Date: 15 March 2024
The Digital Operational Resilience Act (DORA) is a European Union regulation focussed on improving digital operational resilience of financial entities in the EU. In this blog, we discuss the 5 pillars of DORA, what they mean and what they intend to achieve.
5 pillars of the EU DORA Regulation:
1. ICT Risk Management
2. Incident Reporting
3. Digital Operational Resilience Testing
4. Management of Third-Party Risk
5. Information Sharing
DORA takes cognizance of the fact that Information and Communication Technology (ICT) is central to the smooth functioning of Union financial institutions. However, it seeks to address the existing gaps in the digital resilience of ICT infrastructure and integrate this into the broader operational framework.
The regulation’s preamble recognises that post the 2008 financial crisis, much-needed reforms in the financial sector strengthened the overall resilience of the industry. However, certain aspects of ICT security such as digital resilience, ICT-related incident reporting and viewing ICT as a part of operational risk, haven’t been fully addressed.
It is these gaps and overlaps in existing rules that DORA seeks to address and streamline. DORA has established an exhaustive but comprehensive framework which will ensure that financial entities withstand, respond to, and recover from ICT-related disruptions.
With only 10 months to go before DORA becomes fully applicable, several financial businesses have prioritised compliance. But before jumping in, it’s important to understand two things:
- Easy Compliance? Compliance can’t simply be achieved without having a solid understanding of your existing risks and a robust plan for responding to threats. An effective Cybersecurity Incident Response Plan is vital to this step. Prepare for threats that are specific to your organisation. Identify and assess what your most valuable assets for operational continuity are and ensure that your Incident Response Plans and Playbooks are tailored to protect them.
You must test the efficacy of your cybersecurity documents with regular Cyber Crisis Tabletop Exercises. DORA also mandates regular digital operational resilience testing. Without testing your plans, their viability and effectiveness in ensuring operational resilience, you can never be certain about your business’s ability to bounce back after a disruptive incident. - DORA Philosophy: You need to first fully comprehend DORA, its philosophy and its main ambitions before you can achieve compliance. Garnering a complete understanding of the 5 pillars of DORA is critical to this task.
The 5 pillars encapsulate what DORA envisions to achieve and the kind of business vitality it seeks to create. In this blog, we aim to delve into these core principles of DORA. Not only will this allow for a better understanding of their significance, it will also eventually catalyse practical implementation.
The 5 DORA Pillars of Compliance
1. ICT Risk Management
Risk Management is the cornerstone of DORA’s mandate. Chapter II of the Digital Operational Resilience Act, along with its 12 chapters focus entirely on ICT Risk Management. This pillar emphasises the need for financial entities to precisely identify, assess and mitigate ICT-related risks. Businesses under the purview of DORA must have robust frameworks in place to continuously monitor key digital systems, data, and connections.
This pillar underlines the need for financial entities to adopt a proactive approach to risk management. Vulnerabilities should be addressed before they become major issues. Regular risk assessments, continuous evaluation and adaption of Incident Response plans and constant monitoring of the ICT environment are some crucial steps. In the larger scheme of things, ICT Risk Management also creates better risk awareness in an organisation, which ultimately leads to enhanced resilience against cyber and digital threats.
2. ICT-Related Incident Reporting
Incident Reporting and proper Cyber Incident Response are the crux of DORA compliance. This pillar places a strong emphasis on standardising the process of Incident Reporting within the European Union's financial sector. Chapter III titled 'ICT-related incident management, classification and reporting' focusses on this pillar in detail.
Under DORA, financial entities are required to implement management systems that enable them to monitor, describe, and report any significant ICT-based incidents to relevant authorities.
By doing so, DORA seeks to enhance the financial sector's ability to respond to and recover from cyber threats and operational disruptions. This is ultimately meant to reinforce the overall resilience of the financial system.
It’s important to note that the reporting framework must include both internal and external reporting mechanisms. Internal reporting refers to quickly identifying incidents and communicating them to all important internal stakeholders. Their impact must then be evaluated and steps put into action for mitigating damage. Our Cyber Incident Response Playbook Guide covers these triggers and how they must be handled in useful detail. Don’t forget to download it and customise it to your organisational context to get your Incident Reporting mechanisms on track.
External incident reporting refers to alerting regulatory authorities in case of a disruptive incident. For cases such as a data breach, this may also include the affected customers who must be notified if their sensitive financial information has been compromised.
Incident Reporting is vital to create a culture of transparency and prompt response to ICT threats. This, in turn, supports the prevention of systemic risks and enhances the operational stability of the financial system.
3. Digital Operational Resilience Testing
At Cyber Management Alliance, we’ve been highlighting the importance of digital operational resilience testing for years now. All our clients understand that without sufficiently testing your cyber resilience capabilities, it is impossible to know where you stand in the face of a digital crisis. Our scenario-based Cyber Crisis Tabletop Exercises have helped over 300 businesses globally to find assurance in their capability to effectively respond to a cyber incident.
DORA corroborates this view by insisting that financial institutions periodically test their ICT risk management frameworks through digital operational resilience testing. These tests include scenario-based tabletop testing, vulnerability assessments, open source analyses, performance testing and threat-led penetration testing, amongst others.
This pillar also emphasises the need to close the gaps that emerge out of the results of testing. The implementation of recommendations and remediations must also be validated and their effectiveness demonstrated. Chapter IV of the DORA final text is devoted to the subject of Digital Operational Resilience Testing.
4. Management of ICT Third-Party Risk
Chapter V of DORA and its two sections cover the pillar of 'Managing of ICT Third-Party Risk'. This pillar requires financial organisations to thoroughly conduct due diligence on ICT third-parties. Chapter V of the final DORA text is specifically focused on managing ICT third-party risk. The aim is to guarantee that these third parties comply with the same standards of security and resilience as the financial entities themselves.
It essentially mandates that financial entities maintain strong contracts with their third party service providers. They must ensure that their partners adopt high standards of digital security and operational resilience.
DORA requires that contracts with ICT third-party providers include certain obligatory provisions to ensure these providers adhere to EU standards for risk management and operational resilience. The contracts must be reviewed periodically to ensure the highest standards of monitoring. Financial entities are also expected to document any risks observed with their third-party ICT providers. Importantly, DORA highlights the need for financial organisations to implement a multi-vendor ICT third-party risk strategy.
This pillar is tremendously significant given the increasing reliance of the financial sector on external ICT services, especially cloud computing.
5. Information and Intelligence Sharing
In our opinion, this one is a laudable pillar and completely in line with our philosophy at Cyber Management Alliance. This pillar, covered under Chapter VI, promotes sharing of information and threat intelligence amongst the EU financial community. But we strongly believe that the benefits of this pillar will go beyond just the financial sector in the Union.
We are deeply committed to building cybersecurity awareness and collective resilience through knowledge sharing in the community. Our Wisdom of Crowds events embody this spirit and it is heartening to see DORA endorse it.
A collaborative environment benefits the entire industry. It’s the easiest way to join forces against the advanced cyber criminal and stay a step ahead. As organisations in the same industry build a collective pool of knowledge, there is a greater probability of anticipating cyber risks and being prepared to fight against them.
Information sharing can also lead to improved digital operational resilience practices and implementation of proactive measures to fight disruptive events. Ultimately, this leads to a more stable, reliable and secure financial infrastructure in the EU and beyond.
Conclusion
These pillars collectively aim to ensure that the EU financial sector remains resilient in the face of ICT disruptions, thereby safeguarding financial stability. The 5 pillars encompass the complete vision of DORA - from risk management, incident response processes and incident reporting to resilience testing, third-party risk management, and information sharing.
By adhering to these pillars, financial entities can enhance their preparedness for and response to ICT risks better. This will ultimately contribute to the long term robustness of the Union’s financial sector as a whole but will also dramatically improve the global levels of cybersecurity maturity.
