Digital Operational Resilience Act
The financial services industry is focused on the upcoming EU regulation known as the Digital Operational Resilience Act (DORA). This regulation aims to enhance the operational resilience of financial institutions, with a comprehensive approach that goes beyond managing third-party IT service providers. With the enforcement date of January 17, 2025, approaching, it’s imperative for organisations to start their preparations now.
UK Impact
UK entities, though not directly bound by this EU regulation, will still be impacted due to their operations within the EU market or with EU clients. UK firms must align their resilience and compliance strategies with DORA to remain competitive and ensure seamless cross-border operations. This involves adopting similar standards, ensuring compatibility with EU regulations, and preparing for potential EU supervisory scrutiny.
What’s The Deal With DORA?
DORA is designed to establish a robust framework for managing IT risks within the EU financial sector. It mandates companies to develop capabilities for protection, detection, containment, recovery, and repair in response to IT-related incidents. While some technical standards have been adopted, many of DORA’s security control requirements are still being finalised. It’s anticipated that DORA will align with the European NIS2 directive, which is an evolution of the ISO 27001/2 control framework. This means that many organisations may already meet some of the forthcoming requirements, but additional adjustments will be necessary.
Notably, the UK is also in the process of adopting a similar regulation, CP26/23, which will override NIS2 in its financial sector, just as DORA will in the EU.
What You Need to Know About DORA Compliance Without Jargon
DORA’s approach is holistic, requiring institutions to:
- Secure Critical IT Systems – To ensure operational resilience against IT disruptions and cyber threats, organisations must implement a comprehensive strategy for identifying critical IT services.
- Conduct Risk Assessments and Threat Modelling – Organisations must perform regular risk assessments and threat modelling to identify vulnerabilities and potential threats. This approach ensures that institutions can anticipate and mitigate risks before they materialise into significant issues.
- Develop Incident Response Plans and Recovery Procedures – It’s essential for organisations to have comprehensive incident response plans and recovery procedures in place, which include mechanisms for reporting breaches or other cyber incidents to their respective supervisory authorities. These plans should detail the steps to be taken in the event of a security breach or IT incident, ensuring quick containment and recovery to minimise operational disruption.
- Maintain a Register of Critical Functions and Dependencies – Companies must maintain a detailed register of critical functions and dependencies, including both internal and third-party resources. This register helps in identifying and categorising essential services and their interdependencies, facilitating better risk management and resilience planning.
- Register of Information – Companies must provide detailed reports to the Supervisory Authority, categorising IT services that support critical and important functions.
- Prioritise Contractual Security – For lasting business resiliency, organisations must prioritise enforcing required security controls through robust contractual agreements with IT providers. This includes developing a comprehensive exit strategy for all partnerships.
Getting Ready for DORA Compliance
To prepare for DORA, organisations should start by analysing their current risk management processes, identifying gaps, and exploring potential solutions. Here are some steps to guide your preparation:
- Adopt Strong Security Frameworks – Begin by implementing or enhancing your Information Security Management System (ISMS) to align with ISO 27001/2 standards. This establishes a strong foundation for your security controls.
- Conduct Comprehensive Risk Assessments – Regularly assess risks and conduct threat modelling to identify vulnerabilities and potential threats. This helps in anticipating risks and implementing mitigation strategies effectively.
- Develop Robust Incident Response Plans – Create detailed incident response plans and recovery procedures to ensure quick and effective response to IT incidents. These plans should be tested and updated regularly.
- Maintain a Register of Critical Functions – Compile and maintain a register of all critical functions and dependencies, including internal operations and third-party services. This register should be kept up to date and reviewed periodically.
- Monitoring and Reporting – Implement continuous monitoring of IT services and establish mechanisms for incident reporting. This ensures that you can quickly gather and report information in case of a breach, maintaining compliance with DORA’s requirements.
Strengthening the Resilience of Financial Services
The frequency of cyberattacks on European financial services is rising. In 2023 alone, the number of attacks doubled, making the industry one of the most targeted within the EMEA region. Additionally, a significant portion of organisations has experienced third-party-related business interruptions in recent years. Given this landscape, it’s no surprise that many organisations see security threats as a top priority. The impending DORA compliance requirements, although not fully detailed yet, offer a structured approach to mitigating these risks.
Not Just a Tick Box
The implementation of DORA is a significant step toward ensuring the operational resilience of the financial sector in the EU. As the enforcement date draws nearer, it’s imperative for organisations to start preparing, not only by understanding the regulation but also by fortifying their defences against the ever-increasing threats in the digital landscape, gaining additional benefits such as improved customer trust and reduced business disruptions along the way.
Start your preparation today to stay ahead of the curve and secure your organisation’s future.
Our guest author is Andrew Trovalusci, an experienced and versatile Global IT Director within Financial Markets with a strong focus on IT risk and resilience.