The evolving threats and risks of the digital landscape are having a rapid and significant impact on security regulations and governance. While every business must now adhere to higher data protection standards, some industries face more complex guidelines than most.
The EU's Digital Operational Resilience Act (DORA), adopted by the European Parliament in November 2022, shows how regulatory compliance is changing in the financial sector. Once it applies in full, the act will align the security and privacy strategies of financial institutions with the EU's expectations for digital resilience and ICT risk management.
DORA will push companies to focus on implementing a digital resilience strategy accompanied by an ever-evolving framework for risk and security assessment.
Here’s what financial companies need to know about the impending DORA regulation.
What is DORA (digital operational resilience act)?
The Digital Operational Resilience Act is a binding EU regulation (Regulation (EU) 2022/2554) that sets ICT risk management and cybersecurity requirements for the EU financial services sector.
The regulation was adopted by the European Parliament and the Council, with the European Supervisory Authorities (the EBA, EIOPA and ESMA) drafting the detailed technical standards. Its purpose is to upgrade and consolidate ICT risk resilience across the financial system: under DORA, every financial entity in the EU is subject to the same standards for identifying, reducing, auditing, and mitigating cyber risk.
National competent authorities will evaluate each financial institution on whether it has implemented the required safeguards for digital security. Companies will need to demonstrate that they can withstand, respond to, and recover from ICT-related disruptions and threats to business continuity.
The act also introduces an oversight framework for ICT third-party service providers that are designated as critical to the financial sector, such as cloud and technology companies, and requires financial entities to manage the risk of those relationships.
Who does DORA apply to?
DORA applies to a wide range of financial entities and to the ICT service providers that support them, including providers based outside the European Union. According to the European Parliament, around 22,000 financial entities and ICT service providers will be affected.
The list of companies required to upgrade their risk management and enterprise cybersecurity based on DORA includes:
- Banks
- Credit institutions
- Credit rating agencies
- Account information service providers
- Pension funds
- Crypto-asset service providers
- Investment firms
- Insurance providers
- Crowdfunding providers
- Alternative investment fund managers
- Insurance intermediaries
- ICT third-party service providers
While the DORA requirements for companies offering ICT services differ somewhat from those for financial entities, any company providing such services to financial institutions will also need to rethink its approach to managing cyber threats.
Notably, although DORA is an EU regulation, supervised by the European Supervisory Authorities together with national competent authorities, it can reach companies outside the EU. Organizations that provide ICT services to EU financial entities, or that have offices within the EU, may be subject to the regulation, much as the General Data Protection Regulation (GDPR) applies beyond the EU's borders.
What are the requirements for digital operational resilience?
The text of DORA, published in the Official Journal of the European Union, covers a wide range of security and ICT risk management requirements.
At its core, DORA requires companies to continuously monitor their ICT systems and security controls in order to minimize risk. Every financial institution will need to take proactive steps towards risk management, regularly reviewing both its own security measures and the risk posed by its third-party providers.
DORA requires companies to organize response and recovery measures for security incidents, implement strategies to control operational risk, and invest in the tools, policies, and procedures needed to do so.
DORA also requires organizations to keep expanding and evolving their risk-based policies to ensure continuous resilience. In practice, businesses will need to define and measure KPIs across their security landscape on an ongoing basis.
What are the pillars of operational resilience?
DORA establishes a framework that every financial entity and its suppliers must follow to maintain operational resilience. The key pillars for risk reduction include:
- Proactive risk management and governance: DORA lays out guidelines for minimizing risk in the financial sector. These guidelines encourage companies to build more mature programs for risk management, and leverage tools for monitoring ICT services.
- Resilience testing: To preserve resilience in the financial services sector, companies will be required to implement digital operational resilience testing programs, ranging from vulnerability scanning to threat-led penetration testing for the largest entities. This may involve automated tools to identify and correct issues before they threaten operations.
- Intelligence sharing: Threat actors targeting the financial industry often attack multiple organizations at once. DORA encourages financial entities to share cyber threat intelligence with one another to improve awareness of potential attacks.
- Supply chain management: DORA places strict requirements on financial institutions for managing their relationships with suppliers, such as ICT providers. Every financial firm must have strategies in place for managing the risks of critical third-party connections.
- Incident reporting: DORA harmonizes the reporting of major ICT-related incidents to competent authorities, encouraging rapid investigation and response to reduce their impact. Insights from reported incidents can also help other entities detect intrusions in their own environments.
- Audit access: Under DORA, financial institutions must secure contractual audit and access rights over their ICT providers, and regulators can audit across the financial sector supply chain. This means companies must be able to produce evidence and reports on demand.
- Retrospective analysis: DORA encourages studying and revising policies based on both internal and external incidents. This is intended to reduce the risk of multiple financial companies being hit by the same kinds of attacks.
How can businesses stay compliant with DORA regulations?
DORA's requirements will put increased pressure on financial services providers to rethink their ICT risk management framework. To comply, companies will need a comprehensive, documented strategy that details all the measures in place to protect information and ICT assets.
For most companies, compliance will start with a comprehensive audit or compliance risk assessment. Business leaders will need to show they understand their ICT third-party risk, with policies, procedures, tools, and protocols that cover the full supply chain and operational workflow.
Importantly, business leaders will also need to be prepared to update and report on their risk management strategies continuously. DORA requires the ICT risk management framework to be subject to internal audit on a regular basis, and teams will have to monitor the effectiveness of their third-party risk management and digital operational resilience strategy over time.
DORA places emphasis on follow-up in the event of cyberattacks, as well as comprehensive analysis, evaluation, and insight sharing.
What is the status of DORA?
DORA has been adopted and entered into force on 16 January 2023, but its requirements only apply from 17 January 2025. This gives companies approximately 24 months from publication to become compliant.
After this deadline, competent authorities will begin to examine the risk and compliance strategies of financial services firms, and those that do not comply may face significant fines and other supervisory measures.
How can RiskRecon help me?
RiskRecon by Mastercard is an innovative solution provider, ready to support companies in the quest to become DORA compliant. The RiskRecon technology provides automated risk assessments tuned to the risk appetite of each user.
With RiskRecon, companies can comprehensively evaluate their third-party and supply chain risks, and proactively monitor their threat landscape, ensuring they’re in line with the latest regulations. The convenient ecosystem provides comprehensive visibility, valuable reporting tools, and in-depth analytics to businesses throughout a range of industries.
To learn more about how RiskRecon can help your business to achieve DORA compliance, access your 30-day free trial of the RiskRecon platform here.