The Digital Operational Resilience Act (DORA) is the European Union’s attempt to streamline the third-party risk management process across financial institutions.
A draft of DORA was published by the European Commission on 24 September 2020.
Without this act, there is no single, objective Information and Communication Technology (ICT) risk management standard in Europe. Various national regulatory initiatives have attempted some semblance of unification, but they have only further fragmented the financial sector's approach to cybersecurity.
DORA aims to replace the multiple ICT risk management frameworks with a single unified approach for mitigating all ICT-related incidents in Europe's financial industry. This is an intentional response to the European Commission’s Digital Finance Strategy.
DORA also aims to bolster operational resilience within the financial industry so that business continuity can be guaranteed even while an organization's ICT is suffering disruptions - such as during a cyberattack.
DORA also requires Critical ICT Third-Party Providers (CTPPs) to conform to regulatory standards, a requirement that will be supervised by one of the three European Supervisory Authorities (ESAs):
- The European Banking Authority (EBA)
- The European Insurance and Occupational Pensions Authority (EIOPA)
- The European Securities and Markets Authority (ESMA)
Compliance will be assessed through inspections (off-site and on-site) and requests for specific information - such as ICT service details, incident reporting logs, and details of implemented cyber risk defenses.
Why is Digital Operational Resilience Important?
There is an increasing need for operational resilience following the recent proliferation of cyberattacks targeting Europe's financial sector, itself a result of a global rise in cyberattack events.
While cyberattacks cannot be avoided, financial stability in Europe can still be achieved if organizations mitigate the impact of cyber threats on Information and Communication Technology (ICT).
When will the Digital Operational Resilience Act Come into Effect?
The official legislation is currently in draft form and must be submitted for approval by the European Parliament. The final regulation is expected to be published in 2022.
Once adopted, impacted organizations should be given a transitional period to comply with DORA's requirements.
Which Organizations will be Impacted by DORA?
DORA will impact all financial entities regulated at the EU level, including:
- The Financial Services Industry
- Payment institutions
- Investment firms
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Trading venues
- Financial system providers
- Credit institutions
What are the Main Requirements of DORA?
DORA presents its requirements across five key pillars:
- ICT Risk Management
- ICT Incident Reporting
- Digital Operational Resilience Testing
- Information and Intelligence Sharing
- ICT Third-Party Risk Management
Pillar 1: ICT Risk Management
Financial entities will be required to create and follow an ICT risk management framework supporting a business continuity strategy, recovery policies, and communication strategies.
It's important to establish a reliable communication channel with stakeholders. This new requirement builds upon existing guidelines, such as the EBA's guidelines on ICT and security risk management.
Stakeholders will shoulder the responsibility of ensuring business continuity by being involved in the following duties:
- Setting the degree of risk and impact tolerance for ICT disruptions.
- Developing and approving business continuity strategies.
- Developing and approving disaster recovery plans.
- Specifying security controls for all critical assets.
Response and recovery strategies should involve more than just a series of policies. The strict expectation of uninterrupted business operations will require the establishment of Information and Communication Technology redundancies that can take over disrupted processes.
The investment in such a system, which should also include backup and restoration networks, will require the input of stakeholders.
Pillar 2: ICT Incident Reporting
DORA will create a more streamlined reporting channel for ICT-related incidents, a welcome consolidation of the current multiple reporting requirements.
The number of reporting trigger events should be reduced, and reporting templates will be harmonized.
This is a step towards a completely streamlined reporting channel leading to a single EU hub instead of multiple National Competent Authorities (NCAs).
The EU-hub will collect all reports of major ICT-related events impacting financial entities. The gathered data will reveal any common vulnerability trends across the financial sector to support the further optimization of ICT resilience and security.
According to the new EU reporting rules, all financial firms will need to submit a root cause report within one month of a major ICT incident.
To support the timely submission of such reports, financial entities will need to implement reliable early warning indicators of ICT disruptions.
Pillar 3: Digital Operational Resilience Testing
To ensure the reliability of established ICT defenses, financial entities will need to undergo regular digital operational resilience testing conducted by independent parties - either internal or external.
These regular tests should be included in a digital operational resilience testing program comprising the following:
- Testing methodologies
- Testing procedures and tools
- Frequency of resilience tests
- Prioritization strategy for testing policies
This isn't a new requirement. Threat-Led Penetration Testing (TLPT) frameworks are currently mandatory for certain Financial Market Infrastructures (FMIs). DORA will expand testing requirements across the financial services sector, increasing the number of entities required to conduct mandatory testing.
The details of these expanded requirements will be outlined by the European Supervisory Authorities (ESAs) in a second piece of legislation expected to be published by the end of 2021.
DORA builds upon the cross-border testing recognition process of the voluntary TIBER-EU framework developed by the European Central Bank (ECB). This encourages the mutual recognition of resilience tests across EU member states to reduce duplicate testing.
This could also reduce the complexity and compliance cost for financial entities already undergoing this testing process.
Pillar 4: Information and Intelligence Sharing
DORA will permit and encourage the exchange of cyber threat information between entities within trusted financial communities. The objective of such information sharing is to raise awareness of new cyber threats, reliable data protection solutions, and operational resilience tactics.
Pillar 5: ICT Third-Party Risk Management
This is probably the most challenging pillar of DORA. Cloud Service Providers (CSPs) will be forced to comply with regulators if they are classified as 'critical.'
Some of the factors that would classify a Third-Party service provider as critical include:
- Degree of substitutability - Critical CSPs are more difficult to replace in the event of an operational disruption (either occurring internally or in the vendor's environment).
- The number of financial entities relying on the CSP for operational continuity.
ESAs will monitor the compliance of critical CSPs through both on-site and off-site inspections. Lead overseers could impose a non-compliance fine of up to 1% of daily worldwide turnover.
These compliance requirements will not supersede or replace existing regulations such as the General Data Protection Regulation (GDPR).
It's important to understand that the burden of DORA compliance does not fall entirely on critical third-party providers. Financial service entities will need to implement third-party risk programs to prevent operational disruptions caused by supply chain attacks and third-party breaches.
How to Prepare for the Digital Operational Resilience Act
2022 is fast approaching, and financial entities within the European Commission's scope need to start preparing for DORA's risk management requirements now.
The following action items will help your organization prepare for this legislative proposal.
1. Perform a Gap Analysis
A maturity risk assessment should be completed against all of DORA's requirements to determine every compliance gap. This will enable a more efficient reform of any impacted ICT systems.
2. Determine If You'll Be Classified as 'Critical.'
ICT third-party providers will need to determine whether they'll fall under the critical category. This will require an evaluation of all the characteristics that define criticality according to DORA.
Third-party providers that fall under this category will need to start planning how they will ensure compliance with the oversight framework - a strategy that could involve the establishment of dedicated regulatory teams and data security software.
Financial firms will also need to determine which of their third-party cloud service providers will be classified as critical.
The level of DORA compliance of all critical vendors should be tracked through risk assessments and third-party attack surface monitoring software.
All non-critical vendors should be mapped to alternate outsourcing options in case an ICT incident impacts any given vendor.
3. Implement a Threat-Led Penetration Testing Framework
Financial entities not currently implementing TLPT will need to source independent providers for this service.
ESA activity should be monitored closely so that the organization gains early visibility of the testing requirements as soon as the details become available.
4. Assess Response and Recovery Strategies
Current response and recovery strategies will need to be measured against DORA's requirements with a specific focus on the legislation's incident reporting process.
Alignment with DORA's reporting process could involve the optimization of current resource allocations and modifications to current internal reporting channels.