Preparing for DORA Compliance: A Comprehensive Checklist

Roman Kolodiy
Director of Cloud and Cybersecurity, AWS Expert, big fan of SRE. Helps teams to improve system reliability, optimise testing efforts, speed up release cycles & build confidence in product quality.

As the January 2025 deadline approaches, financial institutions in the EU prepare for a major change in cyber resilience. The Digital Operational Resilience Act will come into force on this date.

Compliance with this regulation is a significant and challenging undertaking, and its importance cannot be overstated; it requires immediate attention.

In this article, we will explain the Digital Operational Resilience Act, how it works, and why it is so important. We will also offer you a detailed and proactive DORA compliance checklist that covers all aspects of the regulation, ensuring you are fully prepared for compliance. Let's go!

What is DORA?

DORA stands for the Digital Operational Resilience Act, which came into effect in January 2023. The act is a major part of the EU Commission's strategy for increasing digital resilience in the European banking and financial sector.

In essence, DORA is designed to ensure that financial institutions can maintain secure and reliable operations during significant ICT outages. It sets out a comprehensive risk management framework for information and communication technology across the financial industry, providing a robust system for mitigating potential disruptions.

Affected entities have a transition period, until January 17, 2025, to comply fully with its requirements. By that deadline, both financial organizations and their essential third-party technology service providers must meet specific technical standards within their ICT systems. Non-compliance can lead to severe penalties and reputational damage, so every affected entity should prioritize DORA compliance.

Who Will Be Affected by DORA?

Let’s take a look at organizations that must comply with this act.

Financial institutions within the EU

  • Traditional banks that offer deposit accounts, loans, and other financial services.
  • Firms that provide various types of insurance, including life, health, and property insurance.
  • Entities engaged in activities like trading securities, investment management, and brokerage services.
  • Companies facilitating payment transactions, including payment processors and electronic money institutions.
  • Organizations managing retirement savings and pension plans.

Critical third-party providers

DORA also extends its reach to critical third-party service providers that financial institutions rely on. This list includes:

  • Companies offering cloud computing services, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
  • Firms providing IT infrastructure, software solutions, and technical support.
  • Facilities that house critical data and IT infrastructure.
  • Technology firms providing financial services and solutions, including blockchain technology and digital payment systems.

Regulators and supervisory authorities

  • National Competent Authorities – regulatory bodies in each EU member state responsible for overseeing compliance with DORA.
  • European Supervisory Authorities (ESAs). These are institutions such as the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). They all play roles in ensuring that the regulation is uniformly applied across the EU.

What Are DORA’s Key Objectives?

DORA has three primary objectives, and they are central to improving the stability and security of the financial sector.

Better operational resilience

The act aims to improve the resilience of financial institutions and their suppliers to ICT-related attacks. The main aspect is that even in the event of significant digital trouble, essential services should not be interrupted.

Consequently, financial institutions must have in place strong systems and tools as well as third-party risk management frameworks for business continuity purposes. They also must be aware of professional managed cyber security services for a strong security posture within the organization.

Strengthening cybersecurity

The act sets out specific requirements for ICT and cyber risk management. DORA's standardized criteria and protocols ensure that financial institutions and their critical third-party providers actually implement effective cybersecurity measures.

This focus helps protect against technological and cyber risks that have become more noticeable due to the growth of digital dependence.

Creating an effective risk management system

DORA offers a clear, comprehensive framework for managing ICT risks. It also includes detailed requirements for reporting and communicating major ICT-related incidents.

The act requires proper security testing services and regular testing of business continuity plans and requires firms to adopt standardized approaches to reporting and risk assessment. This coordinated system of supervision in the EU aims to harmonize practices and improve overall risk management in the financial sector.

DORA and NIS2

The Commission Guidelines from 18 September 2023 clarify the relationship between the NIS 2 Directive and the Digital Operational Resilience Act. Article 1(2) of DORA states that for financial entities covered by both the NIS 2 Directive and its national transposition rules, DORA takes priority as a sector-specific Union legal act. This is confirmed in the recital (28) of the NIS 2 Directive's preamble.

In other words, DORA's rules on ICT risk management, incident reporting, digital resilience testing, information-sharing, and ICT third-party risk management override the related requirements in the NIS 2 Directive. Member States should not enforce the cybersecurity risk-management and reporting obligations, as well as supervision and enforcement measures from the NIS 2 Directive, for financial entities covered by DORA.

Key Requirements of DORA

DORA compliance requirements can be divided into several groups. Let’s take a look at them.

ICT (Information and Communication Technology) risk management

The Digital Operational Resilience Act emphasizes the management body's role in relation to digital resilience. Management must ensure that it safeguards against ICT disruptions and cyber-attacks.

Under DORA, the establishment of a clear-cut ICT risk management framework is vital for the identification, assessment, control, and monitoring of ICT risks. It would enable financial institutions to address and contain the cost of damage from ICT-related problems with minimal disruption.

DORA’s streamlined approach to managing ICT risks includes:

  • Building and maintaining robust ICT systems and tools created to minimize the influence of potential risks. This is the way to ensure that disruptions have a limited impact on operations.
  • Continuous risk identification, including all sources of ICT risks. This ongoing process helps to implement timely protection and prevention measures.
  • Setting up mechanisms for prompt detection of unusual or anomalous activities. Early detection is key to mitigating potential threats before they turn into a serious problem.
  • Developing and maintaining comprehensive business continuity policies and disaster recovery plans.
  • Creating processes to learn from both external events and internal ICT incidents. This helps evolve and strengthen the ICT risk management framework over time.

The approach towards ICT risk management largely aligns with European regulations, where substantial rule-making is delegated to European supervisory authorities (ESAs). While the European Parliament (EP) mandates annual disclosure of ICT-related incidents, the Council focuses on business impact analysis for severe disruptions.

For critical ICT providers, a Lead Overseer will evaluate their risk management processes, including their policies and recovery plans.

Incident reporting and management

One of the goals of implementing DORA is to standardize and streamline the obligation to report serious ICT incidents across the European financial industry. The document establishes conditions that will strengthen the response to these incidents and improve the effectiveness of cooperation between national and European authorities.

This applies to different areas, but in general, it is about the implementation of uniform procedures for monitoring, classifying ICT incidents, and reporting them to the relevant authorities.

Here are the key points of this requirement.

  • Development and implementation of a reliable management process for monitoring and recording ICT incidents.
  • Correct classification of incidents according to the criteria set by the European Supervisory Authorities (EBA, EIOPA, and ESMA).
  • Establishing a process for reporting incidents to relevant authorities using a standard template and agreed procedure.
  • Transparent communication, including timely submission of initial, interim, and final reports on ICT incidents to users and customers of the organization.

Financial entities operating in several sectors or EU Member States no longer have to use parallel reporting regimes such as NIS2. Thanks to unification, regulators get the necessary information, while financial institutions can focus on other critical aspects of incident response.

Digital operational resilience testing

Regular testing and evaluation of the ICT risk management framework are essential. Here’s an overview of key testing requirements.

  • Elements within the ICT risk management framework should be regularly tested to assess their preparedness. This way, organizations can identify any weaknesses or gaps that need to be addressed.
  • The opinions on frequency differ: the European Parliament suggests every three years, while the Council may delegate this decision to authorities. The European Supervisory Authorities (ESAs) will develop advanced testing methodologies in Regulatory Technical Standards (RTS). Until then, firms can refer to the ECB’s Threat Intelligence-Based Ethical Red-Teaming (TIBER-EU) framework for guidance.
  • Any identified flaws or gaps must be mitigated promptly. This must happen through the implementation of counteractive actions. This way, potential issues will be resolved before they impact operations.
  • Testing should be proportionate to the size, business, and risk profiles of the entity. This means that the scope and intensity of testing can vary based on the entity’s specific features.
  • Organizations must conduct Threat-Led Penetration Testing (TLPT), also known as Red/Purple Team Assessments, to address higher levels of risk exposure. Penetration testing services simulate real-world attacks to assess how well the systems can resist threats. For instance, firms may need to conduct penetration tests on live production systems at least every three years to uncover vulnerabilities and address potential attack vectors.

Managing third-party risks

This group of key requirements includes:

  • Implementing proper monitoring practices for risks associated with ICT third-party providers.
  • Ensuring oversight extends to all critical aspects of the service relationship to maintain comprehensive risk management.
  • Standardizing key elements of the service agreement with ICT third-party providers. This includes assuring complete monitoring capabilities, defining clear service level descriptions, and specifying data processing locations in the contracts.
  • Aligning actions with the Union Oversight Framework. It promotes consistency in supervisory approaches and helps harmonize the monitoring and management of third-party risks across the EU.

The Oversight Framework

The Oversight Framework is important because it addresses the significant role that providers play in the operations of financial institutions and the potential risks this involves. Through it, DORA mandates that certain ICT providers be designated as "critical" based on their importance to financial entities and the potential impact of service disruptions on the financial system.

The Union Oversight Framework harmonizes oversight activities across the EU, so all critical providers are subject to the same standards and supervisory practices. This greatly reduces regulatory inconsistencies.

The European Supervisory Authorities develop Regulatory Technical Standards (RTS) to implement the oversight process, including criteria for critical designation and joint examination procedures. DORA establishes a network for coordination among ESAs to unify the approach to overseeing critical ICT providers.

The Oversight Framework enhances the digital operational resilience of the EU financial sector by ensuring that all critical ICT providers adhere to stringent, harmonized standards.

Information sharing and threat intelligence

This is the most straightforward section of DORA's requirements. It encourages collaboration among financial entities, which enhances digital operational resilience and raises awareness of ICT risks.

This part also helps to facilitate cyber threat information and intelligence exchange among financial entities and providers. It must happen through arrangements that are designed to protect the potentially sensitive data shared.

This approach aims to minimize ICT threats’ ability to spread and support entities’ defensive techniques, detection activities, mitigation, response, and recovery steps.

ICT providers should participate in information-sharing arrangements to safeguard sensitive information.

How to Ensure DORA Compliance? Best Practices

DORA compliance depends on embedding these best practices strategically within your organization. Here are the key steps that, in our experience, make the road to compliance easier and shorter.

Establish a culture of resilience and cybersecurity awareness

You probably hear this a lot. However, in our experience, executives may need to take it more seriously.

So, pay attention to this point and set up a system of regular staff training on good cybersecurity practices. All your staff members must understand how they can contribute to protecting the company's operational resilience.

Engage stakeholders and get executive buy-in

Top management and key stakeholders need to be committed to allocating resources and priorities and implementing the DORA compliance measures across the enterprise. This is compulsory for DORA compliance.

Stay current with regulatory developments and directives

It is essential to be aware of any changes or additions to DORA and related regulations. Here is a short list of actions that will help you achieve this.

  • Monitor regulatory bodies: check updates from European Supervisory Authorities (ESAs) and other relevant regulatory bodies.
  • Subscribe to regulatory newsletters: newsletters and alerts from regulatory agencies will help you to receive timely updates on new guidelines, interpretations, and amendments.
  • Engage a DORA-certified compliance specialist: work with compliance consultants or legal advisors who specialize in DORA to interpret complex regulations and ensure that your practices are up to date with the latest requirements.

Leverage technology and automation for compliance management

In our experience, these are the best ways to harness technologies and tools for better compliance management.

Automated risk assessments

Start by implementing automated systems that continuously monitor your ICT infrastructure for vulnerabilities and risks. Such systems provide real-time alerts and updates that help you stay ahead of possible challenges.

There are also numerous technological solutions that automate risk scoring against predefined criteria and threat intelligence. This enables you to prioritize risks and focus resources on areas of critical concern.

Automated incident management

Find proper incident monitoring tools that make use of artificial intelligence and machine learning to detect anomalies and probable incidents. From our experience, automation really aids in early detection and prompt response.

We also recommend integrating automation into incident response and reporting workflows. Such workflows can ensure that an incident is documented, escalated, and reported to every level of authority where regulation requires it, without manual intervention.
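As an added illustration (not code from this article, nor from TechMagic), the Python sketch below shows how the incident lifecycle described in the incident reporting section (record, classify, then initial, interim, and final reports) can be enforced by an automated workflow: reports cannot be submitted out of order, every step lands in an audit trail, and stages whose deadline has passed surface without anyone tracking them by hand. The classification rule, the thresholds, the deadlines, the sample incident, and the names `Incident`, `classify`, `submit_report`, `overdue_stages`, and `demo` are all assumptions constructed for this demo; the real classification criteria and reporting timelines must come from the applicable regulatory technical standards and your own incident policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Report stages in the order the article names them: initial, interim, final.
REPORT_STAGES = ("initial", "interim", "final")

# ASSUMED deadlines, counted from the moment the incident is classified as major.
# Placeholder values for this demo only, not the regulatory figures.
REPORT_DEADLINES = {
    "initial": timedelta(hours=4),
    "interim": timedelta(hours=72),
    "final": timedelta(days=30),
}

# ASSUMED classification thresholds, constructed for this demo.
MAJOR_CLIENT_THRESHOLD = 1000
MAJOR_DURATION = timedelta(hours=2)


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    description: str
    critical_service_affected: bool
    clients_affected: int
    duration: timedelta
    classified_at: Optional[datetime] = None
    severity: Optional[str] = None
    reports: Dict[str, datetime] = field(default_factory=dict)  # stage -> submitted at
    audit: List[Tuple[datetime, str]] = field(default_factory=list)  # append-only trail

    def log(self, when: datetime, event: str) -> None:
        self.audit.append((when, event))


def classify(incident: Incident, now: datetime) -> str:
    """Assign a severity with the constructed rule and record when it happened."""
    major = incident.critical_service_affected and (
        incident.clients_affected >= MAJOR_CLIENT_THRESHOLD
        or incident.duration >= MAJOR_DURATION
    )
    incident.severity = "major" if major else "non-major"
    incident.classified_at = now
    incident.log(now, f"classified as {incident.severity}")
    return incident.severity


def submit_report(incident: Incident, stage: str, now: datetime) -> bool:
    """Record a report submission, enforcing initial -> interim -> final.

    Returns True when the report was submitted before its (assumed) deadline.
    """
    if incident.severity != "major":
        raise ValueError("only major incidents are reported to authorities in this workflow")
    if stage not in REPORT_STAGES:
        raise ValueError(f"unknown report stage {stage!r}")
    idx = REPORT_STAGES.index(stage)
    if idx > 0 and REPORT_STAGES[idx - 1] not in incident.reports:
        raise ValueError(f"{stage} report cannot precede the {REPORT_STAGES[idx - 1]} report")
    if stage in incident.reports:
        raise ValueError(f"{stage} report already submitted")
    incident.reports[stage] = now
    on_time = now <= incident.classified_at + REPORT_DEADLINES[stage]
    incident.log(now, f"{stage} report submitted" + ("" if on_time else " (LATE)"))
    return on_time


def overdue_stages(incident: Incident, now: datetime) -> List[str]:
    """Stages whose deadline has passed without a submission (empty for non-major)."""
    if incident.severity != "major":
        return []
    return [
        s for s in REPORT_STAGES
        if s not in incident.reports and now > incident.classified_at + REPORT_DEADLINES[s]
    ]


def demo():
    """Run a constructed incident through the workflow and return what happened."""
    t0 = datetime(2025, 1, 20, 9, 0)  # constructed detection time
    inc = Incident("INC-0001", t0, "constructed: payment API outage", True, 2500, timedelta(hours=3))
    inc.log(t0, "detected by monitoring")
    severity = classify(inc, t0 + timedelta(minutes=30))                     # classified 09:30
    initial_on_time = submit_report(inc, "initial", t0 + timedelta(hours=3))  # 12:00, within 4h
    try:
        submit_report(inc, "final", t0 + timedelta(hours=5))  # skips interim: must be rejected
        order_enforced = False
    except ValueError:
        order_enforced = True
    # Four days later the interim report (72h) is overdue; the final report is not yet due.
    pending = overdue_stages(inc, t0 + timedelta(days=4))
    return severity, initial_on_time, order_enforced, pending


if __name__ == "__main__":
    print(demo())
```

The ordering check and the audit trail are the point: a regulator asking "when was the interim report sent and why was it late?" is answered from `incident.audit`, not from someone's memory, and the deadline table is the single place to update once the real timelines for your entity type are confirmed.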

Threat intelligence

Integrate threat intelligence practices into your systems to remain up-to-date on new dangers and vulnerabilities. Predict potential threats and risks using predictive analytics from historical data and trends. This will make the response more proactive, efficient, and effective.

Final Thoughts

Achieving DORA compliance isn't just about ticking off a regulatory checklist; it's about building sustainability and resilience into the very fabric of your organization's operations. Your ICT systems don't just need to meet certain requirements; they also need to be truly robust to withstand complex threats.

Do not perceive DORA as an unpleasant necessity. It is designed to unify and simplify compliance processes, from risk management to third-party oversight. If your company has a culture of resilience and a responsible attitude towards cyber security, the process of achieving compliance will not be too difficult.

Remember, the goal is to create a dynamic structure that not only meets today's standards but also adapts to tomorrow's challenges. Timely DORA compliance consulting, regular penetration testing, and managed security services will help keep the system state up to date. We, for our part, will be happy to provide you with these services and help you be ready before the final DORA compliance date.

FAQ

  1. Why is DORA compliance important?

    DORA compliance ensures that financial institutions and ICT service providers within the European Union can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It enhances the overall security and operational resilience of financial systems, protects sensitive data, and mitigates the risk of financial instability due to technological failures or cyberattacks.

  2. What are the key requirements of DORA?

    The key requirements of DORA include the development and implementation of a risk management framework, conducting digital operational resilience testing, managing third-party risks, incident reporting, and maintaining an effective information-sharing and threat intelligence framework. They aim to standardize the approach to operational resilience across the EU financial sector and ensure that all entities are prepared to handle and recover from ICT-related incidents.

  3. How can I assess my organization’s readiness for DORA compliance?

    To assess your organization’s readiness for DORA compliance, you should start with a comprehensive gap analysis to identify areas where current practices fall short of DORA's requirements. This includes reviewing your risk management practices, incident reporting processes, third-party risk management, etc. We will be happy to assist you in this process and provide security testing services.

  4. What is involved in developing an ICT risk management framework?

    Developing such a framework under DORA involves identifying and assessing ICT-related risks that could impact your organization’s operations. This includes setting up policies and procedures to monitor and manage these risks continuously. It should also include regular risk assessments, the implementation of controls to mitigate identified risks, and a plan for response and recovery in the event of an incident.

  5. How should incidents be reported and managed under DORA?

    Incidents should be reported promptly to relevant authorities, with a focus on transparency and accuracy, but the timeframe depends on the type and features of the entity. The management of incidents should follow a predefined process that includes detection, containment, eradication, recovery, and post-incident review.

  6. What is digital operational resilience testing?

    Digital operational resilience testing under DORA refers to the continuous and systematic assessment of an organization’s ability to withstand and recover from ICT-related disruptions. This includes stress testing, penetration testing, and other exercises designed to simulate different types of threats and disruptions.

  7. How should third-party risks be managed?

    Third-party risks should be managed by conducting thorough due diligence on all ICT service providers, including assessing their operational resilience, security practices, and compliance with DORA requirements. Contracts should clearly outline the responsibilities of third parties in maintaining operational resilience and reporting incidents.

  8. Why are information sharing and threat intelligence important for DORA compliance?

    Information sharing and threat intelligence are crucial for DORA compliance as they enable organizations to stay informed about emerging threats and vulnerabilities. Sharing information with other entities and relevant authorities can help prevent incidents and improve the collective resilience of the financial sector. Effective threat intelligence allows organizations to proactively address risks before they materialize into significant issues.

  9. What are some best practices for ensuring DORA compliance?

    Best practices for ensuring DORA compliance include regularly updating your risk management framework, conducting frequent digital resilience tests, maintaining clear communication channels for incident reporting, and continuously monitoring third-party risks. Additionally, staying informed about the latest regulatory updates and participating in industry-wide information-sharing initiatives can help maintain compliance and enhance operational resilience.

  10. Where can I find more resources on DORA compliance?

    You can find more resources on the websites of regulatory bodies such as the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA). Industry associations, cybersecurity forums, and consultancy firms specializing in financial services compliance also offer valuable insights and guidance on DORA.
