DORA is an acronym that has been generating justified interest for a year now – both in the financial industry and among cybersecurity experts. It marks the arrival of a “new era” in ensuring the security of networks and IT systems, addressed primarily to financial institutions. DORA stands for the Digital Operational Resilience Act, which applies to the entire European Union and establishes unified requirements for the security of networks and information systems within the financial sector and among providers of key ICT services. Moreover, as long as a financial organization operates in any capacity in the EU market, it will have to comply with DORA, as will its third-party suppliers. This also applies to companies based outside the EU. When we talk about “financial organizations”, we mean primarily banks and insurance companies, but also payment service providers, investment and pension funds and even cryptocurrency companies (and perhaps this is one of the most important links – from the security point of view – in the entire financial trading chain on a global scale). In total, we are talking about over 22,000 entities (and countless sub-suppliers of products and services to the group in question).
FIVE PILLARS OF DORA:
- ICT risk management
Proactively protect sensitive data through robust cybersecurity management systems. It’s not just about prevention, but also about detecting, stopping, recovering and remediating.
Continuous monitoring and control of ICT security tools. This requirement highlights the importance of adopting advanced data loss protection (DLP) solutions that offer automated incident detection and risk assessment capabilities.
Deconcentration of risk. DORA prohibits organizations from relying on a single provider of services and security for critical processes. In the event of a crisis, the risk for the financial organization is spread across providers and kept to a minimum.
- Reporting ICT incidents
An obligation to quickly (and therefore more effectively) report serious incidents and cyber threats to the competent authorities. Incidents that affect ICT service providers cooperating with given institutions should also be reported. In this way, everyone becomes aware of the potential threats that may spread throughout the financial system.
- Operational digital resilience tests
The annual tests are designed to ensure that financial entities can withstand, respond to and recover from IT disruptions and threats. It will also be necessary to work with external vendors on periodic penetration testing. All parties will be required to address any security vulnerabilities uncovered by these tests.
- ICT risk management of external service providers
Responsibility for managing and mitigating third-party risks. This means, for example, carrying out risk assessments for outsourcing contracts or ensuring that contracts with external ICT providers include all necessary details and binding conditions regarding monitoring and availability.
- Sharing information
DORA encourages financial entities and authorities to share information and data on cyber threats and vulnerabilities. Thanks to this, they will be able to respond better to new threats. Financial entities will need to set up systems to review and act on the information provided.
PRINCIPLE OF PROPORTIONALITY
DORA allows for the application of the principle of proportionality at the stage of implementing the requirements. Individual entities may take into account the size, risk profile and nature, scale and complexity of their services, activities and operations. So, although the general DORA recommendations apply to everyone, smaller companies do not have to implement exactly the same solutions as, e.g., large international banks. They can choose simpler safeguards or less expensive procedures that are adapted to their risk profile.
DORA indicates that the size of the institution is not the only criterion to be taken into account when choosing solutions. In the event of an inspection, financial institutions will have to demonstrate to the supervisory authority that the solutions adopted are adequate to the business risk, type of services offered, customer profile or scale of operations.
DORA obliges the supervisory authority to monitor the way the principle of proportionality is implemented and whether the solutions adopted by individual institutions are consistent with each other. This creates an opportunity to develop and adopt uniform industry standards, and at the same time allows the regulator to identify those institutions whose solutions significantly differ from the “market average”.
TIMELINE
28/11/2022: The European Council adopted DORA
16/01/2023: DORA enters into force; the 24-month preparatory period begins
2023: The European Supervisory Authorities (ESAs) develop the first technical standards
17/01/2024: The ESAs publish the first set of final draft technical standards under the Digital Operational Resilience Regulation (DORA)
17/01/2025: DORA requirements become enforceable
2025: Penetration tests begin
IBM, as a leading provider of a full range of cybersecurity solutions, offers its clients a specific sequence of actions to properly understand and implement the DORA regulation, in the form of a range of services that help financial entities quantify risk and apply supervisory and control procedures. IBM software solutions reduce the time it takes to automate data discovery and management by up to 90%, helping with compliance and reporting. IBM Data Security helps protect data and automate compliance audits.
More about the use of IBM solutions in the implementation of the DORA regulation: https://www.ibm.com/reports/dora-action-guide
The above text was created using the following sources:
https://safetica.pl/blog/news/czym-jest-dora-i-czego-sie-spodziewac
https://www.digital-operational-resilience-act.com/