One cyber security milestone on the horizon is the Defence Against Online Risks Act (DORA), which officially came into law on January 16, 2023. The clock is now ticking, and as of January 17, 2025, DORA will be in full effect for financial institutions. With a one year left to prepare, the time to fortify your cyber security measures is now. In this blog post, we'll delve into the key aspects of DORA and equip you with insights to ensure your organisation understands the key aspects of DORA.
What is DORA?
DORA stands as an EU regulation designed to enforce stringent guidelines, compelling financial institutions to adhere to strict protocols in safeguarding their operational resilience, with a particular emphasis on mitigating ICT risks.
The five pillars of DORA
DORA separates digital operational resilience into five distinct domains: risk management, incident reporting, digital operational resilience testing, third-party risk management for ICT, and the exchange of information and intelligence.
Risk Management: DORA may require modifications to a financial institution's overarching risk management framework. An assessment of governance structures, policies, controls, and risk evaluation and mapping activities may be essential to align existing practices with the specific requirements outlined in DORA.
Incident Reporting: DORA introduces prerequisites for preparing for, responding to, and reporting significant ICT incidents, extending beyond the scope of GDPR by encompassing ICT incidents beyond (personal) data breaches. Consideration must also be given to voluntary arrangements for reporting cyber threats, not just incidents.
Resilience Testing: DORA adopts a comprehensive approach to detecting and mitigating vulnerabilities, adverse events, and cyber-attacks, incorporating threat-led penetration testing on live production systems. As part of a broader digital operational resilience testing program, all ICT systems and applications supporting critical or important functions will undergo testing, with effective follow-up remedial activities.
ICT Third-Party Risk Management: Existing contracts with third-party technology providers may require adjustments to comply with DORA. Unlike other regulatory frameworks, attention must be given to both arrangements typically categorised as outsourcing and those that are not. While some technology providers are familiar with outsourcing regulatory requirements, DORA may be uncharted territory for data and other ICT providers usually considered purchasers. A thorough understanding of DORA's requirements is crucial to address the concerns of these suppliers.
Information and Intelligence Sharing: Financial institutions also can explore increased engagement in threat intelligence sharing with other entities. DORA envisions creating a "trusted community of financial entities" through membership arrangements that facilitate information sharing, potentially involving technology providers and regulatory authorities.
Who does DORA apply to?
The DORA Regulation is applicable to the financial sector within the EU and to providers of ICT services catering to this sector, regardless of the location of these service providers.
Entities within the financial sector subject to the Regulation encompass:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
The DORA Regulation casts a wide net of compliance obligations over the EU's financial sector and the providers of ICT services to that sector, regardless of their geographical location.
As organisations within the outlined categories prepare for the imminent implementation of DORA, it is important to engage in a proactive reassessment of risk management frameworks, incident response protocols, resilience testing measures, and third-party contracts.
By embracing these changes and fostering information sharing within the envisioned "trusted community of financial entities," businesses can not only meet regulatory requirements but also strengthen their overall cyber defence posture in the face of evolving digital threats.
At Cybaverse, our comprehensive suite of cyber security and information security services is poised to equip your organisation with the necessary tools and resources. Contact us today to discuss DORA or any of the requirements needed.