to report data breaches to regulators within a certain time of discovery. Financial institutions will be required to impose the same breach reporting requirements on their suppliers and service providers as part of their contractual obligations. If an organisation is not willing to accept these terms, then DORA prohibits the financial institution from doing business with them.
DORA Framework Requirements
5 Key Focuses within DORA:
Risk Management – This area concentrates on reviewing all internal, external, and critical supplier ICT risks. Taking a deep dive into the different services, platforms, and tools that the organisation needs to produce a robust plan for improving or dealing with any of the risks that have been identified.
Incident Management– Ensuring robust processes and procedures are in place to identify incidents and assess them, evaluate them, manage them, and then report them either to their customers or to the regulator.
A good strategy would be having a Cyber Security Operations Center [CSOC] in place that can detect potential issues or incidents early on, ideally remediate them rapidly through automation or rapid human intervention. They can analyse the root cause to understand what happened, how it happened and what can prevent this happening in the future. This is then reported to the appropriate body or at least internally to ensure that there is good visibility.
Digital Operational Resilience Testing – This is critical but often overlooked. A plan is a good start, but the plan must be tested and amended. If an incident does occur, the relevant teams, internally and externally, must know what actions to take.
ICT Third Party Risk Management – This part focuses on a strategy to successfully risk assess and plan for managing identified risks within your third parties and critical suppliers.
This can be performed on the platform area such as cloud infrastructure from Microsoft, Google or AWS, SaaS providers, or even managed service providers that are tightly integrated with IT teams or within the IT infrastructure. All these different elements will come into scope and need to be understood. Businesses need to make sure that incident management also extends to those services, either directly from the business, and that the incident management, risk management, mitigations, controls, and processes within your third party meet the standards.
The next area of focus is around operational resilience. How do businesses ensure the process and procedures in place to be resilient? What would this look like? With items such as high availability and backup systems that can recover quickly from issues and that can be well tested. Key stakeholders need to be familiar with the plan because the more businesses test, the more a business can be reflective and the better and quicker they can respond.
Information and Intelligence Sharing – A key goal is that financial service entities will share information around incidents, threats vulnerabilities, and best practice’s with each other to ensure that its benefits spread across all different sized entities. Whether that’s a very large financial service who has a very dedicated security ICT team or a smaller supplier who doesn’t have that level of resource.
CWSI is uniquely placed to assist financial organisations with identifying, implementing, and managing the necessary cybersecurity measures that should be taken to secure their operations in an increasingly uncertain technology landscape.
The key areas outlined in the Digital Operational Resilience Act, when deployed effectively, offer security and peace of mind to allow organisations to focus on core business functions.
CWSI intentionally focus on providing modern, managed security solutions, partnering with market leading software vendors, to help clients to get secure and stay secure. We have an unrivalled understanding of modern mobile operating systems – how to secure them, and how to integrate them with today’s cloud-based infrastructure and applications. Our services are flexible, scalable, and responsive, with 24/7 options available. All services are backed by CWSI’s ISO 27001 and Cyber Essentials Plus certifications, which cover all aspects of the business and all the services we offer, reassuring clients that we practice what we preach.