Get Ready for the Digital Operational Resilience Act
Table Of Contents:
Financial service organisations will be challenged to improve their operational resilience with an incoming set of regulations whose impact will expand far beyond the sector.
The Digital Operational Resilience Act (DORA) consolidates and extends existing cybersecurity and operational resiliency rules for financial services firms operating in the European Union.
More specifically, DORA introduces specific and prescriptive requirements on Information and Communications Technology (ICT) risk management and incident reporting. The regulations were approved by the EU Council in January 2023, starting the clock on a 24-month implementation period.
Both financial sector firms and their ICT technology suppliers (such as cloud platforms and data analytics providers) have until January 17, 2025, to become compliant with the new regulations.
Will Richmond-Coggan, a partner at UK law firm Freeths and a specialist in data protection and cyber litigation, commented: “The need for this regulation was driven by the increasing dependence of financial institutions on their digital systems and the inter-connectedness of those systems across the entire financial sector.
Banks have long been required to manage operational risk through audits, control and access to sufficient capital. Measures to assure operational resilience in the face of the growing problem of malware attacks and criminal hacking are less mature, a shortcoming the DORA regulations seek to address.
“It is clear that the key driver behind the legislation is creating consistency and certainty as to the technological resilience of every entity within the European financial sector, together with their intermediaries, subsidiaries and third-party suppliers,” Richmond-Coggan told ISMS.com. “The legislation aims to drive an improvement in incident transparency and system robustness by raising the minimum expectations on financial services businesses.”
Five Pillars
The five key pillars under the legislation cover issues such as risk management, incident reporting, standardised resilience testing, intelligence sharing and the management of third-party risk.
The regulation offers the opportunity to improve the sector’s robustness as a whole but only if “organisations embrace the opportunities to pool information and threat intelligence to assist one another to identify and address points of weakness,” Richmond-Coggan concluded.
Luke Dash, chief exec of ISMS.online, commented: “One of the critical tenets of DORA is that organisations must adopt a proactive approach that involves continuous risk identification and the establishment of robust protection and prevention measures.”
Dash continued: “This will enable organisations to promptly identify and eliminate any weaknesses, deficiencies, or gaps within their digital operations, safeguarding the integrity and security of their systems.”
John Elliott, a security advisor at web security tools vendor Jscrambler, said that the introduction of DORA will mean that instead of simply establishing preventative controls, organisations will be obliged to take a “more holistic view encompassing detection, response, and recovery”.
“It also requires entities not just to have resilient systems but to test and prove their resilience,” Elliott added.
Laying the Foundations
Standards such as ISO 27001 can play a crucial role in assisting organisations towards compliance with the Digital Operational Resilience Act (DORA).
ISO 27001 covers various areas relevant to DORA compliance, including risk assessment, incident response, business continuity, and operational resilience. “Organisations that have already achieved ISO 27001 certification or have implemented its principles will have a solid foundation in place to address many of the security and resilience aspects required by DORA,” ISMS. online’s Dash explained.
“Furthermore, ISO 27001’s emphasis on a risk-based approach and continual improvement aligns with the spirit of DORA, as both standards promote proactive risk management and the continuous enhancement of operational resilience,” he added.
Dash continued: “Implementing ISO 27001 can help organisations identify and address potential vulnerabilities, strengthen their security posture, and establish the necessary processes and controls to comply with DORA requirements.”
Other experts agreed that applying ISO 27001 lays the groundwork for the more ambitious goal of moving towards compliance with DORA.
Jscrambler’s Elliott explained: “As Article 5(4) [of DORA] requires organisations to implement an Information Security Management System or ISMS, following standards like 27001 will be the natural choice for most organisations to both give them a structure for their information security and to be able to demonstrate to a regulator that they have an ISMS in place.”
ISMS.online’s Dash added that by using 27001 as a stepping stone, “organisations can streamline their compliance efforts and demonstrate a proactive commitment to information security and operational resilience”, an essential aspect of moving towards compliance with DORA.
“ISO 27001 can also enable organisations to layer other standards on top over time, simplifying compliance more generally for organisations as the risk landscape adapts,” Dash concluded.
Anglo-File
DORA is an EU regulation, and since the UK is not in the EU, there is no direct effect – at least on UK law. UK-based entities offering their services to clients in the EU, however, must comply with DORA.
“The government has indicated it will legislate in respect of the operational resilience of third parties, and the BOE [Bank of England]/PRA and FCA [Finacial Conduct Authority] have jointly consulted on this area although no formal regulation has yet appeared,” according to Jscrambler’s Elliott. “The bank has other programs in place that align with some aspects of DORA, for example, the requirement for threat-lead penetration testing in CBEST.”
ISMS.online invited the Information Commissioner’s Office (ICO) to comment on how quickly DORA might be adopted by UK organisations and whether or not the ICO will have a role in promoting or enforcing the regulation. It declined to comment.
Obstacles
Achieving compliance with DORA is likely to be a major project.
Jscrambler’s Elliott commented: “The largest problem I foresee is for mid-sized financial institutions that are too large to take advantage of the exemptions for small firms and micro enterprises, but who have not previously had to have such a sophisticated approach to cyber security. They do not have much time to make the technical and philosophical changes required by the regulation.”
How quickly affected organisations can comply with DORA will be influenced by many factors, including “company size, infrastructure complexity, and organisational readiness to embrace new ways of working” ISMS. online’s Dash explained.
“The DORA regulation has many requirements, including conducting risk assessments, bolstering operational resilience, and establishing robust incident response procedures,” Dash concluded. “Working towards these goals and embedding these processes sufficiently may span several months to a few years.”
Compliance professionals and platforms can “help streamline the implementation process and ensure ongoing compliance,” Dash concluded.
15-Step DORA Checklist
Download this handy, 15-step checklist to help get you started on your journey to compliance. With just 18 months left before The Digital Operational Resilience Act comes into force, there’s never been a better time to get started!