
As the clock ticks down for EU member states to adopt final implementations of the Digital Operational Resilience Act (DORA), financial entities across the European Union have limited time to ensure compliance. With only 113 days remaining until DORA comes into full effect, it’s crucial to understand the core components of the legislation, what has changed in the months leading up to now, and what companies need to focus on during this critical period.
Understanding DORA: The Core Components
DORA was introduced as a comprehensive regulatory framework to enhance the digital operational resilience of financial entities within the EU. Given the increasing reliance on digital technologies, the legislation aims to ensure that financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions, whether from cyberattacks, technical failures, or other operational risks. DORA encompasses five key pillars:
1. ICT Risk Management and Internal Governance Arrangements
Financial entities must establish a robust ICT governance framework. This involves assigning clear responsibilities to senior management and ensuring that ICT risks are effectively managed across the organisation. The finalised Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) for DORA emphasise the need for a dedicated ICT risk management function: specialised teams or roles within the organisation that are responsible for overseeing digital resilience. DORA mandates that ICT risk management be integrated into the overall corporate governance structure, so that it is treated not as a siloed function but as a core aspect of business strategy.
DORA requires entities to establish and enforce comprehensive ICT security policies. These policies should cover everything from data encryption and access controls to incident response procedures. Unlike ISO 27001 and other information security frameworks, DORA imposes more stringent requirements on data protection, particularly for cross-border data flows and third-party service providers.
Entities are required to implement a risk management framework that identifies, assesses, and mitigates ICT risks. This includes recognising critical assets and establishing a clear strategy for protecting them. Additional emphasis is placed on regular risk assessments, so that financial entities continuously monitor their assets and the related risks and can readily adapt to new threats. To do this, the framework must include mechanisms for continuous monitoring of ICT systems, with a focus on detecting vulnerabilities and potential threats in real time.
2. ICT-Related Incident Management, Classification and Reporting
Financial entities are required to establish robust ICT incident management plans. These plans must include procedures for detecting, managing, and recovering from ICT-related incidents. DORA also introduces a standardised approach to classifying ICT-related incidents based on their severity and potential impact. This classification system helps entities prioritise their response efforts and ensures that more critical incidents receive immediate attention.
The legislation also sets strict reporting requirements: entities must notify the relevant authorities within specific timeframes. Recent updates also call for a more streamlined reporting process that reduces the administrative burden on companies while ensuring that critical information is communicated promptly. Specifically, the information to be included in incident reports has now been defined, including the type of incident, the affected entities, and contact details.
- Initial notification reports should at least include the date and time of detection and classification, a description of the incident, and classification criteria.
- Intermediate incident reporting includes additional data points, such as a detailed impact assessment, actions taken, and any updates on the incident’s status.
- The final incident report focuses on root cause analysis, resolution measures, and includes an economic impact assessment.
3. Digital Operational Resilience Testing
DORA mandates that financial entities conduct regular digital operational resilience testing to ensure that their ICT systems are secure and resilient. This includes a variety of tests, such as vulnerability assessments and penetration testing. Recent updates to the RTS and ITS place particular emphasis on Threat-Led Penetration Testing (TLPT), a rigorous testing method that simulates real-world cyberattacks to identify potential vulnerabilities in ICT systems, and which is a mandatory requirement for financial entities identified as critical.
The legislation also requires that these tests be conducted or overseen by independent assessors to ensure objectivity and reliability. The latest updates to the DORA implementation guidelines set stricter requirements on the qualifications and independence of these assessors, so that the testing process is both credible and effective.
4. Managing ICT Third-Party Risk
DORA recognises the significant risks posed by third-party ICT service providers. As such, it requires financial entities to implement comprehensive third-party risk management practices. This includes conducting thorough due diligence on all vendors, assessing their security measures, and ensuring they comply with DORA standards. Continuous monitoring of third-party risks helps ensure that vendors maintain robust security practices throughout the duration of the contract. With regard specifically to contract management and third-party due diligence, companies must also ensure that their contracts with third-party vendors include specific clauses on ICT risk management and digital resilience. New guidelines on these contractual obligations have been published. They call for clearer terms that allow for regular audits and reporting and, where necessary, for termination of the contract if a vendor fails to meet the organisation's security requirements or those of DORA.
5. Information-Sharing Arrangements, Supervision and Enforcement
DORA promotes the establishment of information-sharing arrangements among financial entities. These arrangements facilitate the exchange of threat intelligence, best practices, and lessons learned from ICT-related incidents. The importance of these collaborative efforts stems from the need to encourage financial institutions to participate in industry-wide information-sharing initiatives that enhance collective resilience.
What Should Organisations Focus on with 113 Days to Go?
With the DORA deadline fast approaching, financial entities must prioritise their efforts to ensure full compliance.
Strengthen Third-Party Risk Management
Given the enhanced focus on third-party risk management, companies should immediately begin conducting thorough assessments of their vendors. This includes evaluating their compliance with DORA, reviewing their security practices, and ensuring they meet the latest contractual obligations. If existing contracts with third-party vendors do not meet the new DORA requirements, companies should renegotiate these agreements. This may involve adding new clauses related to ICT risk management, resilience, and reporting obligations.
Enhance Incident Management and Response
Companies should review and update their incident response plans to align with the latest DORA requirements. This includes ensuring that reporting processes are streamlined and that the organisation is prepared to meet the real-time reporting requirements. To meet the enhanced focus on continuous monitoring and real-time threat detection, companies should invest in advanced monitoring tools. This may involve upgrading existing systems or implementing new technologies such as AI-driven threat detection platforms.
Participate in Cyber Resilience Exercises
With the new guidelines making cyber resilience exercises mandatory, companies should actively participate in these simulations. This will not only help them meet regulatory requirements but also improve their ability to respond to real-world threats. During these exercises, companies should take advantage of the opportunity to collaborate with regulators, sharing insights and learning from their experiences. This will help build stronger relationships with supervisory authorities and enhance the overall resilience of the financial sector.
Prepare for Increased Supervision and Enforcement
With increased supervision and enforcement mechanisms in place, companies should review their existing compliance frameworks to ensure they are aligned with the latest DORA requirements. This includes conducting internal audits and assessments to identify any gaps or areas of non-compliance. Financial entities should proactively engage with their supervisory authorities, seeking guidance and clarification on any areas of uncertainty. This will help ensure that they are fully prepared for the increased scrutiny that will come with the full implementation of DORA.
Checklist for DORA Readiness
1. ICT Risk Management and Internal Governance Arrangements
- Review ICT Risk Management Framework:
  - Ensure the framework is comprehensive and includes risk identification, assessment, and mitigation strategies.
  - Update the framework to reflect the latest threat landscape and regulatory requirements.
- Strengthen Internal Governance:
  - Integrate ICT risk management into the overall corporate governance structure.
  - Assign dedicated ICT risk management roles at the senior management level.
- Establish Clear Reporting Lines:
  - Ensure that there are clear reporting lines for ICT risks and incidents to senior management and the board.
2. ICT-Related Incident Management, Classification, and Reporting
- Update Incident Management Plans:
  - Review and update incident management procedures to align with DORA requirements.
  - Ensure plans include procedures for incident detection, management, recovery, and reporting.
- Implement Incident Classification System:
  - Adopt a standardised approach to classifying ICT incidents based on severity and impact.
  - Train staff on how to classify incidents effectively.
- Streamline Reporting Processes:
  - Implement standardised reporting templates and automated tools to meet real-time reporting requirements.
  - Ensure staff are trained on the new reporting procedures and timelines.
3. Digital Operational Resilience Testing
- Conduct Regular Resilience Testing:
  - Schedule and perform regular digital operational resilience tests, including vulnerability assessments and penetration testing.
  - Ensure all tests are conducted or overseen by independent assessors.
- Implement Threat-Led Penetration Testing (TLPT):
  - If TLPT applies to your organisation, include it in your testing schedule to simulate real-world cyberattacks and identify vulnerabilities.
  - These tests take considerable time to carry out properly and in accordance with the published RTS/ITS, so plan them thoroughly, involve senior management, and, where the test covers a critical function, involve any third party that supports that function.
- Review Testing Results and Remediate:
  - Analyse the results of all resilience tests and address any identified vulnerabilities promptly.
4. Managing ICT Third-Party Risk
- Conduct Vendor Due Diligence:
  - Perform thorough assessments of all third-party ICT service providers.
  - Evaluate vendors’ security practices, resilience measures, and compliance with DORA standards.
- Review and Renegotiate Contracts:
  - Ensure that all contracts with third-party vendors include clauses related to ICT risk management, resilience, and reporting obligations.
  - Renegotiate contracts where necessary to align with DORA requirements.
- Establish Continuous Monitoring of Third-Party Risks:
  - Implement processes for ongoing monitoring of third-party risks throughout the duration of the contract.
5. Information-Sharing Arrangements, Supervision, and Enforcement
- Join Information-Sharing Initiatives:
  - Participate in industry-wide information-sharing initiatives to exchange threat intelligence and best practices.
- Prepare for Increased Supervision:
  - Review and update your compliance frameworks to ensure alignment with DORA requirements.
  - Conduct internal audits to identify and address any areas of non-compliance.
- Engage with Supervisory Authorities:
  - Establish regular communication with your supervisory authorities to stay informed about enforcement expectations.
  - Seek clarification on any areas of uncertainty regarding DORA compliance.
6. Final 113-Day Focus Areas
- Vendor Assessments and Contract Updates:
  - Prioritise the assessment of third-party vendors and update contracts as necessary.
- Real-Time Monitoring Tools:
  - Invest in and deploy advanced monitoring tools for real-time threat detection.
- Cyber Resilience Exercises:
  - Participate in mandatory cyber resilience exercises and collaborate with regulators during these simulations.
- Compliance Reviews and Engagement:
  - Conduct final reviews of your ICT risk management frameworks, incident response plans, and third-party risk management practices.
  - Engage with regulators to ensure you are fully prepared for DORA’s implementation and enforcement.
Additional Tips:
- Testing & Simulation: Conduct regular tabletop exercises to simulate incident response scenarios and test the effectiveness of your ICT risk management and reporting processes.
- Documentation: Ensure all processes, frameworks, and incident management procedures are well-documented and easily accessible for review by regulators.
- Training: Provide ongoing training to all relevant staff to ensure they are familiar with the latest DORA requirements and how to implement them.
To find out how Sapphire can help your organisation prepare for DORA, please contact Sapphire on 0845 58 27001.