Understanding DORA: What It Is and Why It Matters for Financial Entities

In the evolving landscape of digital finance, the importance of robust cybersecurity measures cannot be overstated. The European Union’s Digital Operational Resilience Act (DORA) represents a pivotal step towards safeguarding the financial sector against the growing complexities of cyber threats. If your organization operates within the financial services ecosystem or provides ICT services to this sector, understanding DORA is crucial.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation specifically designed to enhance and unify the cyber resilience of the financial sector across Europe. Starting January 16, 2023, with full application in January 17, 2025, DORA mandates that financial institutions and ICT service providers supporting these institutions adopt stringent cybersecurity measures. DORA’s primary goal is to ensure that the financial sector remains operationally resilient in the face of severe disruptions, particularly those arising from cyber incidents.

Why Was DORA Created?

In recent years, the financial sector has become increasingly reliant on technology, which has, in turn, made it more vulnerable to cyberattacks. DORA was created in response to the need for an approach to cybersecurity within the EU’s financial sector. By implementing DORA, the EU aims to mitigate the risks posed by the digital transformation of financial services, thereby safeguarding the sector against the potential fallout from cyber incidents.

Key Components of DORA

DORA introduces several key requirements that financial entities must comply with to ensure their digital resilience:

1. ICT Risk Management Framework: Financial institutions must implement an ICT Risk Management Framework that addresses the specific digital risks they face. This framework should be comprehensive and integrated into the overall risk management strategies of the institution.
2. Incident Reporting: Entities must have robust processes for detecting, managing, and reporting significant ICT-related incidents. These incidents must be reported to the relevant authorities in a timely and structured manner.
3. Digital Operational Resilience Testing: Regular testing of an entity’s digital resilience is mandatory under DORA. This includes threat-led penetration testing to assess vulnerabilities and resilience to potential cyber threats.
4. Third-Party Risk Management: DORA emphasizes the importance of managing risks associated with third-party ICT service providers. This is critical because a cyberattack on a supplier can have cascading effects on the financial institution itself.
5. Information Sharing: DORA requires financial institutions to share threat intelligence with other entities within the financial ecosystem. This collaborative approach aims to enhance the overall resilience of the sector by ensuring that entities are better informed and prepared to respond to emerging threats.

To start with DORA compliance, organizations should follow these five essential steps:

1. Conduct a Comprehensive Gap Analysis

• Action: Review your existing ICT risk management and cybersecurity frameworks to identify gaps in compliance with DORA’s requirements. This includes assessing your current incident reporting processes, digital resilience testing, and third-party risk management protocols.
• Why: A gap analysis will help you understand where your organization currently stands in terms of DORA compliance and what areas require improvement or enhancement.

2. Develop or Enhance an ICT Risk Management Framework

• Action: Either create a new ICT Risk Management Framework or update your existing one to meet DORA’s standards. This framework should be integrated into your overall risk management strategy and include policies for vulnerability management, incident response, and regular testing.
• Why: DORA mandates a comprehensive approach to managing ICT risks, which is critical for ensuring your organization’s digital resilience and security.

3. Implement Robust Incident Reporting Procedures

• Action: Establish or refine procedures for detecting, managing, and reporting ICT-related incidents. Ensure that these procedures are in line with DORA’s requirements for timely and accurate reporting to the relevant authorities.
• Why: Effective incident reporting is crucial for compliance with DORA and for mitigating the impact of any cyber incidents on your organization and the broader financial sector.

4. Enhance Third-Party Risk Management

• Action: Assess the cybersecurity posture of your third-party ICT service providers and implement measures to manage and mitigate risks associated with these external relationships. This may include reviewing contracts, conducting regular audits, and ensuring compliance with DORA’s third-party risk management guidelines.
• Why: DORA places significant emphasis on third-party risk management because vulnerabilities in your supply chain can pose substantial risks to your organization’s digital resilience.

5. Plan and Execute Regular Digital Resilience Testing

• Action: Develop a testing schedule that includes regular digital resilience assessments, such as threat-led penetration testing (TLPT). Ensure these tests are conducted by independent parties and cover all critical aspects of your ICT infrastructure.
• Why: Regular testing is a DORA requirement and is essential for identifying and addressing vulnerabilities in your ICT systems before they can be exploited by malicious actors.

By following these steps, your organization will be well on its way to achieving DORA compliance and enhancing its overall cybersecurity posture.

The Impact of DORA on Financial Institutions

For large financial institutions with mature cybersecurity measures already in place, DORA may require only incremental changes. However, for smaller entities or those with less developed security postures, DORA represents a significant regulatory burden. These organizations will need to undertake a thorough gap analysis to identify where their current practices fall short of DORA’s requirements and take steps to address these gaps before the regulation becomes fully applicable in 2025.

Moreover, DORA’s requirements extend beyond traditional financial institutions to include critical ICT service providers. This means that any company providing ICT services to the financial sector must also ensure that their cybersecurity measures are robust and compliant with DORA’s standards.

Why DORA Matters

The introduction of DORA is a clear indication of the increasing importance that regulators place on cybersecurity within the financial sector. As cyber threats continue to evolve in complexity and scale, the potential impact of a successful attack on the financial system could be catastrophic. DORA seeks to prevent such scenarios by ensuring that financial entities are not only aware of the risks but are also actively managing them.
As we approach the 2025 deadline for full compliance, now is the time for financial institutions to assess their current cybersecurity measures, identify any gaps, and implement the necessary changes to meet DORA’s requirements. By doing so, they will be better positioned to navigate the challenges of the digital age and continue to serve their customers with confidence.

Read our eBook  IBM i Encryption 101 to learn more about IBM i encryption and why it’s an essential part of security strategies.