
DORA – What Does it Mean for Business?

The Digital Operational Resilience Act (DORA) is a European legislative act that applies from 17 January 2025 to all financial entities (except microenterprises).

It is designed to strengthen European financial entities against cyber-attacks and ICT (Information and Communication Technology) disruptions. The full original text (in English) can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=FR

A second batch of policy documents updating those articles was published here:

https://www.eiopa.europa.eu/publications/second-batch-policy-products-under-dora_en

Whilst DORA was written to focus on financial entities, it also applies to some entities typically excluded from financial regulations. For example, third-party service providers that supply financial firms with ICT systems and services, such as cloud service providers and datacentres, must comply with DORA requirements because they service the financial industry and therefore cannot be excluded. DORA also covers firms that provide critical third-party information services, such as credit rating services and data analytics providers.

DORA Requirements

DORA is composed of five pillars. Each pillar lays out requirements and expectations for different aspects of resilience.

Additionally, DORA explicitly defines the organisational and governance responsibilities for DORA compliance within an organisation.

  1. Risk Management – Chapter 2, Articles 5 to 16
  2. Incident Reporting – Chapter 3, Articles 17 to 23
  3. Digital Operational Resiliency Testing – Chapter 4, Articles 24 to 27
  4. ICT Third Party Risk – Chapter 5, Articles 28 to 44
  5. Information & Intelligence Sharing – Chapter 6, Article 45

Governance

The financial entity’s management body is responsible for establishing the organisation and governance structure to effectively manage ICT risk. DORA outlines a set of responsibilities and requirements that the management body must fulfil, one of which is for them to enhance and sustain their understanding of ICT risk.

Risk Management

This pillar underlines the need for financial entities to adopt a proactive approach to risk management.

It requires financial entities to precisely identify, assess and mitigate ICT-related risks with robust frameworks in place to continuously monitor key digital systems, data, and connections.

Incident Reporting

This pillar places a strong emphasis on standardising the process of Incident Reporting within the European Union’s financial sector. Under DORA, financial entities are required to implement management systems that enable them to monitor, describe, and report any significant ICT-based incidents to relevant authorities.

It is important to note that the reporting framework must include both internal and external reporting mechanisms:

Internal reporting refers to quickly identifying incidents and communicating them to all important internal stakeholders. Their impact must then be evaluated, and steps put into action for mitigating damage.

External incident reporting refers to alerting regulatory authorities in case of a disruptive incident. For cases such as a data breach, this may also include the affected customers who must be notified if their sensitive financial information has been compromised.

Digital Operational Resiliency Testing

DORA insists that financial institutions periodically assess their ICT risk management frameworks through digital operational resilience testing. Testing must be conducted by independent parties, either external or internal; where internal testers are used, sufficient resources must be allocated and conflicts of interest must be avoided in the design and execution of the tests.

These tests can include:

  • vulnerability assessments and scans,
  • open-source analyses,
  • network security assessments,
  • gap analyses,
  • physical security reviews,
  • questionnaires and scanning software solutions,
  • source code reviews where feasible,
  • scenario-based tests,
  • compatibility testing,
  • performance testing,
  • end-to-end testing,
  • penetration testing.

Basic tests like vulnerability assessments and scenario-based tests must be run once a year.

Financial entities, however, must also undergo threat-led penetration testing (TLPT) at least every three years, and it was confirmed (July 2024) that TIBER-EU framework tests will satisfy this requirement provided they incorporate any additional DORA TLPT requirements. The three-year interval may be relaxed or shortened at the discretion of the designated competent authority.

Each threat-led penetration test shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions. Critical third-party service providers are included in the scope of this and are expected to participate; however, where participation is reasonably expected to have an adverse impact on the quality of service delivery for customers outside of the financial entity, they can be excluded, but only if they enter into a contractual agreement permitting an external tester to conduct a pooled assessment under the direction of a designated financial entity.

TLPT also permits the use of internal testers (if the financial entity is not a significant credit institution) or external testers; however, it is a requirement that an external provider is used at least every third test. Furthermore, if internal testers are used, then the threat intelligence provider must be external to the financial entity.

Beyond that, testers must:

  • have high suitability and reputation;
  • possess technical and organisational capabilities and specific expertise in threat intelligence, penetration testing and red team testing;
  • be certified by an accreditation body in a Member State or adhere to formal codes of conduct and ethical frameworks;
  • provide independent assurance or an audit report in relation to TLPT risk management;
  • be insured, including against risks of misconduct and negligence.

ICT Third Party Risk

This pillar requires financial organisations to thoroughly conduct due diligence on ICT third parties.

It mandates that financial entities maintain strong contracts with their third-party service providers. They must ensure that their partners adopt high standards of digital security and operational resilience. Furthermore, certain ICT service providers can be designated as “critical” for financial entities. These will have even more obligations (further info below).

Article 30 of DORA contains an embedded list of contract requirements that financial entities will want to implement with ICT service providers, but the bare minimum is this:

  • A clear and complete description of all functions and ICT services to be provided by ICT third parties.
  • The locations (regions or countries) where the contracted or subcontracted functions are to be provided, processed and stored, and a requirement to notify in advance if that changes.
  • Provisions for protecting the availability, authenticity, integrity and confidentiality of data.
  • Provisions ensuring access, recovery and return, in an easily accessible format, of data processed by the financial entity in the event of the third party's insolvency.
  • An obligation on the third-party provider to support the financial entity in an ICT incident related to the service provided, at no additional cost or at a cost determined ex-ante.
  • An obligation on the third-party provider to fully cooperate with competent authorities and representatives of the financial entity.
  • Termination rights and minimum notice periods for contractual arrangements.
  • Conditions for the participation of third-party providers in the financial entity's ICT security awareness programmes.

Financial entities are also expected to document any risks observed with their third-party ICT providers. Importantly, DORA highlights the need for financial organisations to implement a multi-vendor ICT third-party risk strategy.

Critical ICT third-party service providers will be subject to direct oversight from the relevant ESAs (European Supervisory Authorities). The European Commission is still developing the criteria for determining which providers are critical. However, at the time of this article, under existing law a critical function is defined as: “a function whose disruption would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation”. Providers that meet the criteria will have one of the ESAs assigned as a lead overseer. In addition to enforcing DORA requirements on critical providers, lead overseers will be empowered to forbid providers from entering into contracts with financial firms or other ICT providers that do not comply with DORA.

Information & Intelligence Sharing

This pillar promotes a collaborative approach to managing cyber threats, ensuring that financial entities can collectively enhance their defences and respond more effectively to incidents.

Supporting Business

Whilst DORA is written with European financial entities in mind, compliance is also required of organisations outside the EU that provide services to EU financial services firms. The designated European authorities and regulators will ultimately oversee the testing and will guide the entities being tested.

Prism Infosec is a CREST-accredited company, which means we can deliver Threat-Led and Scenario-Based Penetration Testing services at the levels expected for DORA compliance. Furthermore, we offer GRC, Incident Response, Vulnerability Scanning and Penetration Testing services which align with many of the requirements in DORA’s five pillars.

If you want to know more about how we can help with compliance, then please reach out and contact us.
