Join us at Minneapolis API Security Summit 2025!

DORA – Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is the latest European framework for comprehensive digital risk supervision in financial markets. It goes beyond financial stability to ensure that organizations can withstand a major cyber security or ICT incident. DORA drives convergence of security and resilience practices across the EU by applying a common supervisory approach to key sectors.


An Overview of Digital Operational Resilience Act (DORA)

In September 2020 the European Commission issued a package of measures to digitize the financial sector, and DORA is one of them. The package is an effort by the Commission to increase innovation and competitiveness in Europe's financial sector.

The financial sector relies heavily on information and communication technology (ICT), and the coronavirus pandemic has only increased customers' reliance on digital services. Because of that dependence on ICT, financial institutions are a prime target for cybercrime.

Other businesses, entire industries, and even the wider economy could be harmed by an attack on, or disruption of, a critical cross-border financial service. Verifying that the financial sector's digital operations can withstand a crisis is therefore vital. The Commission estimates that operational incidents in the EU financial sector could cost the industry as much as €27 billion annually.

Goals

DORA's overarching goal is to improve the operational resilience of digital systems across the EU's financial sector as a whole. The new legislative framework consolidates and updates existing rules and adds new ones. The framework aims to:

  • Ensure that financial institutions evaluate the effectiveness of their preventive and resilience measures and identify where their ICT exposures lie, so that such risks are reduced in severity.
  • Help financial regulators understand the threat landscape better by sharing data on ICT-related incidents.
  • Strengthen the outsourcing rules that provide indirect oversight of ICT third-party service providers.
  • Let financial institutions monitor the ICT service providers they engage.
  • Encourage financial institutions to share information about cyber threats.

Who Has to Comply with DORA Requirements?

DORA applies to all financial institutions regulated at the EU level. In particular, it applies to information broadcasting service providers, managers of alternative investment funds and management companies, central securities depositories, central counterparties, trading venues, trade repositories, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, and reinsurance underwriters. ICT third-party service providers are affected as well.

When defining the main requirements for the various areas of applicability, the principle of proportionality must be kept in mind, accounting for differences in business model, size, risk profile, and systemic significance. According to the EU Commission, for instance, less stringent incident reporting and resilience testing measures will be required of smaller financial entities.

5 Main Requirements of Digital Operational Resilience Act (DORA)

DORA sets out its requirements across five categories:

  1. ICT risk management

The financial sector will soon be subject to rules requiring the development and implementation of an ICT risk management framework that underpins business continuity strategies, disaster recovery procedures, and information sharing protocols.

A consistent way of communicating with stakeholders is crucial. The EBA's guidelines on ICT and security risk management serve as the foundation for this new mandate.

Stakeholders will be responsible for the following as they work to safeguard the smooth running of the business:

  • Defining ICT disruption risk and impact tolerance.
  • Planning and approving business continuity arrangements.
  • Defining disaster recovery strategies.
  • Securing all essential assets.

Response and recovery should go beyond policies: ICT redundancy is needed to preserve business continuity. Stakeholders must approve the corresponding expenditure, which should include backup and restoration systems.

  2. ICT Incident Reporting

DORA will simplify ICT incident reporting by consolidating the various existing reporting requirements, reducing the number of trigger events and standardizing reporting formats. This streamlines reporting to a single EU hub instead of many National Competent Authorities (NCAs).

The EU hub will collect major ICT incidents affecting financial institutions. The data will reveal trends in banking-sector vulnerabilities that can be used to improve IT resilience and security.

The new EU reporting rules require all financial firms to produce a root cause report within one month of a major ICT incident. Financial institutions must therefore develop accurate early warning indicators for ICT disruption so that reports can be submitted on time.

  3. Digital Resilience Testing

Financial institutions will be required to carry out regular digital operational resilience testing by independent parties, either internal or external, to ensure the effectiveness of existing ICT defenses.

A comprehensive digital resilience testing plan should define the following:

  • Testing approaches
  • Tools and methods for conducting tests
  • How often resilience testing is performed
  • A method for prioritising tests

This is not an entirely new mandate: certain Financial Market Infrastructures are already required to run Threat-Led Penetration Testing (TLPT) frameworks. DORA will increase the number of organizations subject to mandatory testing across the whole financial services industry.

The European Supervisory Authorities (ESAs) will publish a second piece of legislation outlining the specifics of this expanded requirement by the end of 2021.

DORA's cross-border test recognition procedure builds on the European Central Bank's voluntary TIBER-EU framework, which promotes the mutual acceptance of resilience test results among EU member states.

For financial institutions already subject to such testing, this may simplify compliance and reduce its cost.

  4. Information and Intelligence Sharing

DORA will enable and promote the sharing of cyber threat information among members of established financial networks. New cyber risks, reliable data protection solutions, and operational resilience strategies should all be discussed in an effort to raise awareness.

  5. Third-Party ICT Risk Management

This is one of the trickiest aspects of the framework. If CSPs are deemed "critical," they will be required to follow regulations set by supervisory bodies.

For a third-party service provider to be considered critical, it must meet a number of criteria, including:

  • Level of substitutability: in the event of an operational interruption (whether inside the company or in the vendor's environment), critical CSPs are harder to replace.
  • How many banks or other financial institutions rely on the CSP to keep their operations running smoothly.

The ESAs will conduct both on-site and off-site audits to ensure that critical CSPs are compliant. If compliance is not met, the lead overseer may levy a fine of up to 1 percent of daily global revenue.

Existing regulations, such as the General Data Protection Regulation, will continue to apply in addition to these compliance obligations.

To be clear, critical third-party suppliers are not solely responsible for ensuring DORA compliance. To safeguard their operations from supply chain attacks and third-party breaches, financial services businesses will need to adopt third-party risk policies of their own.

[Figure: Main Requirements of DORA]

When Will DORA Take Effect?

The Digital Operational Resilience Act entered into force on January 16, 2023. All affected financial institutions are subject to its requirements immediately, but enforcement cannot begin until 24 months after entry into force, so organizations have two years to comply with the new standards. The ESAs will also develop technical standards that spell out the finer points of enforcing the new regulations.

Preparing For the Digital Operational Resilience Act

Financial institutions recognized by the European Commission have begun preparing to comply with DORA's risk management criteria.

The following steps will help your entities get ready for this proposed legislation:

  1. Complete a Gap Analysis

All of DORA's requirements should be evaluated for compliance gaps using a maturity-based risk assessment. Doing so lets any affected ICT systems be redesigned more quickly and effectively.

  2. Assess Your Criticality

ICT third-party suppliers must assess their own criticality against all of DORA's criticality criteria.

Third-party providers in this category must start considering how they will comply with supervision frameworks, which may require dedicated regulatory teams and data security technologies.

Financial institutions must also identify their critical third-party cloud service providers. Risk assessments and third-party attack surface monitoring software should be used to track critical vendors' DORA compliance.

So that an ICT incident at a vendor can be absorbed, all non-critical vendors should be mapped to alternative outsourcing options.

  3. Threat-Led Penetration Testing

Banks and other financial institutions that are not yet using TLPT will have to find third-party vendors to meet their needs.

Until the specifics of the testing criteria are known, it will be necessary to keep a close eye on ESA activity.

  4. Evaluate Current Recovery Methods

Current response and recovery tactics will need to be evaluated in light of the incident reporting process mandated by DORA.

Optimizing current resource allocations and modifying current internal reporting channels are two possible avenues towards conformity with DORA's reporting procedure.

  5. Carry out a Needs Assessment

All of DORA's requirements should be evaluated for compliance gaps using a maturity-based risk assessment. This gives all affected IT systems a more streamlined transformation.

How Will Wallarm Help with DORA Compliance?

Without adding complexity to your security stack or workflows, Wallarm offers complete protection for your entire portfolio of web apps and APIs (API Security Platform, WAAP, GoTestWAF), regardless of protocol or environment. Security and DevOps teams select Wallarm to discover the cloud-native APIs and legacy web applications operating in their environment and to detect and respond to attacks against them.

Wallarm can serve as a reliable ally in your pursuit of DORA compliance. With the aid of our Infrastructure Protection services, you can establish a solid security posture that protects your business from every angle.

Updated:
February 26, 2024