
Navigating the Digital Operational Resilience Act (DORA)


The European Union is on the verge of a regulation that will dramatically alter the digital operational framework for financial institutions. The Digital Operational Resilience Act (DORA) is a comprehensive package of rules designed to increase the resilience of financial systems against cyber threats and other risks posed by digital transformation.

The implications of DORA are far-reaching, touching on everything from IT security procedures to incident response plans and customer communication protocols.

As we explore the complexities of DORA, it becomes clear that to prepare, financial organisations must focus on the four pillars of data: availability, authenticity, integrity, and confidentiality.

 

Understanding Cyber Resilience

 

Cyber resilience refers to an entity’s ability to deliver the intended outcome despite continuous adverse cyber events. Effective cyber resilience encompasses the ability to withstand, quickly adapt to, and recover from cyber incidents that could compromise the confidentiality, integrity, or availability of digital resources.

 

A Framework for Cyber Resilience – DORA

 

DORA is an ambitious legislative proposal that seeks to establish a harmonised framework for overseeing outsourcing arrangements, IT operations, and IT risk management in the financial sector. It applies to various financial institutions, from banks and payment service providers to stock exchanges and clearing houses.

With DORA, the EU is sending a clear message that digital operations cannot be siloed; they must be integrated into the broader context of operational resilience.

The regulation demands a holistic approach to digital risk management, beginning with mapping an organisation’s complex digital dependencies. This means understanding not only your primary systems but also the many services and platforms on which they rely.

The goal is to identify and assess the potential vulnerabilities in every link of the chain and to develop robust strategies for preventing, detecting, and resolving incidents. Legacy applications are particularly susceptible to vulnerabilities and may pose heightened risks to operational resilience. When conducting an internal study and analysing all systems, your analysis must cover the following areas.

 

 

ICT Risk Management

A robust ICT risk management process ensures that all potential vulnerabilities and threats are identified, assessed, and mitigated in a structured manner. Within this section, companies must define critical responsibilities for the control function, ensuring accountability in implementing and overseeing ICT security measures.

 

ICT Third-Party Risk Management

With many financial institutions relying on third-party services, rigorous management of these relationships is crucial to maintain resilience and prevent breaches that could stem from external partners.

This part of the framework aligns with the previous tasks, where the company must define responsibilities for controlling internal and external risk management.

 

Oversight of Critical Third-Party Providers

Critical third-party service providers must be subject to thorough oversight to minimise the risk they might pose to the financial sector’s operational resilience. This includes establishing policies, procedures, protocols, and tools for network security management and for securing information in transit, which contribute to overall digital and operational resilience.

 

Digital Operational Resilience Testing

Regular testing of digital operations helps identify weaknesses and enables proactive measures against cyber threats, emphasising the importance of maintaining the integrity, confidentiality, and availability of data and systems. Each company will need to implement policies and procedures for assessing the criticality of ICT assets.

 

ICT-Related Incidents

Proper incident response plans and reporting mechanisms allow for effectively managing any ICT-related security incidents. These plans cover operating procedures, capacity and performance management, vulnerability and patch management, data and system security, and logging.

 

Information Sharing

Financial entities can benefit from collective intelligence and improve their defence mechanisms by sharing information on risks and breaches. This part of the framework also underlines the critical role of encryption in safeguarding sensitive data and proposes a comprehensive policy for cryptographic controls.

This goes beyond what you share with your providers, clients, or employees. It also involves continuously improving your cyber resilience and facilitating communication with competent authorities.

A crucial part of implementing all of the above is ensuring that your company promotes cyber awareness. Incorporating cyber resilience in your company, in line with the DORA regulation, calls for ICT security awareness programs and digital operational resilience training to enhance the organisation’s cyber awareness and preparedness.

 

 

Preparing for DORA

 

The European Supervisory Authorities (the EBA, EIOPA, and ESMA) have been tasked with developing a suite of policy products to facilitate the application of DORA. Engaging with the European Union Agency for Cybersecurity (ENISA), they aim to standardise elements such as ICT security policies, access management, anomaly detection, business continuity, and response and recovery plans.

The implementation of DORA is foreseen for the beginning of 2025 and is thus still under construction. Below, we will discuss the four crucial pillars of the act so you can prepare your business to adapt to future policies.

 

Availability

In the context of DORA, availability refers to the accessibility of data and IT services. Financial institutions must ensure their systems can be accessed and operated as agreed, regardless of scheduled maintenance or unexpected incidents. High availability is not just about meeting standards; it is about delivering on the fundamental promise of service that underpins trust in the sector.

Ensuring that your data is accessible requires a meticulous audit of your IT systems and services. Identify single points of failure and address them with redundancies and contingency plans. Utilise advanced monitoring tools to constantly monitor system health and performance.

Collaboration is critical to maintaining availability. This means working closely with third-party providers to ensure their services uphold your availability targets. It also means coordinating with other financial institutions to establish industry-wide protocols for maintaining service during crises.

 

Authenticity

Authenticity is another critical element of DORA. Financial institutions must be able to verify data’s origin and IT processes’ integrity. This is foundational to preventing fraud and maintaining the accuracy of financial information.

Implementing Digital Signatures

Digital signatures play a significant role in ensuring the authenticity of data in a digital environment. By employing solid cryptographic techniques, financial institutions can create a digital ‘fingerprint’ of their documents that is virtually impossible to forge.

Strengthening Identity Verification

In addition to data, the authenticity of transaction participants is also critical. Robust identity verification processes are essential. This includes multi-factor authentication for customers and comprehensive access controls for employees.

 

Integrity

Data integrity ensures that information is complete, accurate, and up-to-date. Data integrity is non-negotiable in the financial sector, where decisions are made based on the latest and most precise information.

Monitoring for Manipulation

Detecting and preventing unauthorised data changes is a constant battle. Implement tools and processes that monitor unusual activity and take proactive steps to secure critical data.

Employing Robust Change Management

Changes to IT systems can introduce new risks to data integrity. A stringent change management process is necessary to evaluate and authorise updates and to back out of changes that cause unexpected issues.

 

Confidentiality

Financial institutions handle sensitive information, including personal data and proprietary business data. Maintaining the confidentiality of this information is vital to compliance with DORA and to preserving the trust of customers and stakeholders.

Employ best practices for the secure storage and transmission of data. This includes encryption, access controls, and secure communication channels. Human error is one of the leading causes of data breaches. Thus, there must be controlled access to all sensitive data.

 

 

Organisational Strategies for Resilience

 

For financial institutions, crafting an organisational resilience strategy is about compliance with DORA and safeguarding the trust of their customers and stakeholders. This strategy should incorporate ICT security policies and procedures that secure networks, protect data integrity, and ensure continuity of services.

Financial entities must tailor these strategies to address their specific risk profiles, nature, scale, and complexity of services. Customisation is critical, considering the organisation’s size and the distinct nature of activities across different financial sectors.

 

Proactive Risk Assessments

Conducting proactive risk assessments can provide a quick overview of your organisation’s digital operational resilience. This information is critical in prioritising compliance efforts and resources.

 

Partnering for Preparedness

Strategic partnerships with compliance experts and technology providers can accelerate the implementation of necessary changes and ensure that your institution is well-positioned to meet the rigorous demands of DORA.

 

Legacy Systems

A considerable challenge in the journey towards DORA compliance is the prevalence of outdated legacy systems within the financial sector. While integral to current operations, these systems must be revised to meet DORA’s stringent requirements.

Legacy systems present two problems. First, they are more vulnerable to cyber-attacks due to outdated security protocols. Second, they are harder to update or maintain due to age and difficulty finding qualified personnel to support them.

Deciding to Modernise or to Archive

For many financial institutions, the question is not whether to modernise but how and when. Modernisation efforts may be massive undertakings involving changes to core systems and processes. They require a long-term commitment and a carefully phased approach to minimise disruption.

The most cost-effective way is to archive the information needed to continue operational activities or comply with audits. Within DORA standards, everything must be available and authentic, maintain its complete integrity, and remain completely confidential. This means you must look for an archiving system that allows you to comply with all four pillars.

Because legacy systems need to communicate with newer platforms and services, archived information must also remain available long-term, and the system in place should provide the ability to export documents in the newest technological formats.

The Importance of Change Management

Effective change management is crucial in rapidly adopting new processes and technologies. Clarity in communication, stakeholder involvement, and rigorous testing can ensure that changes are implemented successfully and with minimal disruption to operations.

In the rush to meet technical compliance requirements, it can be easy to overlook the human and process elements of operational resilience. Successful adaptation to DORA will require an understanding that people and their roles within processes are just as critical as the systems they operate.

 

 

Embracing the Opportunities

While the challenges of DORA are significant, so are its opportunities. Financial institutions can gain a competitive edge by investing in operational resilience, building greater trust with customers and stakeholders, and protecting themselves against the ever-evolving landscape of digital risks.

Ultimately, DORA is not just a mandate for change but a call to action for the entire financial sector. Its implementation will be complex and demanding, but it also promises greater digital operational resilience that is both secure and forward-thinking. By preparing now, financial organisations can ensure that they not only survive these changes but also emerge stronger and more resilient than ever.


Docbyte

Kortrijksesteenweg 1144 B

9051 Gent

Belgium

VAT: BE0880119503

Phone: +32 9 242 87 30
