Navigating DORA Compliance: The Role of Automation Technology!

Generative AI
CyberRisk
July 13, 2023

Introduction

The Digital Operational Resilience Act (DORA) is a significant regulatory framework that was passed by the European Union and entered into force on January 16, 2023. DORA aims to enhance the operational resilience of financial entities by addressing cyber threats and ensuring their ability to withstand and recover from cyber incidents. It emphasizes the need for organizations to adopt a proactive approach to cybersecurity, focusing on risk assessment, incident management, and continuous monitoring. DORA also highlights the importance of third-party risk management and the protection of personal data. By implementing DORA's requirements, businesses can strengthen their cybersecurity posture and contribute to the overall resilience of the financial system.

The implementation of DORA involves a gradual rollout of requirements over a specific timeframe. While the act entered into force on January 16, 2023, many of its requirements will be phased in gradually through 2024. This approach allows organizations to adapt and prepare for compliance, ensuring a smooth transition. Leading organizations in the cybersecurity community are taking a proactive approach by initiating early preparations and implementing measures to meet DORA's requirements. By proactively addressing the key areas of change encouraged by DORA, these organizations are positioning themselves ahead of the compliance curve and demonstrating their commitment to operational resilience and cybersecurity best practices.  

What Problems Does DORA Solve: Harmonizing EU Regulations

DORA addresses several problems related to fragmented legal frameworks within the European Union concerning ICT (Information and communication technology) risks and operational resilience. Prior to DORA, member states had the freedom to develop and adopt their own national regulations, standards, and requirements for operational resilience and cybersecurity. This resulted in a fragmented landscape with varying rules across different countries, creating challenges for cross-border financial entities operating within the EU.

To solve this problem, DORA aims to harmonize the rules and eliminate the need for member states to develop their own regulations. By providing a unified framework, DORA brings legal clarity and consistency to digital resilience regulations across the European Union. This harmonization ensures that cross-border financial entities no longer have to navigate a complex web of disparate regulations but can instead adhere to a single set of requirements applicable across EU member states.

DORA goes beyond just harmonization and streamlines existing rules while introducing new requirements. The new legal framework acknowledges the evolving nature of operational resilience and cybersecurity challenges. It modernizes the regulatory landscape by incorporating updated measures and standards that address emerging risks and technologies. This approach allows for a more comprehensive and effective response to the complex and rapidly changing threat landscape faced by financial entities operating in the digital sphere.

Overall, DORA solves the problem of fragmented legal frameworks by providing a harmonized and streamlined regulatory framework for operational resilience and cybersecurity within the European Union. It promotes legal clarity, consistency, and modernization, ensuring cross-border financial entities have clear guidelines to adhere to and facilitating a more resilient and secure digital environment.  

DORA's Scope

DORA applies to a wide range of financial institutions regulated at the EU level. Some of the types of financial institutions affected by DORA include:

·  Banks: DORA applies to both traditional banks and online banking platforms, ensuring they have robust cybersecurity measures in place to protect customer data and maintain operational resilience.

·  Investment Firms: DORA covers investment firms that provide various financial services, including asset management, brokerage, and advisory services, ensuring they have adequate cybersecurity controls to safeguard client information.

·  Market Infrastructure Providers: DORA includes market infrastructure providers such as stock exchanges, clearinghouses, and settlement systems, ensuring the resilience and security of critical financial market infrastructure.

·  Insurance Companies: DORA extends its scope to insurance companies, ensuring they have appropriate cybersecurity measures to protect policyholder data and maintain operational continuity.

·  Payment Institutions: DORA covers payment institutions, including payment service providers and fintech companies that offer payment services, ensuring secure and resilient payment systems and protecting customer financial information.

·  Electronic Money Institutions: DORA applies to electronic money institutions, which issue electronic money and provide related services, ensuring secure handling of electronic money transactions and protecting user funds.

In addition to the financial institutions themselves, DORA also places emphasis on the role of third-party service providers. These third parties serve the financial institutions by providing various services, including IT infrastructure, cloud services, software development, and data processing. DORA mandates that financial institutions assess the cybersecurity posture of their third-party service providers and ensure they adhere to appropriate security standards. This highlights the importance of robust vendor management programs, due diligence exercises, and contractual obligations to ensure the overall resilience and security of the financial system.
Key Cybersecurity Controls for DORA Compliance

There are six areas of focus under DORA:

  1. Cybersecurity Governance: DORA places a strong emphasis on cybersecurity governance, with senior management playing a critical role. This control requires organizations to establish a robust governance framework, define policies and procedures, and assign accountability for ICT risk management. It involves defining roles, conducting risk assessments, and implementing appropriate security controls to ensure effective cybersecurity governance.
  2. Risk Management: DORA mandates a comprehensive risk management approach for ICT-related risks. This control includes implementing the 3LOD (Three Lines of Defense) model for ICT risk management, developing a digital resilience strategy, and setting risk tolerance levels for ICT risks and disruptive events. It involves regular risk assessments, vulnerability management, threat intelligence analysis, and mitigation measures to address identified risks.
  3. ICT Incident Reporting: DORA requires organizations to establish processes for consistent detection and handling of ICT-related incidents. It outlines specific requirements for initial, intermediate, and final notification of incidents. Additionally, DORA establishes a single EU Hub for reporting major ICT-related incidents, ensuring effective communication and coordination in response to significant incidents.
  4. Testing and Monitoring: DORA emphasizes a risk-based approach to testing and monitoring. This control encompasses various aspects such as penetration testing, physical security reviews, scenario-based tests, and end-to-end resilience testing. Organizations are required to conduct these assessments regularly to identify vulnerabilities, test response capabilities, and ensure the effectiveness of their cybersecurity measures.
  5. Vendor and Third-Party Risk Management: DORA mandates a comprehensive approach to managing vendor and third-party risks. Organizations must identify, assess, and report critical or important functions performed by service providers. This control also includes analyzing potential concentration risks, particularly when using providers in third countries. DORA provides specific requirements and guidelines to ensure robust vendor and third-party risk management practices.
  6. Information Sharing: DORA encourages entities to share cyber threat information and intelligence. This control emphasizes the importance of sharing indicators of compromise, tactics, techniques, and procedures to enhance collective cybersecurity defenses. By fostering information sharing, DORA aims to improve situational awareness and facilitate a proactive response to emerging cyber threats.

By implementing these key cybersecurity controls, organizations can align their practices with DORA requirements and enhance their operational resilience and cybersecurity posture.