DORA explained: Requirements, penalties, and steps to compliance

What is DORA?

DORA stands for the Digital Operational Resilience Act (Regulation (EU) 2022/2554). It is the EU framework for managing ICT risk, ICT-related incidents, and the risks arising from ICT third-party service providers in the financial sector. The European Commission proposed it in September 2020, and it was formally adopted in 2022.

Purpose of DORA

Before DORA, financial institutions managed operational risk mainly through capital allocation, which meant absorbing losses after the fact rather than preventing disruption: a reactive approach.

As technology and its interconnection with the financial system grew, new threats emerged that traditional risk management did not adequately address. The need for a proactive approach led to a dedicated regulatory framework: with DORA, the EU aims to establish a common framework for managing and mitigating ICT risk across the financial sector.

Applicability

The regulatory framework is applicable to various entities, including:

  • Credit institutions: institutions that accept deposits from the public and provide loans, for example commercial banks and savings banks.
  • Electronic money institutions: entities that issue electronic money, for example prepaid card issuers.
  • Crypto-asset service providers: entities dealing with crypto-assets, for example crypto exchanges, wallet providers, and asset custodians.
  • Payment institutions: entities offering payment services, including facilitating payment transactions, for example online payment service providers.
  • ICT third-party service providers: entities providing ICT services to one or more financial entities, for example IT service, cloud service, and data centre providers.

The framework also extends to other entities, including but not limited to:

  • Investment firms
  • Account information service providers (AISPs)
  • Trading venues and trade repositories
  • Crowdfunding service providers
  • Insurance and reinsurance undertakings

For the full list of entities in scope, see Article 2 of the Regulation: https://www.digital-operational-resilience-act.com/Article_2.html

DORA requirements

Outlined below are the primary requirements for financial entities under the Digital Operational Resilience Act (DORA):

  • ICT Risk Management
  • Incident Management, classification and reporting
  • Resilience Testing
  • Risks related to ICT third-party service providers

Here is a quick guide to meeting each of these requirements.

ICT Risk Management

  • Document the ICT risk management framework as part of the overall risk management strategy, and review it at least annually and after any major ICT-related incident.
  • The framework should encompass the policies, procedures, protocols, and tools needed to protect ICT and information assets.
  • Establish mechanisms for the prompt detection of anomalous activities, performance issues, and ICT-related incidents.
  • Develop backup policies and procedures, together with restoration and recovery procedures, with their scope and frequency based on the criticality and confidentiality of the data.
  • Include a communication plan in the framework, and designate at least one person responsible for communicating ICT-related incidents.

Incident management, classification, and reporting

  • Define and implement an ICT-related incident management process, with procedures for detecting, managing, and notifying ICT-related incidents.
  • Classify incidents by the areas and services affected, the duration of the incident, any data losses, and the criticality of the affected services.
  • Report major ICT-related incidents to the competent authority, including details of the incident and other information relevant to assessing its significance.
  • Reporting is staged: an initial notification, one or more intermediate reports with updates as new information becomes available, and a final report once the root cause analysis is complete.
  • Reporting may be outsourced to a third-party service provider, but the financial entity remains fully responsible for meeting the reporting obligations.

Resilience Testing

  • Establish a digital operational resilience testing programme that combines a range of assessments, tests, methodologies, practices, and tools, and that covers a variety of scenarios and potential weaknesses.
  • Test all ICT systems and applications that support critical or important functions at least once a year. Financial entities identified by the competent authority must additionally carry out threat-led penetration testing (TLPT) at least every three years.
  • Take a risk-based approach, and ensure the testers are independent, whether internal or external. Internal testers require sufficient resources and a segregation of duties that avoids conflicts of interest.
  • Treat testing as a regular, planned activity rather than a one-off exercise, so that weaknesses are found and fixed before they can be exploited.
  • Testing should draw on a variety of test types, including but not limited to:
    • Vulnerability assessments and scans
    • Source code reviews where feasible
    • Penetration testing
    • Physical security reviews

Risks related to ICT third-party service providers

  • Adopt a strategy for managing ICT third-party risk, including a policy on the use of ICT services that support critical or important functions.
  • Regularly assess the risks arising from contractual arrangements for ICT services, and maintain a register of information covering all such arrangements.
  • Establish and document exit strategies, and test the exit plans periodically to ensure minimal disruption, continued regulatory compliance, and continuity of services.
  • Conduct due diligence on prospective ICT third-party service providers before contracting, assessing their suitability and identifying the associated risks.
  • ICT third-party service providers designated as critical fall under an EU oversight framework: a Lead Overseer (one of the European Supervisory Authorities) may request information from them and oversee the actions they take.

Enforcement and penalties

  • Application date: January 17, 2025 (DORA entered into force on January 16, 2023, with a two-year implementation period).
  • Entities in scope: financial entities in the EU and the ICT third-party service providers that serve them.
  • Oversight: the respective national competent authorities supervise financial entities; critical ICT third-party service providers are overseen at EU level by a Lead Overseer.
  • Penalties: member states define the administrative penalties and remedial measures applicable to financial entities; critical ICT third-party service providers can be fined by the Lead Overseer for failing to comply with its requests.

Conclusion

DORA is a key piece of EU legislation that aims to strengthen the operational resilience and cybersecurity of financial institutions. By understanding its scope and its four main requirements (ICT risk management, incident reporting, resilience testing, and ICT third-party risk), financial firms can plan their compliance work and reduce their exposure to ICT-related disruption.

FAQs:

  • What is the main objective of DORA?

    DORA aims to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats, and to harmonise digital operational resilience requirements across the EU financial sector.

  • What are the key requirements for firms under DORA?

    Firms must implement an ICT risk management framework, classify and report major ICT-related incidents, test their digital operational resilience regularly, and manage the risks arising from ICT third-party service providers.

  • How can financial institutions adapt to the implementation challenges of DORA?

    Financial institutions can adapt by mapping their existing controls against each requirement, updating systems and processes where gaps exist, engaging with their competent authority, and training staff on the new obligations.

Author

  • Yashraj Solanki

    Yashraj Singh Solanki is a dedicated Cyber Security Analyst with experience in audit and compliance across various standards such as PCI DSS, ISO 27001, and other regulatory guidelines. With a passion for exploring new fields and expanding his knowledge base, Yashraj is committed to staying at the forefront of cybersecurity practices. Beyond the realm of work, he finds joy in traveling to new destinations and indulging in his love for playing football.

