DORA is a new regulation that’ll affect tens of thousands of organizations providing financial services in the EU. But that’s not all – third-party information and communications technology (ICT) providers are also being brought into the mix, making working towards data security in the financial sector a bigger task than it has ever been before.
The clock has already started ticking on the 24-month preparation period, so the time to start getting ready is now.
What is DORA?
The Digital Operational Resilience Act, or DORA, is a major regulation that’s sweeping across the European Union to ensure that financial institutions and their tech partners step up their game when it comes to protecting themselves from the ever-rising risks of relying on technology.
But brace yourself, because DORA brings some serious challenges. From closely managing risks with third-party providers to keeping a constant eye on data security systems and spreading out the ICT-related risks, implementing DORA is no walk in the park. It's a whole new level of effort and commitment required to stay compliant.
DORA’s timeline at a glance
28 November 2022: The European Council adopted DORA
16 January 2023: DORA enters into force with 24-month preparation period
2023: the European Supervisory Authorities (ESA) will develop the first technical standards
2024: ESA will communicate the standards and give guidance to affected financial entities
17 January 2025: DORA requirements become enforceable
2025: Penetration testing will begin
What is the purpose of DORA?
The purpose of DORA is to strengthen digital resilience within the European Union. In other words, DORA sets out to protect sensitive data available to financial institutions and their ICT providers from the bad guys in the online world.
DORA creates a set of rules for anyone in the financial industry, hoping to harmonize data security efforts across EU member states, filling in the gaps and fixing the inconsistencies in the current EU laws.
Cyber threats are and most likely always will be on the rise, so DORA wants to make sure that the financial sector is ready for whatever digital dangers are thrown at it in the future. It recognizes the previously ignored dangers that come from within the supply chain, and doubles down on ICT service providers as well.
What is the scope of DORA?
In a nutshell, DORA applies to a wide range of financial entities involved in the EU's financial system, and the ICT service providers that support them. As long as the financial organization operates in any capacity within the EU market, they’ll need to comply with DORA, and so do their third-party providers. This is true even for companies based outside of the EU.
Which financial organizations does DORA apply to?
All of them! For example:
- payment service providers
- crypto firms
- investment firms
- pension funds
- insurance companies
DORA’s scope extends beyond just financial institutions to their third-party service providers, regardless of their location. Why? Because quite logically, even if a financial institution is up to their teeth in data protection measures, it can’t influence what it’s providers do. Not effectively, anyway. It’s actually a surprise that DORA wasn’t created sooner, really! The implications of DORA for the ICT providers are different, but they still fall within DORA’s scope.
It's worth noting that DORA doesn't limit its regulatory framework to only EU-based entities. It covers non-EU financial entities operating within the EU market as well. This means that even if a financial entity is based outside the EU but operates within its borders, it is still subject to the regulations outlined in DORA.
To give you an example, let's say you are an ICT provider based in Canada, offering services to a Canadian bank. If that bank has even a single branch or office in the EU, both you as the ICT provider and the bank fall within the scope of DORA.
What are DORA’s key objectives?
So, how exactly does DORA aim to achieve this EU-wide digital resilience? Let's explore its most important objectives to understand the regulation more deeply.
These are the five key pillars of DORA:
ICT risk management
DORA wants organizations to be proactive in protecting sensitive data with robust security management systems in place. Financial entities will need to not only focus on prevention but also on detection, containment, recovery, and repair capabilities. Risk-based security policies will be mandatory.
One provision in DORA emphasizes the need for continuous monitoring and control of ICT security tools. This requirement underscores the importance of adopting advanced data loss protection (DLP) solutions that offer automated incident detection and risk evaluation capabilities.
The concentration of risk is another consideration. DORA prohibits organizations to rely on one service provider for critical processes, preferring a range of security vendors. This way, when one system or vendor is affected, the risk for the financial organization is spread out and minimized.
Financial entities are required to report major ICT-related incidents and significant cyber threats to competent authorities. The goal is to improve transparency and coordination when it comes to cyber incidents. A fast response is a more effective response. This means if something goes wrong with their digital systems, they need to let the authorities know right away.
Additionally, incidents that impact the ICT service providers financial organizations rely on must also be reported. This way, everyone can be aware of any potential risks that could spread through the interconnected financial ecosystem.
Operational resilience testing
This annual advanced testing ensures that financial entities can withstand, respond to, and recover from various ICT disruptions and threats. Third-party providers will need to cooperate with periodical penetration testing as well. All parties will then have to eliminate any vulnerabilities that these tests uncover.
Third-party risk management
One of the major objectives of DORA is that financial entities will be responsible for managing and mitigating third-party risks – a challenging task, to say the least.
This means, for example, conducting risk assessments for outsourcing contracts or ensuring that contracts with ICT third-party providers include all necessary monitoring and accessibility details, as well as binding contractual terms.
DORA encourages financial entities and authorities to share information and intelligence about cyber threats and weaknesses. By working together, they can better respond to new risks. Financial entities will need to set up systems to review and act upon the information shared.
How organizations can start preparing for DORA now
Even though ESA won’t fully develop and communicate DORA’s technical standards and requirements until next year, there are steps financial institutions can take to ensure smoother compliance with DORA when the time comes.
The most important step will be a gap assessment during which financial institutions can reference other existing regulations and make sure they are up to speed with current security expectations. The assumption is that DORA will include most existing standards and rules, so this is the basic step organizations can take to ensure they aren’t too far behind when DORA’s implications are specified.
One such regulation is the NIS2, the “Network and Information Security” EU directive.
Institutions can also review their information security management system using the ISO 27001 international standard.
It is vital that institutions keep their data security policies agile enough to be able to implement any extra implications that DORA will have.
How can Safetica help you comply with DORA?
Do you feel that waiting for DORA to define regulatory and implementing technical standards somewhat shortens the already short preparation period? You aren’t wrong. Having an experienced partner may help to give you peace of mind. Using a robust DLP solution will also make dealing with data loss protection easier, more effective, and less time-consuming.
For example, manual monitoring and evaluation of ICT security would be an enormous undertaking, prone to oversight and delays. But by leveraging DLP solutions such as Safetica’s, financial entities can enhance their risk management capabilities and stay ahead of emerging threats in a more streamlined and effective manner.
By embracing DLP solutions with rapid-response features, financial entities can strengthen their ability to quickly identify and react to potential security incidents. With real-time alerts and automated risk evaluation, financial entities can take swift action to mitigate threats and protect sensitive data.