Introduction to DORA
The European Union is set to improve ICT resilience standards within the financial sector through the introduction of the Digital Operational Resilience Act (DORA). The legislation, applicable to all companies indirectly dealing with the financial sector, aims to harmonise digital resilience throughout the European Union by introducing requirements on ICT risk management, third-party lifecycle management and ICT-related incident reporting.
DORA will form a regulatory framework on digital operational resilience, with in-scope entities required to ensure they can withstand all types of ICT-related disruptions and threats. The act’s core objective is to subject financial system participants to a common set of standards to manage ICT risks and ensure safeguards are in place to protect, detect, identify, respond, and recover from cyber-attacks.
ICT Risk Management
Entities subject to DORA must adopt ICT governance and control frameworks, including an IT risk management framework that is documented and reviewed annually. The framework must incorporate identification, protection and prevention, detection, response and recovery, learning, and evolving. The aim is to ensure entities can manage ICT risks effectively.
ICT Incident Reporting
DORA streamlines ICT incident reporting through the logging and classification of ICT incidents, reporting of major incidents to competent authorities using common templates and procedures.
Digital Operational Resilience Testing
DORA requires basic digital operational resilience testing at least yearly for all financial entities and advanced threat-led penetration testing at least every three years. The aim is to ensure entities can perform under stress.
Management of ICT Third-Party Risk
Entities must monitor third-party contractual arrangements at all stages and enable European Supervisory Authorities (ESAs) oversight of ICT third-party service providers deemed ‘critical’ by ESAs. This is to ensure that the entities’ systems are not affected by a third party’s lack of security protocols.
Information-Sharing Arrangements
Entities must participate voluntarily in intelligence sharing through the exchange of cyber threat information among financial entities, including tactics, procedures, and signs of compromise. This information exchange will help entities to detect and respond to threats.
Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.
Impact on the Financial Sector
The DORA act will impact those who operate within the financial sector. The regulation aims to strengthen the financial sector’s resilience to ICT-related incidents and introduces very specific and prescriptive requirements that are homogenous across EU member states. Critical ICT third-parties which provide ICT-related services to financial institutions, such as cloud platforms, data analytics, and audit services, are also subject to this new regulation.
Organisations need to be able to withstand, respond and recover from the impact of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and the financial system. This is only achievable by establishing robust measures and controls on systems, tools and third parties, by having the right operational continuity plans in place, while testing their effectiveness on a continuous basis.
By adopting established standards such as ISO27001, ISO 22301, and ISO 27036, organisations will be able to demonstrate compliance under the DORA regulation. A first step towards compliance is to undertake a gap analysis to measure the organisation’s state of readiness and preparedness.
NDC Certification Services and our trusted partners can help organisations meet the challenge with confidence as we are specialists in ISO integrated management systems. ISO27001, ISO 27036, and ISO 27035 are all designed to align and integrate to help organisations consolidate and manage multiple ISO standards. Our software platform, ISOcomply, helps organisations manage multiple standards using our customisable platform.
ISO Standards
ISO27001, ISO 27036, and ISO 27035 are all designed to align and integrate to help organisations consolidate and manage multiple ISO standards. ISO27001 provides a framework for establishing, implementing, maintaining, and continually improving information security management systems.
ISO 27036-2 provides guidance on the process of managing information security risks associated with supplier relationships. It is designed to be used in conjunction with ISO27001.
ISO 27035-3 gives guidelines for information security incident response in ICT security operations. It focuses on information security incident response in ICT security operations, including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery, and conclusion.
Conclusion
The Digital Operational Resilience Act (DORA) is set to introduce a regulatory framework on digital operational resilience, with entities subject to the act required to ensure they can withstand all types of ICT-related disruptions and threats. The act’s core objective is to subject financial system participants to a common set of standards to manage ICT risks and ensure safeguards are in place to protect, detect, identify, respond, and recover from cyber-attacks.
Entities that operate within the financial sector must adopt established standards such as ISO27001, ISO 22301, and ISO 27036 to demonstrate compliance under the DORA regulation. NDC Certification Services, along with trusted partners, can help organisations meet the challenge with confidence, as we are specialists in ISO integrated management systems.
The introduction of DORA is a significant step towards ensuring the resilience of the financial sector in the face of increasing cyber threats. Its requirements are comprehensive and specific, and entities that comply will be better equipped to withstand, respond, and recover from cyber-attacks.