DORA
A Unified Approach to EU Cyber Resilience

Cybersecurity and risk management have become paramount concerns, especially in the financial services sector. The Digital Operational Resilience Act (DORA) is set to address these issues head-on, bringing standardized risk management regulations to EU-member states.

The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a mandatory, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes requirements, supplemented by technical standards, that financial entities and their critical ICT third-party service providers must implement in their ICT systems by January 17, 2025, the date from which the regulation applies.

Objectives of DORA

The financial sector has become increasingly dependent on ICT and digital information. The COVID-19 pandemic acted as a further trigger, as financial institutions came to rely on the availability of digital platforms to conduct day-to-day operations remotely. This dependence has sharply increased technological and cyber risk, and the past few years have demonstrated the importance of digital resilience.

DORA has two main objectives:

  • to tackle ICT risk management within the financial services sector comprehensively; and
  • to streamline the ICT risk management regulations that already exist in individual EU member states.

Prior to DORA, the main goal of EU risk management regulations for financial institutions was to ensure that firms were adequately capitalized. Although various EU regulators published guidance on ICT and security risk management, these rules were not universally applicable to financial institutions and frequently relied on broad principles rather than specific technical requirements. In the absence of EU-level ICT risk management rules, member states adopted their own, and financial organizations have struggled to navigate the differing national regimes.

With DORA, the EU wants to create a common framework for controlling and reducing ICT risk in the financial industry. The goal of DORA is to eliminate any potential gaps, overlaps, or conflicts that might exist between various policies in various EU nations by standardizing risk management guidelines throughout the EU. By guaranteeing that all institutions are held to the same standard, a common set of rules can improve the resilience of the EU financial system overall while also making it easier for financial firms to comply.

DORA Scope

DORA applies to a broad range of EU financial entities. This covers conventional institutions such as banks and other credit institutions, payment institutions, and investment firms, as well as newer entrants such as crowdfunding service providers and crypto-asset service providers.

Notably, several kinds of businesses that normally fall outside financial regulation are also covered by DORA. For instance, ICT third-party service providers, such as cloud service providers and data centres, that supply ICT systems and services to financial entities are subject to DORA requirements. DORA also reaches companies that provide critical third-party information services, such as data analytics and credit rating services.


DORA Enforcement

Once DORA applies in January 2025, enforcement will be delegated to designated regulators in each EU member state, known as “competent authorities.” These authorities may require financial entities to implement specified security measures and remediate vulnerabilities. They will also have the power to impose administrative penalties, and in certain situations criminal penalties, on noncompliant firms. Each member state determines its own penalty regime.

ICT third-party providers designated as “critical” by the European Supervisory Authorities (ESAs) will be directly supervised by a “Lead Overseer” drawn from the ESAs. Lead Overseers, like competent authorities, can require security measures and remediation and can sanction noncompliant ICT providers. DORA allows a Lead Overseer to impose periodic penalty payments of up to one percent of the provider’s average daily worldwide turnover in the previous business year, applied daily for up to six months until the provider complies.


DORA Requirements

The EU’s intent with DORA is to increase the financial sector’s resilience to ICT-related incidents by imposing detailed, prescriptive rules that are consistent throughout EU member states. The regulation also applies to critical ICT third parties that supply financial institutions with ICT-related services such as cloud platforms, data analytics, and audit services. Organisations must be able to withstand, respond to, and recover from the effects of ICT incidents so that they can continue delivering critical or important functions while minimizing disruption for customers and the financial system. This requires strong measures and controls over systems, tools, and third parties, appropriate operational continuity plans, and continuous verification that those plans actually work.

The act provides a set of detailed standards, templates, and directives that will shape how financial institutions handle ICT and cyber risks. It signals that EU authorities intend to take a hands-on approach, with a strong emphasis on regular reporting, communication, and assessments carried out in standardised formats. The result is a consistent supervisory approach across all in-scope sectors.

The essence of DORA is separated into five fundamental pillars that address various areas or domains of ICT and cyber security, offering a comprehensive digital resiliency framework for relevant businesses. A summary of the main requirements or aspects is presented below:

ICT Risk Management

The regulation sets out requirements for the ICT risk management framework, which include:

  • Implementing and maintaining resilient ICT systems and technologies to reduce the impact of ICT risk.
  • Identifying all sources of ICT risk on a continuous basis so that protective and preventive measures can be applied.
  • Establishing mechanisms to detect anomalous activity promptly.
  • Having business continuity policies and disaster recovery plans in place to ensure rapid recovery from an ICT-related incident.
  • Establishing processes for learning and evolving from both external events and internal ICT incidents.

ICT-related incident reporting

Financial entities must establish and implement a management process to monitor and record ICT-related incidents. Incidents are classified according to criteria set out in the regulation and refined by the ESAs (the EBA, EIOPA, and ESMA). Major incidents are reported to the relevant competent authority using a standardized template and a unified process, in stages: an initial notification, an intermediate report, and a final report. Where a major incident affects clients’ financial interests, the entity must also inform the clients concerned.

Digital operational resilience testing

Elements of the ICT risk management framework must be tested on a regular basis. Any weaknesses, deficiencies, or gaps must be identified and promptly eliminated or mitigated through corrective measures. Testing requirements are proportionate to the entity’s size, business, and risk profile. Entities with a higher risk exposure, as identified by their competent authority, must additionally conduct Threat-Led Penetration Testing (TLPT), an intelligence-led red team exercise against live production systems, at least every three years.

ICT third-party risk

Financial entities must soundly monitor the risks that arise from reliance on ICT third-party providers. DORA harmonises key elements of the service and the relationship with those providers to enable complete monitoring, and requires that contracts with ICT third-party providers contain the necessary monitoring and access provisions, such as a full service level description and the locations where data is processed. To promote convergence of supervisory approaches to ICT third-party risk, critical providers are placed under a Union-level oversight framework.

Information sharing

The guidelines encourage collaboration among trusted communities of other financial entities. This collaboration will:

  • enhance the digital operational resilience of financial entities
  • raise awareness on ICT risks
  • minimise ICT threats’ ability to spread
  • support entities’ defensive and detection techniques, mitigation strategies or response and recovery stages.

Through agreements that safeguard the potentially sensitive nature of the information transmitted, financial companies are encouraged to share cyber threat intelligence and information with one another.

Raising standards since 2006.

Kyte Global, with clients in over 65 countries, has established itself as a one-stop shop for information security and compliance requirements.

