This is how to comply with the new EU regulation.
Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.
Who Does DORA Apply To?
DORA applies to Europe’s 22,000 financial entities and the ICT infrastructure providers that enable them to function. Companies that will need to improve their risk management and enterprise cybersecurity based on DORA include:
Banks, credit institutions, credit agencies, account information service providers, pension funds, crypto firms, investment firms, and insurance providers.
Why is DORA needed?
The financial sector increasingly depends on technology and tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.
When not appropriately managed, Information and communication technology (ICT) risks can lead to disruptions of financial services across borders. This, in turn, can impact other companies, sectors, and even the rest of the economy, underlining the importance of the financial sector’s digital operational resilience.
This is where the Digital Operational Resilience Act, or DORA, comes into play.
As the Act’s name implies, its main objective is to strengthen digital operational resilience so that financial markets and services avoid significant disruptions and continue running smoothly if catastrophic events occur.
Crucially, even if those infrastructure providers are in territories outside of the EU but serve companies with a presence within it, they will be required to satisfy specific DORA requirements.
The level of scrutiny they attract and the requirements they need to fulfill will vary according to the risk level, but this means that companies providing cloud services or tracking pixels to EU financial providers will need to comply with the Act’s requirements.
DORA is composed of five key ‘pillars’, which are:
1. ICT Risk Management: This pillar underscores the board of directors’ crucial role in developing and approving the Digital Operational Resilience Strategy (DORS). It involves creating policies to safeguard the confidentiality, integrity, and availability of all data, ensuring effective communication, cooperation, and coordination by implementing an ICT governance framework, and utilizing ICT solutions to prevent breaches of confidentiality, impairment of integrity, lack of availability, and loss of data.
2. Reporting on ICT-related incidents: DORA emphasizes the need for a communication strategy for disclosing ICT incidents as part of the Digital Operational Resilience Strategy (DORS). DORA attempts to streamline the reporting process, encouraging rapid investigation and response to breaches to reduce their impact.
3. Digital Operational Resilience Testing: Companies will need to implement testing assessment programs, which will, out of necessity, involve using automated tools to identify and correct issues before they can threaten operations.
4. Management of Third-Party Risk: This pillar addresses the management of risks associated with third-party ICT service providers.
5. Information and Intelligence Sharing: This section focuses on developing cyber threat information-sharing processes. Many threat actors targeting the financial industry will attempt to target multiple organizations simultaneously, so DORA encourages organizations to share threat intelligence with peers to improve awareness of evolving cyber threats.
Thank you for visiting my blog.
Follow me on Medium and LinkedIn for more content about CTFs, Ethical Hacking, Cybersecurity, and more.