Decoding DORA – An Introductory Guide to Understanding the Digital Operational Resilience Act

As cybersecurity threats and operational disruptions become more prevalent, the need for robust ICT operational resilience is critical. The European Union’s Digital Operational Resilience Act (DORA) sets a new standard for resilience in the financial sector, with a compliance deadline of January 17, 2025.

Giles Inkson, director of services EMEA at NetSPI, delves into DORA and its implications for the financial sector. He highlights the urgency of aligning with DORA’s requirements and the core components that financial institutions need to focus on.


Giles Inkson, director of services EMEA at NetSPI

In an era where cybersecurity threats and operational disruptions are becoming increasingly common, the need for robust ICT operational resilience has never been more critical. The European Union’s Digital Operational Resilience Act (DORA) addresses this need by setting a new standard for financial sector enterprise service resilience.

As discussions about DORA become more widespread, it’s clear that financial institutions must pay close attention to the January 17, 2025, compliance deadline, and many are rightly preparing already.

This date underscores the urgency for organisations to align with DORA’s rigorous requirements, and understand their obligations under them. The following sections will help you understand more of what DORA entails and why meeting this deadline is vital for ensuring the stability and security of the financial sector.

Understanding DORA and its objectives

DORA is a legislative framework designed to ensure that financial institutions can withstand and recover from disruptions to their key services and systems, thereby safeguarding the stability of the broader economy through resilient providers. It is a regulation that introduces standardised processes for managing, reporting and reacting to ICT operational risks in the financial sector.

Its implementation is pivotal in fostering consistency and resilience across the sector, particularly as the sector becomes a more attractive target for cybercriminals. The act encompasses several key components, including the mandatory reporting of ICT-related incidents, rigorous risk management of third-party ICT service providers, and comprehensive operational resilience testing through methodologies such as TIBER-EU and threat intelligence-led penetration testing/red teaming.

One of the primary objectives of DORA is to create a resilient financial ecosystem that can effectively counter threats from various sources, such as cyberattacks, technological failures, and human errors, and whose participants communicate those threats effectively to each other to enhance the whole ecosystem. By ensuring that financial institutions can maintain their operations under adverse conditions, DORA aims to protect the stability of the financial system and, by extension, the economies of the region.

Keeping accountable with reporting under DORA

DORA’s mandatory incident reporting mechanism is vital for understanding the nature and frequency of disruptions, thereby enabling organisations to develop more effective mitigation strategies. By sharing information with each other about incidents, responses and near misses, financial institutions can learn from each other’s experiences and improve their resilience strategies.

This aspect of DORA extends beyond immediate incident management to encompass the management of ICT third-party risks. Financial institutions must ensure that their suppliers, including managed ICT service providers, IT hardware suppliers, and consultancy services, adhere to robust cybersecurity standards. This requirement aims to mitigate the risks posed by supply chain vulnerabilities, which have become a significant concern in recent years.

TIBER-EU impact on DORA

A cornerstone of DORA’s framework is the emphasis on operational resilience testing, particularly through TIBER-EU. This methodology involves conducting threat-led penetration testing and red teaming exercises to simulate real-world cyberattacks and identify vulnerabilities in critical systems. By subjecting financial institutions to rigorous testing, DORA ensures that they are prepared to respond effectively to actual threats.

TIBER-EU testing is mandated at least once every three years, with the possibility of more frequent, self-guided testing in the intervening years. This approach allows organisations to maintain a high level of preparedness while also providing flexibility in how they conduct these tests. The involvement of regulatory authorities in these exercises ensures that the testing is comprehensive and adheres to the highest standards.

Challenges in DORA compliance

Despite its comprehensive framework, the implementation of DORA is not without its challenges. Because the scope of DORA is so broad, businesses may struggle to prepare adequately, may rely on poor advice, and may misinterpret DORA’s values or guidance.

This could result in a patchy implementation, with numerous organisations believing they are compliant when they are not. There is also a significant number of organisations that may never have conducted similar tests but are now subject to them, crypto exchanges being a notable example.

Furthermore, the shift to threat-led methodologies such as TIBER-EU can be stark for organisations unaccustomed to such rigorous testing. The need for collaboration with trusted parties, vendors, and regulatory authorities adds another layer of complexity to the compliance process. However, these challenges underscore the importance of expert guidance and a clear, well-structured approach to implementing DORA.

The race to January 17th 2025

At its core, DORA aims to enhance the stability and security of the digital economy by ensuring that financial institutions can effectively manage and recover from disruptions. By safeguarding the operations of banks, payment providers, and other financial entities, DORA protects the broader economy from the cascading effects of operational failures.

The act’s emphasis on preparedness, resilience, and continuous improvement is vital for maintaining the functionality of financial systems and ensuring a swift return to normalcy following disruptions. In this way, DORA serves as a critical component of the European Union’s efforts to build a more resilient and secure financial sector.

As the compliance deadline of January 17, 2025, approaches, larger organisations are expected to lead the way in adopting these standards. However, all affected entities must start their preparations early to avoid the severe penalties associated with non-compliance. The proactive engagement of regulatory authorities, combined with regular intelligence sharing, will be crucial in achieving DORA’s objectives and enhancing the overall resilience of the financial sector.

In conclusion, DORA represents a transformative shift in how financial institutions approach cybersecurity and operational resilience. By fostering a culture of preparedness and continuous improvement, the regulation aims to protect the stability of the financial system and ensure the vitality of the European economy. Organisations must embrace this change and leverage expert guidance to navigate the complexities of compliance, ultimately contributing to a more resilient and secure digital landscape.

The post Decoding DORA – An Introductory Guide to Understanding the Digital Operational Resilience Act appeared first on The Fintech Times.
