DORA: mitigating ICT risks and strengthening digital resilience

The EU’s new regulation DORA will broadly influence how financial entities improve ICT governance, manage ICT risks, disclose incidents, and strengthen their resilience. The financial sector is increasingly dependent on digital services and technology to deliver their services. This digital transformation has made financial entities more vulnerable to cyberattacks and incidents.

Melissa Parsons

An article from

Melissa Parsons
Technical Writer
Published
April 4, 2024
Updated
Reading time
minutes
DORA regulation - C-Risk

The financial entities and the ICT services that support the financial entities represent a vital component of the EU’s critical infrastructure. When not managed properly, ICT risks can cause disruptions across borders and across sectors, having an impact on the economy at large. It is also an opportunity for intelligence sharing related to threats and vulnerabilities.

The Digital Operational Resilience Act (Regulation (EU) 2022/2554, i.e., DORA) is a European regulation introduced by the European Commission in September 2020. DORA entered into force on January 16, 2023, and will apply as of January 17, 2025. The regulation is part of the EU’s digital strategy, which aims to strengthen the digital operational resilience of financial entities operating in Europe and their ICT third parties by establishing a common set of rules and standards to mitigate Information and Communications Technology (ICT) risks. 

Harmonization for the financial sector across Europe

Prior to the introduction of DORA, the financial services sector in the EU operated without a common framework for ICT and cybersecurity. The regulatory landscape was characterized by a complicated patchwork of both European and national standards that were not harmonized. Additionally, financial institutions had to navigate the complexities of data protection as mandated by the EU's General Data Protection Regulation (GDPR), alongside the necessities of safeguarding critical infrastructure as per the Network and Information Systems (NIS) directive. With no EU regulation, it was left to each Member State to implement and enforce their own laws to address these multifaceted risk management issues.

What is a regulation in the EU?

Before diving into the Digital Operational Resilience Act, it is important to understand what the term “regulation” means when discussing EU policies and other types of EU legislative acts.

 

Outside the EU, their meanings vary from country to country. In the EU, there are five types of legislative or legal acts that enable the EU treaties to achieve their goals. These are regulations, directives, decisions, recommendations, and opinions.  

 

Regulation: A binding legislative act that must be applied directly and in its entirety in all Member States.

 

Directive: a legislative act that determines goals that must be achieved, but the way it is enacted is left to each EU Member State. The NIS2 Directive came into force in 2023 and every Member State must implement the Directive into national law.

 

Decision: a binding act only on those to whom it is addressed and is directly applicable. For example, when the Council issues a decision on a Member State adopting the euro, it only concerns a specific country.

 

Recommendation: a non-binding text issued by an EU institution to express their views on a subject and suggest actions to be taken without any legal implications or obligations on those addressed in the recommendation.

 

Opinion: a non-binding text issued by an EU institution to express their views on a subject.

 

What is a regulation in the EU?

What is the scope of DORA?

DORA applies to all financial institutions in the EU which includes traditional financial entities, such as banks, investment firms and credit institutions, as well as non-traditional entities, such as crypto-asset service providers. Article 2(1) of DORA sets out the exhaustive list of covered entities for the EU’s financial sector, with exceptions listed in Article 2(3). In addition, ICT third-party service providers do not have to be based in Europe to come under the regulation. Any third party providing services to a European company is concerned. The specific provisions for the FEs and third-party services providers will be addressed in another post.

 

The five key pillars of DORA

The text of the regulation defines five pillars that cover different domains and aspects of ICT and cyber risks that must be addressed by the financial entities to ensure compliance. 

ICT Risk Management

Financial entities must have robust governance and control frameworks for effective ICT risk management. This includes, but not limited to, preparing for ICT risks, maintaining up-to-date systems, and implementing digital operational resilience strategies.

ICT-Related Incident Management, Classification and Reporting

Financial entities must establish a process for identifying and managing ICT-related incidents, with major incidents reported to the relevant authority.

Digital Operational Resilience Testing

Regular testing of ICT systems and tools to identify and correct weaknesses or gaps in digital operational resilience. This includes third-party penetration testing and threat-led penetration testing.

Managing of ICT Third-Party Risk

This pillar focuses on the sound management of risks associated with ICT third-party service providers, including due diligence, contractual provisions, and ICT concentration risk. 

Information Sharing

Information-sharing with the authorities and among financial entities contributes to the digital operational resilience, particularly in the context of cyber threats and vulnerabilities.

Regulatory compliance is only the first step to digital operational resilience

C-Risk can help you effectively communicate the financial and operational impact of cyber risks, ensuring strategic resource allocation that aligns with your business objectives.

European Supervisory Authorities and DORA

The European Supervisory Authorities (ESAs) work primarily on harmonizing financial supervision in the EU with a set of prudential standards for financial institutions. The ESAs help to ensure compliance and “create a level playing field”. They are also mandated to assess risks and vulnerabilities in the financial sector. The ESAs are:

 

·  the European Banking Authority (EBA)

·  the European Insurance and Occupational Pensions Authority (EIOPA)

·  the European Securities and Markets Authority (ESMA)

 

To operationalize the application of DORA, the ESAs though Joint Committee and in consultation with the European Central Bank (ECB) and European Union

Agency for Cybersecurity (ENISA) are mandated to develop 13 policy products in two batches. These policy products include regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines (GL). These policy instruments are necessary to provide detailed technical specifications for the implementation of the legislation. 

 

The first batch of policy products includes:

·  RTS on ICT risk management framework and RTS on simplified ICT risk management framework

·  RTS on criteria for the classification of ICT-related incidents

·  ITS to establish the templates for the register of information

·  RTS to specify the policy on ICT services performed by ICT third-party providers

 

The second batch includes:

·  RTS and ITS on content, timelines and templates on incident reporting

·  GL on aggregated costs and losses from major incidents

·  RTS on subcontracting of critical or important functions

·  RTS on oversight harmonization

·  GL on oversight cooperation between ESAs and competent authorities

·  RTS on threat-led penetration testing (TLPT)

 

The first set of final draft technical standards was published on January 17, 2024, by the ESAs. The European Commission will review these technical standards with the objective to adopt them. The second batch of technical standards will be submitted to the European Commission and issue the guidelines by July 17, 2024.

 

Even without the final texts from the ESAs, it is necessary for organizations to move forward with compliance measures using the five pillars of DORA as a roadmap.  

Challenges for DORA compliance

Key challenges for achieving compliance under DORA run parallel to the five pillars of the regulation. Organizations concerned by the regulation need to focus on implementing risk-based policies and procedures to identify, measure, monitor, report, and mitigate ICT and cyber risks. In addition, an essential component for overall digital operational resilience is the regular assessment of ICT and cyber capabilities and security in the event of an ICT-related incident or cyberattack.

 

Do you have a digital business resiliency strategy? Have you implemented an ICT third-party service provider policy? How are you documenting your policies? How are the critical stakeholders from different departments within your organization communicating on ICT and cyber risk?

Data-driven risk management using quantitative analysis

Compliance is a great starting point for building a secure organization, but it does not guarantee the effective management of risks, productivity or growth.

 

Cyber risk quantification using the Open FAIR™ model helps security teams measure, manage and communicate risk from a business perspective, in financial terms. It is an effective way to help build a high level of digital operational resilience. Recently, the FAIR Institute introduced extensions to the standard that address controls, materiality, third party risk and AI, all of which can play a role in DORA compliance.

 

The first pillar of DORA is ICT Risk Management. This pillar requires boards to have the knowledge and skills necessary to assess cybersecurity risks and evaluate ICT policies and solutions. This can prove to be a challenge when there is a communication breakdown between security teams and executives, which can lead to less effective oversight by the board. Risk quantification using FAIR gives security teams the language to communicate ICT risks in business terms that the board will understand.

 

In addition to governance, the first pillar also requires control frameworks that ensure effective management of all ICT risks. The FAIR extension FAIR-CAM addresses “control physiology”. This is described as “how a system of controls works and interacts, as well as what the units of measurement are”.

 

By leveraging data and analytics using the FAIR model, financial entities can gain a data-driven perspective of their risk exposure and take proactive measures to mitigate ICT risks.

 

Financial entities can determine the impact of ICT-related incidents based on factors such as the number of clients affected, data losses, and the economic impact, including replacement costs, staff costs, various fees, losses due to forgone revenue, communication and advisory costs, etc. Quantitative analysis can determine the probable impact of a risk scenario, enabling quicker and more accurate reporting.

 

The management of ICT third-party risks also falls on financial entities. The FAIR-TAM extension to the FAIR model focuses on risk-based prioritization, comprehensive, continuous monitoring and actionable mitigations. By adopting a data-driven approach, financial entities can assess level of risk posed by critical ICT third-party providers based on historical data and current trends. These insights provide decision-makers with comprehensive information to make informed decisions regarding third-party relationships. This includes decisions related to vendor selection, contract negotiations, and monitoring.

 

Regulators expect transparent, defendable and consistent decision making. Cyber risk quantification using FAIR is fundamentally transparent, defendable and consistent. It can be implemented easily and quickly. It is a standalone capability which is not dependent on the overall organizational maturity.

 

As the DORA compliance deadline approaches, C-Risk can help you navigate these ICT risk management challenges.

 

In this article
Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.