What is DORA?
Cyber threats are everywhere. To protect the financial sector, the EU has adopted DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which applies from 17 January 2025. The aim is to ensure that all players in the financial sector can withstand, respond to and recover from ICT-related disruptions.
Why Does DORA Matter?
In our digital world, the operational resilience of a business is as crucial as its financial health. DORA sets out stringent standards for digital operational resilience.
To comply, organisations will have to bolster their IT infrastructures, enhance their incident reporting mechanisms and ensure that their service providers are up to scratch.
Who Needs to Pay Attention?
If your business is in the financial sector, whether a bank, an insurance company or a fintech startup, DORA is speaking directly to you. But related businesses will be affected too. Any business that provides ICT services supporting the critical or important functions of a financial entity will need to meet the contractual and monitoring requirements that DORA imposes on its customers.
DORA applies directly to a wide range of financial entities from its date of application. The list is not phased in; fund managers and market infrastructures are in scope from day one alongside banks and insurers:
- Credit institutions (banks) and other lending institutions.
- Insurance and reinsurance undertakings, and insurance intermediaries.
- Investment firms.
- Payment institutions and account information service providers.
- Electronic money institutions.
- Crypto-asset service providers.
- Managers of alternative investment funds and UCITS management companies.
- Financial market infrastructures such as trading venues, central counterparties (clearinghouses) and central securities depositories.
Other businesses fall within DORA’s reach because of their relationship with regulated firms. DORA does not regulate them directly, with one exception: ICT third-party service providers designated as critical by the European Supervisory Authorities come under a dedicated oversight framework. Everyone else is reached indirectly, because in-scope financial entities must flow DORA’s requirements down to their suppliers through contracts and ongoing monitoring:
- Companies providing IT and cloud services to financial entities.
- Consultants and advisors whose work touches the ICT systems or data of financial institutions.
- Suppliers of goods and services to the financial sector, especially if they play a critical role in the operational chain.
- Firms providing data analysis and processing services to financial institutions.
- Data centres or facilities that house critical IT infrastructure for financial entities.
Get Ready for DORA Now
Prepping for DORA is a smart move for any business linked to the financial world. It’s not just about avoiding the penalties. It’s about setting your business up for success. Here’s why:
- DORA’s requirements flow down the supply chain. Getting on board now means you’ll be ahead of the curve, future-proofing your business.
- DORA’s standards will fortify your business against cyber shocks that could otherwise cripple it.
- DORA early adopters will send a clear signal to customers, partners and investors that you’re serious about safeguarding their interests.
- DORA embeds a culture of vigilance and resilience throughout your business, transforming risk management from a headache into a habit.
- DORA builds trust, telling the world your business is a safe pair of hands. That opens doors, builds relationships and keeps your business growing.
To sum up:
Embracing DORA now is a strategic ace up your sleeve.
What’s Next?
Start by assessing your current cyber security practices and identify where changes are needed. Remember, this is about more than avoiding penalties. It’s about ensuring you can withstand and recover from cyber incidents. Focus on the following key areas:
ICT Risk Management
- Map ICT systems, identifying all assets, systems, processes and dependencies, including those supporting critical or important functions.
- Classify critical assets and functions within your ICT infrastructure.
- Conduct continuous risk assessments to identify potential threats and vulnerabilities.
- Implement robust cybersecurity measures, including identity and access management, patch management and security controls.
- Document your risk management activities, including assessments, threat classifications and mitigation strategies.
Incident Response and Reporting
- Establish systems for the monitoring and management of ICT-related incidents.
- Develop a framework for classifying incidents based on severity and impact, using DORA’s classification criteria: clients and transactions affected, duration and service downtime, geographical spread, data losses, criticality of the services affected and economic impact.
- Define protocols for reporting incidents, ensuring compliance with DORA’s requirements.
- Create and regularly update incident response plans, detailing roles, responsibilities and procedures for addressing incidents.
Digital Operational Resilience Testing
- Conduct regular tests of your ICT systems to identify and address vulnerabilities.
- For entities identified by their competent authority, plan and execute threat-led penetration testing (TLPT) on live production systems at least every three years, aligned with the TIBER-EU framework.
- Document the findings from all tests together with remediation plans. For TLPT, submit a summary of the findings and the remediation plans to the relevant authority, which issues an attestation that the test was carried out.
Third-party Risk Management
- Ensure your ICT third-party service providers meet DORA’s standards, and maintain a register of information covering all contractual arrangements with them.
- Negotiate and maintain contracts that clearly define expectations, responsibilities and compliance requirements, including service levels, data location, audit and access rights, incident support and exit strategies.
- Monitor and review the performance and compliance of third-party providers.
Board of Directors’ Responsibilities
- The board bears ultimate responsibility for managing ICT risk under DORA and should approve and oversee a comprehensive Digital Operational Resilience Strategy.
- The board should set policies that maintain the confidentiality, integrity and availability of data and systems.
- The board should establish a governance framework which reviews the ICT strategy and its effectiveness, and ensure that board members receive the training needed to understand ICT risk.
ICT-related Incident Reporting
- Define what constitutes a “major” incident in the context of your operations and DORA’s requirements.
- Develop a process for the timely reporting of major incidents to your competent authority in three stages: an initial notification, an intermediate report and a final report, within the deadlines set by DORA’s technical standards (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; intermediate report within 72 hours of the initial notification; final report within one month). Clients whose financial interests are affected must also be informed without undue delay.
- Review the effectiveness of incident reporting and make improvements where necessary.
What if my business is not listed?
While DORA’s initial focus is on the financial sector, its principles are relevant for any business which uses digital technology. Operational resilience is critical, and DORA is your ally. We urge you to begin the journey now.
- Start with Cyber Essentials, the UK government-backed scheme which provides a solid foundation in cybersecurity. It covers basic cyber hygiene practices which protect against common online threats.
- After mastering the basics, move on to Cyber Essentials Plus. This provides a higher level of assurance through external testing of your cybersecurity measures.
- Advance to IASME Governance Gold (the standard is now called IASME Cyber Assurance), a comprehensive certification that includes aspects of GDPR, risk assessment and staff awareness, in addition to the Cyber Essentials controls.
- Next, target ISO/IEC 27001, an international standard for information security management.
AND …
- Incorporate DORA’s principles which can provide a competitive edge and ensure preparedness for potential future regulations.
The All-Important Takeaway
DORA is more than just a new set of rules. It’s a wake-up call. As cyber threats evolve and proliferate, businesses must prioritise digital operational resilience.
Meeting DORA’s requirements will leave your business better prepared, protected and resilient.
Appendix
DORA Compliance Checklist
Phase 1: Preparation and Planning
- Review the Digital Operational Resilience Act (DORA) to understand its scope and implications for your business.
- List all internal and external stakeholders involved in DORA compliance, including IT, compliance, risk management and third-party service providers.
Phase 2: ICT Risk Management
- Document all ICT systems, assets and dependencies.
- Identify and categorise critical assets and functions.
- Perform thorough risk analyses of ICT systems.
- Establish and deploy robust cybersecurity protocols and measures.
- Maintain detailed records of all risk management activities and decisions.
Phase 3: Incident Response and Reporting
- Create a comprehensive plan for responding to ICT-related incidents.
- Define procedures for internal and external incident reporting.
- Regularly test and update the incident response plan.
Phase 4: Digital Operational Resilience Testing
- Plan and execute regular testing of ICT systems to identify vulnerabilities.
- For entities identified by their competent authority, ensure that threat-led penetration testing is carried out at least every three years.
- Record test results and remediation actions, and report to relevant authorities as required.
Phase 5: Third-party Risk Management
- Evaluate all ICT third-party service providers for compliance with DORA standards and record every contractual arrangement in the register of information.
- Ensure contracts with third parties align with DORA requirements.
- Regularly review third-party performance and compliance.
Phase 6: Board of Directors’ Involvement
- Ensure active board participation in developing and overseeing the Digital Operational Resilience Strategy.
- Establish a framework for ICT governance and risk management at the board level.
Phase 7: ICT-related Incident Reporting
- Establish what constitutes a major incident and the thresholds for reporting, using DORA’s classification criteria.
- Create efficient processes for submitting initial, intermediate and final reports on major incidents to your competent authority within the required deadlines.
- Continuously assess and refine the incident reporting mechanism.