The Digital Operational Resilience Act (DORA); Challenges and Solutions

Owing to the rapid digitization of banking and transactions, the frequency and severity of cyber threats and scams in the financial domain is severe. Scams are executed through various channels, including emails, social media, refund companies, phone calls and texts, and are relatively easy/quick to deploy. This is why it is crucial to have a plan of action in place to address these vulnerabilities.  

That is where the Digital Operation Resilience Act, or DORA, comes in.  

Financial entities in the European Union and their ICT providers must comply with DORA by January 17, 2025. As the clock is already ticking, you should start learning more about it.

What is DORA? 

As a part of the legislative framework of the European Union, the Digital Operational Resilience Act (DORA) aims to set a common standard for managing operational risks, such as cyber threats, system failures, and other operational disruptions posed by digital information and communication technologies. With an aim to foster the potential of digital finance, the act ensures that financial entities, including banks, crypto asset providers, data reporting providers, and cloud service providers have robust and effective risk management practices to manage, mitigate, and prevent these risks. 

To improve operational resilience, DORA mandates regular risk assessments and well-defined lines of accountability for all financial institutions. It requires these entities to identify and assess their key business services and their corresponding IT systems, processes, and dependencies. In addition, they also need to have solid backup plans in place in case of an unexpected halt in operations. 

The 5 Key Pillars of DORA 

To provide a thorough digital resiliency framework for financial entities, DORA is structured around 5 major pillars that encompass various domains of ICT and cyber security. 

1. ICT Risk Management 

This pillar of the DORA requires firms to update their technology risk management governance. The revised approach requires firms to identify critical business functions, dependant risks, and TSP (Technology and Data Service Providers) assets that run them. 

2. Incident Management, Classification, and Reporting 

This pillar ensures that financial market participants and infrastructure providers have efficient incident-detecting and management systems to inform regulatory authorities of major operational disruptions. 

3. Resiliency Testing 

Companies must undertake extensive scenario testing/simulations that focus on technical testing and encompass a wide range of procedures, evaluations, and tests. 

4. Third-party Risk Management 

Risks posed by TSPs must be monitored by financial institutions, and the regulatory requirements cover the aspects of the third-party relationship that are vital to thorough monitoring. 

5. Information Sharing 

Enhance the resilience of financial institutions by sharing information about cyber threats such as signs of compromise, tactics, techniques and procedures (TTP), and cybersecurity alerts. 

Challenges of Implementing DORA  

Implementing DORA can be challenging for some companies as it requires compliance with the following requisites: 

Designing an Architecture for DORA Compliance 

Financial institutions must build a digital operational resilience strategy to comply with DORA. The company-wide plan would address ICT risks and goals from both internal and external perspectives. That being said, DORA’s requirements are more complex than those of the ICT guidelines. 

Handling Cyber Risks 

Although the UK’s banking system is adept at mitigating cyber risk, DORA will require your organization to classify, report, and respond to threats and occurrences. While it is only required to report major incidents to your national regulator, it should be done within strict deadlines.  

Discovering System Vulnerabilities 

Since most vulnerabilities come down to poor network management systems, regular testing is the best way to address risks, which necessitates a wider range of digital testing, such as vulnerability scans, network assessments, and penetration tests. As a result, organizations will need to ensure that their testing strategy adequately covers all of their crucial operations over time.  

Managing Third-Party Risk 

DORA’s focus on Critical ICT Third Party Providers (CTPPs) reflects the ecosystem’s rising reliance on outsourced providers and the systemic risk they may pose. To ensure DORA-compliant contracts and risk management, your organization should regularly monitor third-party providers, as non-compliance can have serious financial repercussions. 

The Solution to Key Challenges 

While the DORA strives to consolidate current frameworks and standards, the planned implementation timeframe is ambitious and demands organizations to take a more proactive approach towards navigating these challenges. It begins by streamlining the company’s security architecture. Organizations must be able to quickly report cybersecurity issues, understand their reliance on third parties, and handle audit requests from customers and regulators in order to comply with the requirements of the Data Opinions and Risk Assessment Act (DORA). 

To make the entire process seamless, SecurityHQ is committed to working with you to understand your vulnerabilities and to navigate the growing threats and compliance processes for your firm.  

Take a look at our comprehensive list of services to learn how we can address your unique cyber security concerns.