Introducing the Digital Operational Resilience Act (DORA)
Sustaining business operations while facing cyber-attacks and system disruptions is a turbulent challenge for the financial sector, and especially for CISOs. With insider threat topping the list of cybersecurity concerns in CSI's 2022 Banking Priorities Executive Report at 57 percent, largely due to employee-targeted phishing and data theft, the European Supervisory Authorities (ESA) are taking control with the Digital Operational Resilience Act (DORA).
DORA primarily applies to all EU entities within the finance sector, including collaborations with ICT third-party services:
Image 1: Who does DORA affect?
DORA: What is changing?
The DORA legislation obligates organizations and third-party service providers in the EU to implement an ICT risk-management framework that can 'withstand, respond to, and recover from all types of ICT-related disruptions and threats' according to regulated standards.
Five DORA legal requirements that you need to meet by 2024.
1. Develop an ICT Risk Management Framework:
- An internal risk-management framework that supports ICT operational resilience through detection; protection and prevention; response and recovery; and learning and evolving.
- Internal governance for this framework must include protocols, tools, and strategies to manage operational processes and controls, compliance oversight, and audit reports.
2. Establish ICT incident classification and reporting:
- Consistent processes that log, monitor, and classify ICT-related incidents according to defined risk parameters and priorities.
- Major incidents must be communicated to supervisory managers, stakeholders, and authorities through regulated reporting.
3. Implement digital operational resilience testing:
- A risk-assessment program that tests operational resilience, readiness, and preparedness in the face of ICT-related incidents. This must include assessments, activities, and tools that identify, monitor, and remediate application and system vulnerabilities.
4. Manage ICT third-party risks:
- A strategy that monitors and manages operational and process risks related to ICT third-party service provider(s) according to regulatory standards.
- Details of third-party contracts must be kept updated and made available for reporting, audits, and inspections.
- Non-EU-based service providers must be affiliated with an EU subsidiary regulated by the ESA oversight framework.
5. Make information sharing arrangements:
- DORA promotes information sharing among organizations and third-party service providers: raising awareness of cyber threats and sharing threat intelligence, threat-detection techniques, and strategies.
Recommended next steps to becoming change-ready
Non-compliance could carry a steep financial penalty, which also applies to third-party service providers. For instance, according to Grant Thornton ‘a periodic penalty payment of 1% of the average daily worldwide turnover of the ICT service provider in the preceding business year can be applied’ daily for up to six months. Therefore, organizations are currently developing and testing their ICT operational resilience to meet DORA’s regulatory framework in the following ways:
- Assessing and reviewing gaps in the existing ICT risk-management framework to analyze the level of compliance required to meet regulation standards by 2024.
- Building test, reporting, response, and recovery strategies up to the required compliance level.
- Making sure that all ICT third-party contracts are up to date and compliant, while defining whether the services and functions provided are critical or important to business operations.
Although DORA poses the challenge of restructuring and compliance, it provides organizations with the opportunity to better counteract risk and navigate the changing landscape of cybersecurity threats through an improved and unified strategy.
To share thoughts and concerns about structuring your organization's ICT operational resilience framework in line with DORA’s five key requirements, please contact our experts.