EU DORA & Cybersecurity: A Holistic Approach to Digital Resilience

Date: 2 August 2024


DORA, the EU's Digital Operational Resilience Act, applies from 17 January 2025. Its adoption has already become something of a watershed moment for the digital operational resilience and cybersecurity world, reinvigorating conversations around cyber resilience and business and operational continuity in the EU financial sector and beyond.

It is worth noting that the implications of DORA go beyond financial entities in the member states. DORA requires financial entities to hold the ICT third parties they rely on to exacting risk management and contractual standards, and it places critical ICT third-party service providers under direct EU oversight, so the knock-on effect across the supply chain is expected to be substantial.

Technology and cloud service providers outside the EU will have to take a critical look at their cybersecurity posture and how they process data if they want to continue serving financial clients in the European Union. The Digital Operational Resilience Act is therefore likely to raise the bar for digital resilience and cybersecurity practice well beyond the EU's borders.

In this article, we look at how DORA is likely to achieve this and where the DORA mandates and cybersecurity best practices intersect.

1. DORA's holistic approach to cyber resilience 
2. DORA & Cybersecurity Best Practices

Understanding DORA’s Holistic Approach to Digital Resilience 

DORA is designed to address the growing ICT risks that threaten financial stability in the EU. Its goal is to keep disruption to financial services, and exposure of customer data, to a minimum when a cyber attack or other ICT-related incident occurs.

DORA pursues this through requirements across five main domains, often referred to as its five pillars:

  1. ICT Risk Management 
  2. Incident Reporting
  3. Digital Operational Resilience Testing
  4. Management of Third-Party Risk 
  5. Information Sharing

Read our detailed blog on the 5 Main Pillars of DORA compliance   

Anyone who reads the final DORA text will see that it essentially harmonises existing ICT and cyber resilience rules for the financial sector into one comprehensive regulation. It brings together cybersecurity and digital resilience practices that regulators within the EU and worldwide have long been emphasising.

The EU's own summary of DORA states that financial entities “must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents”. Read closely, that is not very different from the Identify, Protect, Detect, Respond and Recover structure of the NIST Cybersecurity Framework, or from the NCSC's guidance on cyber incident response.

DORA, however, is binding legislation that every organisation within its scope must comply with. In substance it is an enforcement of cybersecurity practices that are already widely recommended, which is why it represents such a clean intersection between digital operational resilience and a strong cybersecurity posture.


DORA Mandates & Cybersecurity Best Practices

1. ICT Risk Management & Third-Party Risk Management: DORA requires financial entities to establish an ICT risk management framework tailored to their own digital operational environment. It places emphasis on the identification and classification of ICT risk and on strategies for mitigating it.

Article 6 which focuses on this subject, says, “Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.”

In practice this means that organisations within DORA's scope must make a concerted effort to reduce ICT risk and must be prepared to keep operating through a cybersecurity incident.

This encompasses basic cybersecurity hygiene as well, including implementing appropriate controls and security protocols. Building an effective and robust set of cybersecurity artefacts, such as a Cyber Incident Response Plan, Cyber Incident Response Playbooks and a Cybersecurity Policy, is an essential practice that DORA reinforces.

DORA also places heavy emphasis on managing ICT risk arising from third parties. It mandates continuous monitoring and evaluation of the cyber risk posture of the supply chain, requires in-scope entities to maintain a register of information on all contractual arrangements with ICT third-party service providers, and requires them to regularly review those contracts, especially with regard to data handling, security requirements and exit strategies.

Given the sharp rise in supply chain attacks, third-party risk management has already been a hot topic in the cybersecurity world. DORA has now formalised that conversation by making it a legal requirement.

2. Incident Reporting: Incident reporting has recently taken centre stage globally. In July 2023 the U.S. Securities and Exchange Commission (SEC) adopted new rules on cybersecurity risk management, governance and incident disclosure. Among other requirements, listed companies must now disclose a cybersecurity incident, once they have determined it to be material, within four business days in a Form 8-K filing (Item 1.05).

The GDPR already requires a personal data breach to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it. Prompt incident reporting and management has therefore long been part of recommended cybersecurity practice. DORA corroborates this view and adds its own structure: under Article 19, major ICT-related incidents must be reported through an initial notification, an intermediate report and a final report.

Our NCSC Assured Training in Cyber Incident Planning and Response covers the subject of incident management and response in great detail. Several of our clients, whether they need to become compliant with GDPR, the SEC guidelines or now DORA, have reported a dramatic change in their organisation’s ability to manage cyber attacks and breach notifications effectively after undergoing this training. 

Article 19 of DORA also states, “Financial entities shall report major ICT-related incidents to the relevant competent authority... Where a financial entity is subject to supervision by more than one national competent authority referred to in Article 46, Member States shall designate a single competent authority as the relevant competent authority responsible for carrying out the functions and duties provided for in this Article.” 

This shows that DORA is also addressing the current challenge of overlapping regulatory requirements and multiple regulatory authorities. The end goal is a quicker, coordinated response that is better at addressing emerging threats and strengthens the overall resilience of the financial sector.


3. Digital Operational Resilience Testing and Auditing: DORA mandates regular testing of ICT systems, tools and applications to ensure their resilience to disruption, with systems supporting critical or important functions tested at least yearly. This includes penetration testing, vulnerability assessments and scenario-based exercises to assess the effectiveness of security measures.

Chapter IV of the Digital Operational Resilience Act (Articles 24 to 27) sets out the requirements for digital operational resilience testing. Article 25 covers the testing of ICT tools and systems, and Article 26 covers advanced testing in the form of threat-led penetration testing (TLPT), which designated entities must carry out at least every three years.

Article 25 lists the kinds of tests a financial entity's testing programme should include, such as vulnerability assessments and scans, gap analyses, source code reviews where feasible, scenario-based tests, end-to-end testing and penetration testing. Scenario-based testing, in the form of cyber crisis tabletop exercises, is one of the most effective ways to reach the levels of business and operational continuity DORA expects.

At Cyber Management Alliance, we have been recommending these tests to organisations in all sectors striving to bolster their resilience against cyber threats. Cyber Attack Tabletop Exercises put your team in a simulated attack environment that mimics an actual attack scenario. This forces your team to act and respond like they would in an actual cybersecurity event. Ultimately, this reinforces their familiarity with the Incident Response plans and processes, brushes up their decision-making skills and makes the overall organisation more resilient to digital disruptions.


4. Continuous Improvement & Knowledge Sharing: DORA encourages a culture of continuous improvement in cybersecurity practices and the sharing of information with peers. Note that this is encouragement rather than compulsion: Article 45 permits financial entities to exchange threat intelligence within trusted communities, subject to conditions on purpose, confidentiality and data protection, and entities need only notify their competent authority when they join or leave such an arrangement. The idea is that by learning from past cyber attacks and pooling knowledge on threats and how to deal with them, the cyber resilience of the financial industry as a whole can be improved.

Article 45 on 'Information-sharing arrangements on cyber threat information and intelligence,' says: "Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools..."

We have been echoing this message in all our educational endeavours for a while now. In fact, our flagship, Wisdom of Crowds cybersecurity events are based on this very spirit - the idea that the knowledge of many far surpasses the skills of an individual. 

We regularly bring together top cybersecurity practitioners and infosec professionals through these events. They brainstorm on challenges, solutions and a better way forward for the cybersecurity community as a whole. 

Knowledge sharing and continuous improvement are cornerstones of progress for the cybersecurity industry, and DORA has done organisations across the globe a major favour by endorsing them as one of its pillars.


Conclusion

The intersection of DORA with effective cybersecurity strategies provides a framework for enhanced operational resilience in the financial sector. The effects, however, will be felt well beyond the EU financial industry, benefiting organisations in other sectors and geographies that serve entities within DORA's scope.

By mandating comprehensive ICT risk management, incident reporting and resilience testing, DORA sets a compliance baseline and, with it, promotes a more resilient digital infrastructure globally. Ultimately, this holistic approach supports the stability and integrity of the financial system in a digital age whose cyber threats only grow more complex with every passing day.