If you’re looking for answers to your ‘How to comply with DORA?’ questions, then this article is for you.
With so much confusion around DORA, we explain what the five pillars of DORA are, how each area applies to specific financial service entities and ICT third-party service providers, plus what you can do to achieve DORA compliance.
So let’s dive in…
Introduction to the Five Pillars of DORA in the Financial Sector
The Digital Operational Resilience Act (DORA) is a groundbreaking regulation by the European Union, designed to bolster the digital security and operational resilience of financial entities. Much like the GDPR revolutionised data privacy, DORA is set to create a unified, comprehensive framework that ensures financial organisations can withstand, respond to, and recover from information and communication technology (ICT) related incidents. With its inception on January 16, 2023, and compliance deadline set for January 17, 2025, DORA aims to standardise the approach to ICT risk management across the financial sector, impacting over 22,000 entities, including credit institutions, investment companies, and even crypto-asset service providers.
The increasing frequency and sophistication of cyber threats pose significant risks to financial stability, as highlighted by the European Systemic Risk Board. DORA’s implementation will mitigate these risks by introducing clear guidelines, stringent reporting requirements, and robust resilience testing. This regulatory framework is critical not only for ensuring the operational continuity of individual entities but also for safeguarding the integrity of the entire financial system from systemic vulnerabilities that can propagate through interconnected ICT systems.
In this blog series, we will delve into the five foundational pillars of DORA:
1. ICT Risk Management
2. ICT-Related Incident Management
3. Digital Operational Resilience Testing
4. Managing ICT Third-Party Risk
5. Information Sharing.
Each pillar represents a vital component of the comprehensive resilience framework that DORA mandates, and understanding them is essential for financial entities aiming to achieve compliance and secure their operations against digital threats.
DORA’s timeline
16th Jan 2023
DORA has already entered into force
17th Jan 2024
A number of Final Reports on draft Regulatory Technical Standards (RTS) were released providing guidance on the implementation of DORA
17th Jul 2024
Additional Regulatory Technical Standards (RTS) are due to be released providing additional guidance on areas including, but not limited to, the format of reports for major incidents and the criteria used to designate third-party service providers as critical (CTPPs)
17th Jan 2025
Organisations have been granted a transition period until January 2025 to achieve full compliance
1. ICT Risk Management – Monitoring & Mitigating Risk
ICT Risk Management is the first pillar of DORA and forms the backbone of a financial entity’s digital resilience strategy. It requires entities to establish a comprehensive framework that not only identifies and documents critical ICT functions but also continuously monitors and mitigates risks.
A key aspect of ICT Risk Management under DORA is the emphasis on proactive measures. Financial entities must implement robust controls to prevent ICT incidents and minimise their impact. This involves setting up systems to detect anomalous activities, conducting regular risk assessments, and maintaining business continuity and disaster recovery plans.
One of the most critical elements of DORA’s ICT Risk Management framework is the management body’s responsibility. Senior management must play an active role in overseeing the ICT risk management framework, ensuring adequate resources and governance structures are in place. This includes conducting independent annual assessments and ensuring compliance with DORA’s stringent requirements, which align closely with international standards like ISO 27001 and NIST.
To comply with DORA, financial entities must also establish a range of policies covering everything from asset management and data encryption to incident management and business continuity. These policies serve as a guide for maintaining operational resilience and must be regularly reviewed and updated to address evolving threats.
In essence, ICT Risk Management under DORA is about building a robust defence that not only protects against current threats but also ensures long-term resilience in an ever-changing digital landscape.
2. ICT-Related Incident Management – Effective Response and Recovery
The second pillar of DORA, ICT-Related Incident Management, focuses on establishing a standardised approach to managing and reporting ICT-related incidents. This pillar is crucial for ensuring that financial entities can quickly detect, assess, and respond to incidents, minimising their impact on operations and financial stability.
DORA mandates that all major ICT incidents must be reported to National Competent Authorities (NCAs) within strict timelines: an initial report within four hours of classifying the incident as major, an intermediate report within three working days, and a final report within 20 working days after normal operations resume. This standardised reporting framework ensures that authorities are promptly informed and can coordinate responses to mitigate wider systemic risks.
Financial entities must develop a comprehensive Incident Management Policy that outlines the procedures for incident detection, classification, escalation, and resolution. This policy should also detail the roles and responsibilities of personnel involved in incident management, ensuring clear communication and efficient incident handling.
DORA emphasises the need for entities to inform affected clients about significant ICT incidents, providing details on the incident’s impact and steps taken to address it. This transparency helps maintain client trust and ensures that appropriate protective measures are implemented.
Overall, effective ICT-Related Incident Management is about being prepared to respond swiftly and effectively to any ICT incident, minimising disruption and protecting the financial ecosystem from cascading effects.
3. Digital Operational Resilience Testing – Ensuring Preparedness
The third pillar of DORA, Digital Operational Resilience Testing, requires financial entities to conduct regular, comprehensive tests of their ICT systems to ensure they can withstand and recover from disruptions. This proactive approach is essential for identifying weaknesses and implementing corrective measures to enhance overall resilience.
Under DORA, financial entities must perform various types of tests, including vulnerability assessments, network security reviews, and scenario-based tests. These tests help entities evaluate the effectiveness of their controls and identify potential areas for improvement.
A critical component of this pillar is Threat-Led Penetration Testing (TLPT). High-risk financial entities are required to conduct TLPT every three years to simulate real-world cyber-attacks and assess their ability to detect, respond to, and recover from such threats. This rigorous testing approach provides valuable insights into an entity’s preparedness and highlights areas where additional measures may be needed.
The results of these tests must be documented and reviewed regularly, with any identified weaknesses addressed promptly. This ensures that financial entities maintain a high level of operational resilience and are prepared to handle ICT incidents effectively.
By emphasising regular testing and continuous improvement, DORA’s Digital Operational Resilience Testing pillar ensures that financial entities are not only compliant but also capable of sustaining operations in the face of evolving digital threats.
4. Managing ICT Third-Party Risk – Safeguarding Against External Threats
In today’s interconnected financial ecosystem, the reliance on third-party providers for critical ICT services has become commonplace. However, this dependency introduces significant risks, which is why Managing ICT Third-Party Risk is one of the key pillars of the Digital Operational Resilience Act (DORA).
DORA mandates a comprehensive approach to Third-Party Risk Management (TPRM), ensuring that financial entities not only select trustworthy third-party providers but also continuously monitor and manage the associated risks throughout the relationship.
Key Requirements for Managing Third-Party Risk:
ICT Third-Party Risk Management Policy: Financial entities must develop and maintain a robust ICT Third-Party Risk Management Policy. This policy should outline the process for assessing potential third-party providers, specifying how risks will be managed and mitigated throughout the lifecycle of the contract.
Due Diligence and Risk Assessments: Before entering into any agreement, financial entities are required to perform thorough due diligence on prospective third-party providers. This includes evaluating the provider’s financial stability, technical capabilities, and security measures. The goal is to ensure that the provider can meet the entity’s security and operational requirements.
Contractual Obligations: Contracts with ICT third-party providers must include specific clauses to ensure compliance with DORA. These include:
- Detailed service descriptions and performance metrics.
- Obligations to report and manage incidents.
- Requirements for business continuity planning and testing.
- Provisions for monitoring and auditing third-party services.
Ongoing Monitoring and Reporting: Once a contract is in place, financial entities must continuously monitor the performance and security of the third-party provider. This includes regular audits, performance reviews, and incident reporting. Entities must keep a comprehensive register of all third-party agreements, which can be inspected by regulatory authorities.
Critical Third-Party Providers: DORA identifies certain third-party providers as critical, meaning they provide essential services that, if disrupted, could significantly impact financial stability. These providers are subject to additional oversight and must comply with stricter regulatory requirements.
Steps to Effective Third-Party Risk Management:
- Pre-Contract Planning: Establish criteria for selecting third-party providers and conduct a thorough risk assessment to ensure they can meet your operational resilience requirements.
- Contract Management: Ensure all contracts include the necessary clauses for compliance with DORA, and regularly review and update these agreements to address any new risks or regulatory changes.
- Ongoing Oversight: Maintain continuous monitoring of third-party performance and compliance. Regular audits and performance reviews should be conducted to identify and address any issues promptly.
- Exit Strategies: Develop clear plans for exiting agreements with third-party providers to ensure continuity of services and compliance with DORA’s requirements, including provisions for transitioning to alternative providers if necessary.
By adhering to these guidelines, financial entities can effectively manage the risks associated with third-party providers and ensure compliance with DORA. This not only protects their own operations but also contributes to the overall resilience of the financial sector.
5. Information Sharing – Enhancing Cyber Resilience Through Collaboration
In an era where cyber threats are increasingly sophisticated and pervasive, Information Sharing has become a crucial element of digital operational resilience. As the fifth pillar of the Digital Operational Resilience Act (DORA), information sharing promotes a collaborative approach to managing cyber threats, ensuring that financial entities can collectively enhance their defences and respond more effectively to incidents.
The Goal of Information Sharing:
- Collective Intelligence: By sharing information about cyber threats and incidents, financial entities can gain a comprehensive understanding of the threat landscape. This collective intelligence helps organisations to stay ahead of emerging threats and adopt proactive measures to mitigate risks.
- Improved Incident Response: Information sharing enables financial entities to quickly learn from the experiences of others, improving their own incident response capabilities. Understanding how other organisations have addressed similar threats can provide valuable insights into effective strategies and solutions.
- Regulatory Support: DORA encourages financial entities to exchange information within trusted communities and provides a framework for secure information sharing. Regulators also contribute to this effort by sharing anonymised threat intelligence, which entities can use to enhance their own security measures.
Key Components of DORA’s Information Sharing Framework:
- Trusted Communities: Financial entities are encouraged to participate in trusted communities where they can share and receive information about cyber threats and incidents. These communities provide a secure environment for exchanging sensitive information and fostering collaboration.
- Regulatory Information: Regulators will disseminate relevant, anonymised information about cyber threats and vulnerabilities. Financial entities must establish mechanisms to review this information and take appropriate actions to strengthen their defences.
- Reporting Obligations: DORA requires financial entities to report significant ICT-related incidents to their National Competent Authorities (NCAs). This information is used to improve the overall resilience of the financial sector and ensure that all entities are aware of potential threats.
- Proactive Measures: Entities must implement processes to review and act on shared information. This includes integrating threat intelligence into their risk management frameworks and updating their security measures to address new vulnerabilities.
Steps for Effective Information Sharing:
- Join Trusted Networks: Participate in industry groups and networks that facilitate the sharing of cyber threat intelligence and best practices. These networks provide valuable opportunities to collaborate with peers and stay informed about emerging threats.
- Implement Secure Sharing Mechanisms: Use secure communication channels and platforms for sharing information about threats and incidents. Ensure that any shared information is handled in accordance with data protection and privacy regulations.
- Integrate Intelligence into Risk Management: Incorporate shared threat intelligence into your organisation’s risk management framework. Use this information to identify potential vulnerabilities and strengthen your security measures.
- Educate, Train and Audit Staff: Regularly update your staff on the latest threats and best practices for cyber resilience. Ensure that they understand the importance of information sharing and how to handle shared information securely.
Information sharing is a powerful tool for enhancing cyber resilience across the financial sector. By working together and leveraging collective intelligence, financial entities can better protect themselves against cyber threats and contribute to the overall stability and security of the financial ecosystem.
Adopting a proactive approach to information sharing, as outlined by DORA, will help ensure that financial entities are not only compliant but also resilient in the face of evolving digital challenges.
Where can I learn more?
If you would like to know more about the DORA and understand how you can achieve compliance efficiently, contact us today.
The Regulation’s official reference is Regulation (EU) 2022/2554.
The text of the regulation is available from here.
A more user-friendly, hyperlinked, and searchable (unofficial) version has been published here.
Find more of our latest news posts here.
Are you looking to implement DORA successfully?
The Adoptech team can provide:
Expertise
Adoptech professionals offer extensive expertise in compliance, legal, information security, operational resilience and third-party risk management to both the financial sector and ICT providers. The team offers comprehensive solutions to help companies navigate the complexities of DORA implementation and establish robust frameworks for ongoing compliance and resilience.
Our services are underpinned by secure, state-of-the art technology solutions that ensure ongoing compliance is effective and efficient.
Automation
We believe that the future of compliance is automated. The founding team spent many years automating trading flows and building automated RegTech solutions. The same approach, combining a technology-first mindset with expertise is being applied to DORA.
Within our platform, users can conduct a gap analysis, define roles and responsibilities, assign tasks, monitor risks, track controls, oversee third-parties, and generate various mandatory DORA reports and policies.
Audit & Compliance
Demonstrate your organisation’s commitment to digital operational resilience and provide valuable insights and assurance to senior management, regulators and stakeholders with a comprehensive DORA report.
Trusted audit companies conduct an independent audit covering the five areas of DORA, generating a detailed DORA audit report. This independent report, along with the annual review on ICT risk management, forms a robust demonstration of your organisation’s dedication to DORA compliance.
Insights & Value
Cost-effectiveness. Despite the imposition of an audit, consider the potential cost of a data breach. In 2021, a single data breach cost, on average, $4.2 million—a figure that continues to rise annually.
Regulatory compliance. Unlike SOC 2, ISO 27001, and NIST compliance, DORA compliance is mandatory by law. Non-compliance can lead to substantial fines. Critical third-party technology providers can face fines of up to 1% of their average daily worldwide turnover, per day until compliance is achieved, with fines possible for up to six months.
Peace of mind. Successfully passing a DORA audit provides assurance that your organisation has implemented controls to ensure operational resilience, safeguarding your business and customer data.
Customer demand. Protecting data from unauthorised access is a priority for your clients, having a DORA report can help build trust with customers whether you are a financial institution or a fintech.
A DORA report offers valuable insights into your organisation’s risk and security posture, management of third-party risks, governance of internal controls, readiness for incidents and more.