29-March-2024

DORA: European legislation for financial institutions also imposes requirements on ICT service providers

New legislation is forthcoming to further strengthen the cyber resilience of financial institutions in the European Union (EU): the Digital Operational Resilience Act, or DORA. This legislation, along with initiatives such as the Cyber Resilience Act (CRA) and the Network and Information Security Directive (NIS2), aims to compel organizations to exercise more demonstrable control in the realm of cybersecurity. DORA will come into effect on January 17, 2025, and companies falling under its purview (spoiler: not only financial institutions) would be wise to take action now.

With less than a year remaining before DORA's implementation deadline, financial institutions, which typically already comply with a great deal of security legislation, have additional homework. The second version of DORA will be published midway through this year, providing more clarity on the exact requirements. Financial institutions and other involved parties would be wise to monitor this closely so they can prepare for compliance.

Not just for banks

The impact of DORA extends far and affects a wide range of organizations within the financial sector. Not only traditional banks, insurance companies, pension and investment funds are subject to the regulation, but also emerging players such as crypto exchanges and crowdfunding service providers. Additionally, third parties providing services to financial institutions must comply with regulations under DORA. This includes IT service providers, SaaS providers, and application developers. These companies must demonstrably meet requirements, including having and actively maintaining security policies, keeping systems up-to-date, and mapping their IT, application, and data landscapes.

Moreover, they must periodically test the effectiveness of their security measures. Large financial institutions such as major banks, large insurers, and institutional investors such as pension funds are already accustomed to being accountable for security issues both internally and externally. For them, the main change will likely be an adjustment of their reporting procedures. Additionally, given the penalty clause, these institutions will feel more obligated to comply with the new legislative requirements. Medium and smaller financial institutions are expected to have to catch up to demonstrate clearly that they meet DORA's requirements.

Key requirements and changes under DORA

A key requirement under DORA is the implementation of a risk framework. This framework should provide clarity on the security risks to which the organization is exposed and what appropriate measures are being taken.

The board and management must be actively informed about the evolving tactics of cybercriminals and the specific threats relevant to the business. DORA-obliged organizations must have access to a 'threat intel feed' so they can receive threat information in a structured manner and anticipate it. Larger banks and insurers often have a dedicated team for collecting and analyzing threat information. However, smaller organizations may need to purchase this information externally, with Managed Detection & Response (MDR) service providers playing a valuable role in sharing and interpreting threat information.

This risk framework approach is seen more frequently as part of new European legislation and marks a positive trend. Instead of just prescribing specific measures to be met, the rules now emphasize thorough risk analysis as a first step. This development promotes a more thoughtful approach to cybersecurity, where measures are taken based on a well-founded understanding of an organization's risk landscape.

Business continuity management

Another significant change under DORA is the requirement to have a robust business continuity plan. This plan must detail how the company will respond to incidents, which systems are critical to operations, what the recovery plans are, and what agreements exist with suppliers regarding the continuity of their services. Crucially, DORA prescribes that this plan be exercised regularly. In practice, it often turns out that much still needs to be arranged. It is essential to consider communication protocols, such as gathering alternative contact information in case email is unavailable, and identifying who takes over responsibilities in the absence of key personnel. Again, larger financial institutions often have much arranged to ensure their continuity, but this will entail considerable extra work for medium and smaller financial institutions.

Effective detection mechanisms

DORA also requires effective detection mechanisms to be set up within the IT environments of financial institutions. This means active monitoring to detect potential incidents in a timely manner. Many larger institutions have their own Security Operations Center or a contracted third party responsible for monitoring, detection, and response. For parties that do not yet have their own or contracted detection capability, accelerated development of internal capacity or outsourcing is necessary.

Reporting and testing obligations

Another change under DORA legislation is the reporting obligation in the event of incidents. Although the exact timelines are yet to be determined, the requirements are clear: an initial report on an incident, followed by intermediate reporting on changes, and ultimately a detailed report on the root causes, mitigation measures taken, and an analysis of the impact.

In addition to the reporting obligation, DORA also imposes strict requirements for security testing, especially attack simulations. Financial institutions must have these conducted at least annually by an independent internal or external team. Every three years, a more advanced test must also be conducted, based on current threat intelligence. An example of such a test is TIBER (Threat Intelligence Based Ethical Red Teaming), based on the testing framework of the Dutch Central Bank, inspired by the original British method, which now also has an EU variant (TIBER-EU). These tests are intended to simulate attacks by more advanced actors as realistically as possible, primarily to test the effectiveness of defense mechanisms. This type of test may only be conducted by certified teams with demonstrable experience in realistic attack simulations.

Compliance

In line with the reporting obligation, the possibility of sanctions is also an important change. Failing to comply with the Digital Operational Resilience Act can have significant consequences in the form of fines. These fines can amount to 2% of global turnover, with a maximum of one million euros for individuals. For ICT service providers, sanctions can amount to five million euros, with a possibility of half a million for individuals held responsible for non-compliance. These financial penalties emphasize the importance of timely and thorough compliance with DORA regulations to ensure the operational resilience and cybersecurity of financial institutions and ICT service providers.

Getting started with DORA

DORA has a significant impact on organizations within the financial sector and beyond. While large banks and insurers already largely comply with similar requirements, smaller institutions such as crypto exchanges and ICT service providers will need to make significantly more efforts to meet the new standards. This includes third parties, who are now also subject to mandatory compliance. DORA goes deeper than the NIS2 directive, with specific and uniform tests, necessitating a thorough and demonstrable approach to cybersecurity.

For medium and smaller financial institutions, this means there is much work to be done. Implementing an effective strategy requires time and dedication, with the board and management playing a crucial role and actively being accountable for compliance with DORA's requirements. Ensuring security must be based on a risk management approach, with the ability to rely on an internal or external Security Operations Center, monitor and anticipate current threats, and support incident preparedness with targeted continuity measures and effectiveness tests. All of this is to be able to detect and report incidents in a timely manner and to prevent any fines resulting from non-compliance.


More information or advice?

Do you want to know more about DORA or other cybersecurity legislation? Or do you want to discuss the measures your company needs to take? Contact us at info@computest.nl.
