Find out if your organization must comply with DORA, and learn more about the new digital security requirements
If your organization offers financial services within the European Union, or provides information and communication technology (ICT) services to EU financial entities as a third party, chances are good that you will need to comply with the new regulation governing the European Union's financial sector.
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force on January 16, 2023. Full compliance with DORA becomes mandatory on January 17, 2025, two years after entry into force and just over a year from now.
For organizations outside the EU, whether DORA affects you depends on your footprint in the EU financial industry. For example, organizations in the U.S. that offer financial services within the European Union, or that provide ICT services as a third party to EU financial entities, will be expected to demonstrate compliance with DORA by January 17, 2025. Note that third-party providers are reached mostly indirectly, through the contractual and due-diligence obligations DORA places on their financial-entity customers; only providers designated as critical ICT third-party providers fall under direct oversight by the European Supervisory Authorities.
The Reason, Purpose, and Scope of DORA
According to the EU's own description of DORA, the regulation solves an important problem in the EU. Prior to DORA, financial institutions managed the main categories of operational risk primarily by allocating capital against those categories, but they did not manage all components of operational resilience or cybersecurity.
Purpose. The purpose of DORA is to address expanding threats from cyberattacks due to the growing reliance on digital technology within the financial industry in the EU. DORA creates a new, comprehensive regulatory framework for digital and operational resilience, integrating the patchwork of financial regulations related to information and communication technology (ICT) that has made compliance such a challenge in the European Union.
Scope. The scope of DORA is broad, encompassing credit institutions, payment and e-money institutions, investment firms, insurers and reinsurers, trading venues, crypto-asset service providers, and similar regulated entities. DORA also sets an important precedent by bringing critical third-party ICT providers under direct oversight by the European Supervisory Authorities in order to strengthen supply chain security.
Focus. This new Digital Operational Resilience Act focuses specifically on information and communication technology risk and establishes explicit rules for ICT risk management, incident reporting, operational resilience testing, risk monitoring of third-party providers, and information sharing.
Security Topics. Like many of the well-established cybersecurity frameworks and models, the DORA standards encompass topics such as ICT security policies, procedures, protocols, and tools, including requirements for governance, ICT risk management, asset management, encryption and cryptography, ICT operations security, network security, project and change management, physical security, and information security awareness and training.
The DORA security standards also encompass human resources policy and access control, ICT-related incident detection and response, business continuity management, and reporting on the ICT risk management framework review.
DORA Security Requirements
As we've noted, the requirements of the Digital Operational Resilience Act focus on information and communication technology, the EU term for what is usually called information technology (IT) in the United States. The requirements are organized into five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and the sharing of threat information across financial entities and member states in the EU.
Following is a high-level outline of these five pillars, with a few of the primary requirements in each. Much of the content will look familiar to organizations that already follow the NIST Cybersecurity Framework or U.S. financial regulations.
ICT Risk Management
Concerned with best practices for ICT risk management (including identifying, preventing, responding to, and recovering from cyber threats), this category also notes the importance of learning from incidents. Key requirements include:
- Setting up and maintaining resilient ICT systems and tools designed to manage potential ICT risks and their impacts.
- Performing ongoing event monitoring for cybersecurity and ICT to enable risk prevention or response.
- Developing and implementing business continuity and disaster recovery (BC/DR) strategies for ICT-related incidents.
ICT Third-Party Risk Management
Third-party risk management is a core component of DORA, which has set an important and welcome precedent by including third-party providers under the regulation in order to strengthen supply chain security.
One of the central requirements specifies the content of contracts between financial entities and their third-party service providers, especially pertaining to the use of information and communication technology (ICT) services that support critical or important functions at the financial entity. These requirements encompass all phases of the third-party relationship, including:
- The planning and development of contractual arrangements, including the required risk assessment, due diligence activities, and the process for approving new or material changes to third-party contractual arrangements.
- The implementation, monitoring, and management of contractual arrangements for the use of ICT services that support functions considered either important or critical.
- The relationship exit strategy and contract termination processes.
Digital Operational Resilience Testing
DORA requires EU financial entities to establish and maintain a digital operational resilience testing program as part of their ICT risk management framework, so that evolving ICT risks are identified and addressed before they cause an incident. Some of these requirements include:
- Performing periodic tests of the ICT systems and tools that support the ICT risk management framework.
- Mitigating or eliminating any identified deficiencies, weaknesses, or vulnerabilities.
- Developing testing appropriate to the size, business, and risk profile of the organization.
- For financial entities identified by their competent authority as having a higher risk exposure, conducting Threat-Led Penetration Testing (TLPT), a red-team style exercise against live production systems, at least every three years.
ICT-Related Incident Reporting
Accountability and transparency have become regulatory watchwords in the United States with each new piece of federal and state legislation. The European Union already has cross-sector breach notification duties under GDPR and the NIS rules; DORA adds a sector-specific regime for ICT-related incidents in finance, with harmonized classification criteria, timelines, and templates. The new incident management and reporting requirements include:
- Creating processes to detect, log, and classify ICT-related incidents, including a determination of which are "major" under DORA's classification criteria.
- Reporting major ICT-related incidents to the competent authority using the prescribed templates and procedure, in stages: an initial notification, an intermediate report, and a final report.
- Informing clients without undue delay when a major incident affects their financial interests, and voluntarily notifying significant cyber threats to the competent authority where appropriate.
Information Sharing
As has been demonstrated repeatedly in the U.S., the sharing of information among organizations within an industry can improve the prevention, detection, and response to cyberattacks. DORA permits and encourages financial entities to exchange cyber threat information and intelligence, such as indicators of compromise, tactics and techniques, and security alerts, within trusted communities, under arrangements that protect business confidentiality and personal data. Participating entities notify their competent authorities of these arrangements. Working out which data is best shared, how to share it efficiently, and how to act on it is expected to be an industry effort that will evolve over time.
Technical Standards Due in 2024
The European Supervisory Authorities, established in 2011 to replace the predecessor supervisory committees, were tasked with developing technical standards that give specific guidance to financial organizations governed by DORA. The standards include regulatory technical standards (RTS) and implementing technical standards (ITS).
The European Supervisory Authorities are the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority, all regulatory entities in the jurisdiction of the EU.
Under DORA, the European Supervisory Authorities are required to jointly develop a total of 13 policy instruments in two sets, the first of which must encompass regulatory technical standards for:
- The ICT risk management framework that will govern an organization’s cybersecurity and compliance,
- A simplified framework for smaller financial entities,
- The classification of ICT-related incidents preparatory to incident reporting, and
- The specification of policy for ICT services performed by third-party providers.
This first set also includes an implementing technical standard that establishes the templates for the register of information on contractual arrangements with ICT third-party providers. The templates and timelines for incident reporting are part of the second set.
According to a joint press release from the European Supervisory Authorities, the first of the two sets of standards has undergone public review and is scheduled to be finalized by January 2024. The second set is due to be finalized by June 2024.
These delivery dates, especially the second, may place pressure on regulated organizations that must comply with DORA by January 2025. One smart approach for potentially affected organizations is to become familiar with the first set of finalized standards when they are published in January. Compare them with your current compliance actions driven by GLBA or FINRA, for example, to identify gaps. And conduct the same process when the second set is published in June 2024. Taking a proactive approach will avoid deadline pressures around this time next year.
Summary
The Digital Operational Resilience Act (DORA) creates a new, comprehensive regulatory framework to address growing threats from cyberattacks and growing reliance on digital technology within the financial industry in the European Union. DORA consolidates the patchwork of financial regulations related to information and communication technology (ICT) that has made compliance such a challenge in the EU. Significantly, DORA is the first regulation of its kind to bring critical third-party providers of ICT services under direct oversight by the European Supervisory Authorities in order to enhance supply chain security.
If your organization offers financial services within the European Union or provides third-party ICT services to financial entities in the EU, you are likely to fall within the scope of DORA. With full compliance due by January 17, 2025, it would be wise to learn more about the regulatory requirements of DORA and how they may affect your organization.