The Digital Operational Resilience Act (DORA) is an EU Regulation that enforces better digital resilience and business continuity requirements for EU financial institutions. These requirements also apply to third parties that provide important ICT (Information & Communication Technology) services to financial institutions.
Enhanced ICT Incident Response and Management is one of the core pillars of DORA. This requires incumbent businesses to ensure that they have necessary effective incident response processes and infrastructure in place to handle digital disruptions.
The goal behind ICT Risk Management is quite straightforward. When an EU financial entity, inevitably, encounters an ICT related incident, it should be able to bounce back from it as quickly as possible. This means that the disruption of service delivery to EU citizens should be minimal. And most importantly, their sensitive financial information must stay secure iif a cyber incident occurs.
If you want to become DORA compliant by January, 2025, you’re definitely focussed on your ICT Risk Management Framework. Along with this, you’re probably also working on your Information Security Incident Response plan and processes.
In this blog, we give you a high-level summary of DORA’s ICT Incident Response Requirements. You’ll then find quick tips from our cybersecurity experts on how to achieve compliance and prepare for future incidents.
Topics covered in this article:
1. Top 20 DORA Incident Response Requirements
2. How to achieve DORA compliance with Cyber Management Alliance?
Top 20 DORA ICT Incident Response & Management Requirements
Chapters II and III are specifically focussed on ICT Risk Management, Response and Reporting. In this blog, we focus on the Risk Management and Incident Response requirements.
Next, in our DORA educational series, we’ll delve into Chapter III that dives deeper into Reporting, Harmonisation of Reporting, Templates etc.
Here’s a look at the top 20 takeaways from Chapter II and what it says about managing risk effectively:
- The organisation must have a robust Risk Management framework in place. The framework should have policies, protocols, and procedures in place to protect all information and ICT assets.
- The management must implement policies that ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality of data.
- Roles and responsibilities of all team members related to ICT-related functions must be clear.
- Implementation and regular review of Business Continuity and Incident Response and Recovery plans is essential.
- Management needs to keep up with ICT risks and dedicate time and resources to training on managing these risks.
- ICT Risk Management Framework must be reviewed once every year. The framework should be improved upon regularly and based on lessons learned post incident.
- Financial entities need to continuously identify all ICT related risks, vulnerabilities and assess cyber threats. Regular Risk assessments are critical as is continuous monitoring and control of ICT systems.
- Financial entities must have robust mechanisms for detection of anomalies and monitoring user activity.
- A comprehensive ICT Business Continuity Policy must be part of the overall business continuity policy of the financial entity. The ICT business continuity policy has to be implemented through well-documented plans, procedures and mechanisms.
- The ICT Incident Response Plan and Business Continuity Policy must ensure
- Quick resumption of critical business activities post incident
- Response to all ICT related incidents is quick and effective
- Plans for containment are activated quickly to limit damage
- There are clear crisis communications and management actions to ensure information is transmitted to all stakeholders, including competent authorities smoothly.
- The financial entities must test the viability and effectiveness of their Business Continuity and Incident Response plans regularly. Read our blog on DORA’s Digital Operational Resilience Testing Requirements for a full understanding of this subject.
- It’s important to keep a record of all activities before and after the disruption which triggered the activation of ICT business continuity plans and IR plans.
- To ensure minimum downtime, DORA requires financial institutions to have clear backup policies. These backup policies have to specify:
- Data that is subject to backup
- Frequency of the backup
- Recovery and Restoration Methods
- The backup policy should ensure that backups don’t jeopardise security, availability and authenticity of the network. It’s also essential to regularly test the backup and recovery procedures.
- Financial organisations should use separate and secure ICT systems for restoring backup data. They must have additional ICT capacities with adequate resources to meet business demands.
- Central securities depositories should have at least one secondary processing site. This site should be far enough from the primary site to avoid shared risks. But it should also be close enough to be quickly accessible by staff if the primary site is unavailable.
- Learning and Evolving is a key component of Cyber Risk Management. DORA expects the entities under its ambit to have adequate resources to gather information on vulnerabilities, risks, and recent cyber attacks. It should also have the ability to analyse their potential impact.
- Comprehensive reviews after every ICT-related incident are a must. These reviews should assess the effectiveness of the Incident Response plans and processes. The takeaways from these reviews, coupled with the results of the Digital Operational Resilience tests, must be incorporated into the ICT Risk Management framework on a regular basis. The goal is continuously improving digital operational resilience capabilities.
- Cyber Security Awareness Training and Digital Operational Resilience testing must mandatorily be a part of staff training schemes. The security training for business executives and senior management must be customised towards the complexity of their roles in ICT Incident Response.
- After recovering from an ICT-related incident, a financial institution must conduct thorough checks to verify data integrity. This is also applicable when rebuilding data received from external partners to ensure consistency.
Back To Top
How to Comply with DORA’s ICT Incident Response Mandate?
DORA’s ICT Incident Response requirements canbe overwhelming at first. But it doesn’t have to be so. In fact, we assist our clients across all these requirements on a regular basis - whether they’re looking to become DORA compliant or not.
This is simply because many of the Incident Handling mandates DORA has laid out, should be a part of your cyber resilience strategy in any case. Following this guidance, can unlock superior levels of cybersecurity maturity and digital operational resilience for any business.
But if you’re looking for specific DORA compliance, our Virtual Cybersecurity Consultancy services are just right for you. In a very cost-effective, flexible and completely remote way, our Virtual Cyber Assistants and Virtual Cyber Consultants can help you tick off pretty much everything on your DORA Incident Management checklist. Let’s take a quick look at how we help you do this:
- Risk Management Framework: Our deeply experienced cybersecurity experts will help you implement a robust risk management framework. They will work with you to identify your critical assets, vulnerabilities in your system and prioritise the biggest risks.
- Cyber Incident Response Planning: We are the creators of the NCSC Assured Cyber Incident Planning and Response training. That means we’re best equipped to assist any organisation to elevate their ICT Incident Response management standards. Our cybersecurity experts work with you to create your essential Incident Response documents - plans, policies and procedures. They also help you review and refresh your existing artefacts to align them better with your evolving threat landscape.
- Cybersecurity Training: Regular staff and executive training is one of the mandates of DORA. And again, we have you covered here. Not only is our NCSC Assured course in Incident Response Planning highly sought-after, it’s also the ideal way to start working towards DORA compliance. We run specialised Cybersecurity Training for Executives with the goal of enhancing cybersecurity leadership. In line with DORA specifications, these trainings are curated specifically for senior management and are aimed at better cybersecurity decision-making in case of a disruption.
- Digital Operational Resilience Testing: From Penetration Testing to Scenario-based Tabletop Testing, Cyber Management Alliance is amongst the world leaders in conducting exercises that truly test operational resilience in a digital world. Our expertise in cybersecurity enables us to guide you in conducting thorough resilience tests as required by DORA, ensuring that your systems remain resilient and operational despite digital disruptions.
Back To Top