Navigating the Digital Operational Resilience Act (DORA)
The European Union is on the verge of a regulation that will dramatically alter the digital operational framework for financial institutions. The Digital Operational Resilience Act (DORA) is a comprehensive package of rules designed to increase the resilience of financial systems against cyber threats and other risks posed by digital transformation. The implications of DORA are far-reaching, touching on everything from IT security procedures to incident response plans and customer communication protocols. As we explore the complexities of DORA, it becomes clear that to prepare, financial organisations must focus on the four pillars of data: availability, authenticity, integrity, and confidentiality.

Understanding Cyber Resilience

Cyber resilience refers to an entity's ability to deliver the intended outcome despite continuous adverse cyber events. Effective cyber resilience encompasses the ability to withstand, quickly adapt to, and recover from cyber incidents that could compromise the confidentiality, integrity, or availability of digital resources.

A Framework for Cyber Resilience – DORA

DORA is an ambitious legislative proposal that seeks to establish a harmonised framework for overseeing outsourcing arrangements, IT operations, and IT risk management in the financial sector. It applies to a wide range of financial institutions, from banks and payment service providers to stock exchanges and clearing houses. With DORA, the EU is sending a clear message that digital operations cannot be siloed; they must be integrated into the broader context of operational resilience.

The directive demands a holistic approach to digital risk management, beginning with mapping an organisation's complex digital dependencies. This means understanding not only your primary systems but also the many services and platforms on which they rely. The goal is to identify and assess the potential vulnerabilities in every link of the chain and to develop robust strategies for preventing, detecting, and resolving incidents. Legacy applications are particularly susceptible to vulnerabilities and may pose heightened risks to operational resilience. When conducting an internal study and analysing all systems, you must cover the following areas.

ICT Risk Management

A robust ICT risk management process ensures that all potential vulnerabilities and threats are identified, assessed, and mitigated in a structured manner. Within this area, companies must define critical responsibilities for the control function, ensuring accountability in implementing and overseeing ICT security measures.

ICT Third-Party Risk Management

With many financial institutions relying on third-party services, rigorous management of these relationships is crucial to maintaining resilience and preventing breaches that could originate with external partners. This part of the framework builds on the previous one: the company must define responsibilities for controlling both internal and external risk management.

Oversight of Critical Third-Party Providers

Critical third-party service providers must be subject to thorough oversight to minimise the risk they might pose to the financial sector's operational resilience. This includes establishing policies, procedures, protocols, and tools for network security management and for securing information in transit, contributing to overall digital and operational resilience.

Digital Operational Resilience Testing

Regular testing of digital operations helps identify weaknesses and enables proactive measures against cyber threats. This emphasises the importance of maintaining the integrity, confidentiality, and availability of data and systems. Each company will need to implement policies and procedures for assessing the criticality of ICT assets.

ICT-Related Incidents

Proper incident response plans and reporting mechanisms allow any ICT-related security incident to be managed effectively. These plans cover operating procedures, capacity and performance management, vulnerability and patch management, data and system security, and logging.

Information Sharing

Financial entities can benefit from collective intelligence and improve their defence mechanisms by sharing information on risks and breaches. The act also underlines the critical role of encryption in safeguarding sensitive data and calls for a comprehensive policy for cryptographic controls. This goes beyond what you share with your providers, clients, or employees: it also involves continuously improving your cyber resilience and facilitating communication with competent authorities.

A crucial element underpinning all of the above is ensuring your company promotes cyber awareness. Incorporating cyber resilience into your company, as DORA requires, calls for ICT security awareness programmes and digital operational resilience training to enhance the organisation's cyber awareness and preparedness.

Preparing for DORA

The European Supervisory Authorities (the EBA, EIOPA, and ESMA) have been tasked with developing a suite of policy products to facilitate the application of DORA. Engaging with the European Union Agency for Cybersecurity (ENISA), they aim to standardise elements such as ICT security policies, access management, anomaly detection, business continuity, and response and recovery plans. The implementation of DORA is foreseen for the beginning of 2025, so the detailed rules are still under construction. Below, we discuss the four crucial pillars of the act so you can prepare your business to adapt to future policies.

Availability

In the context of DORA, availability refers to the accessibility of data and IT services. Financial institutions must ensure their systems can be accessed and operated as agreed, regardless of scheduled maintenance or unexpected incidents. High availability is not just about meeting standards; it is about delivering on the fundamental promise of service that underpins trust in the sector.

Ensuring that your data is accessible requires a meticulous audit of your IT systems and services. Identify single points of failure and address them with redundancies and contingency plans. Use advanced monitoring tools to track system health and performance continuously.

Collaboration is critical to maintaining availability. This means working closely with third-party providers to ensure their services uphold your availability targets. It also means coordinating with other financial institutions to establish industry-wide protocols for maintaining service during crises.

Authenticity

Authenticity is another critical element of DORA. Financial institutions must be able to verify the origin of data and the integrity of IT processes. This is foundational to preventing fraud and maintaining the accuracy of financial information.

Implementing Digital Signatures

Digital signatures play a significant role in ensuring the authenticity of data in a digital environment. By employing solid cryptographic techniques, financial institutions can create a digital 'fingerprint' of their documents that is virtually impossible to forge.

Strengthening Identity Verification

In addition to data, the authenticity of transaction participants is also
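To make the digital 'fingerprint' idea from the Implementing Digital Signatures section concrete, here is an added Go example (written for this page, not taken from the original article or from any DORA deliverable): it hashes a document with SHA-256, signs the digest with an Ed25519 key, and shows that verification succeeds only for the unmodified document under the correct public key. The payment-order text and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// GenerateKeys creates a fresh Ed25519 key pair; in practice the private key
// would live in an HSM or key vault, never alongside the documents it signs.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Fingerprint returns the SHA-256 digest of a document: the "digital
// fingerprint" that changes completely if even one byte of the document does.
func Fingerprint(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// SignDocument signs the document's fingerprint with the institution's private
// key. Only the holder of that key can produce a signature that verifies.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, Fingerprint(doc))
}

// VerifyDocument recomputes the fingerprint and checks the signature against
// the public key. It returns false for a forged signature or an altered document.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, Fingerprint(doc), sig)
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample document for this example.
	order := []byte("PAYMENT ORDER 0001: EUR 1,000.00 to IBAN XX00 EXAMPLE")
	sig := SignDocument(priv, order)
	fmt.Println("fingerprint:", hex.EncodeToString(Fingerprint(order)))
	fmt.Println("original verifies:", VerifyDocument(pub, order, sig))
	// Changing a single character of the amount invalidates the signature.
	tampered := []byte("PAYMENT ORDER 0001: EUR 9,000.00 to IBAN XX00 EXAMPLE")
	fmt.Println("tampered verifies:", VerifyDocument(pub, tampered, sig))
}
```

The public key is what a counterparty or auditor needs to check a document; the private key is the asset whose access control DORA's ICT risk management and cryptographic-controls policies are meant to govern.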