Blog May 24, 2024

DORA Regulation: What Financial Institutions Need To Do

Yannis Velitsikakis, Product Manager

As a cybersecurity company, Obrela is vigilant in monitoring the evolving regulations and how these impact our clients, especially those in the financial sector. With the introduction of the Digital Operational Resilience Act (DORA), we see a transformative step forward in the European Union’s approach to financial cyber resilience. Here’s an overview of what DORA entails and what it means for financial entities.

What is DORA?

DORA (Regulation (EU) 2022/2554) is a comprehensive regulatory framework designed to strengthen the cybersecurity and operational resilience of the financial sector across the EU. Recognizing the critical role of ICT in financial services, DORA harmonizes requirements that were previously scattered across sector-specific rules and introduces new ones under a single legislative umbrella. It applies to a broad range of financial entities, not just banks, and it also reaches the ICT third-party service providers that serve them, with those designated as critical falling under direct EU-level oversight.

Purpose and Coverage

The primary goal of DORA is to enhance the ability of financial entities to withstand, respond to and recover from ICT-related disruptions and threats. By harmonizing fragmented regulations into a single framework, DORA simplifies the compliance landscape, making it clearer for entities to understand and meet regulatory mandates. Its requirements fall into five areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk, and arrangements for sharing threat intelligence between financial entities.

Impact on Cybersecurity Controls

Under DORA, financial institutions are expected to adopt a proactive approach to cyber resilience, built on comprehensive ICT risk management. The management body (the board and senior executives) bears final responsibility for the entity's ICT risk, so it must understand the risks, approve the strategy and ensure they are managed appropriately. Institutions must identify and classify their critical assets, implement protective measures, detect threats and anomalous activity, and have robust response and recovery strategies in place.

Compliance and Supervision

DORA is not merely about compliance; it’s about cultivating a forward-looking, learning-driven approach to cyber resilience. Financial entities must continuously evaluate and improve their cybersecurity and resilience practices in response to evolving threats. Those found non-compliant must not only address deficiencies but also demonstrate ongoing improvements in their cybersecurity posture.

Obrela offers assistance in meeting your compliance needs and achieving your desired resilience posture through our Managed Risk and Controls (MRC) product portfolio, which can help you prepare and plan for the new regime.


Why the Phased Implementation?

DORA entered into force on 16 January 2023 and applies from 17 January 2025. This two-year gap allows the European Supervisory Authorities to develop the detailed regulatory and implementing technical standards (RTS and ITS) that flesh out the regulation, and gives the financial sector adequate time to align its systems, contracts and practices with the new requirements. It ensures that all involved parties, regulators and financial entities alike, are prepared for a smooth transition.

Global Implications

While DORA aims to standardize cyber resilience practices across the EU, it may lead to differences with regulations in non-EU countries, such as the UK. Financial entities operating in multiple jurisdictions may need to navigate these differences to ensure global compliance.

As domain experts, we're here to help our clients navigate these changes. Whether it's understanding DORA's implications, carrying out a DORA readiness and maturity assessment, or developing and executing a DORA compliance roadmap, our team is equipped to support you every step of the way.

Your DORA Checklist

To ensure compliance with DORA, financial institutions across the European Union need to undertake specific actions. Here’s a non-exhaustive checklist to guide you through the necessary steps:

  • Understand the Scope of DORA
    • Familiarize yourself with the provisions of DORA and its applicability across all areas of financial services, not just banking.
  • Evaluate Current Cyber Resilience Framework
    • Review and assess your current cybersecurity and resilience practices against DORA requirements.
    • Identify gaps in your current ICT risk management frameworks in comparison to DORA standards.
    • Conduct strategic resilience planning to define the road ahead.
  • Board-Level Engagement
    • Ensure the executive board understands their responsibility for cyber resilience.
    • Organize training for board members on DORA compliance and its implications.
  • ICT Risk Management
    • Develop or refine a comprehensive ICT risk management strategy.
    • Implement robust security measures to protect critical information and ICT assets.
  • Incident Management Process
    • Revise or develop your incident management process.
    • Ensure your incident classification scheme meets the requirements dictated by Article 18 of DORA, so that major ICT-related incidents are recognized consistently and quickly.
    • Set up a clear protocol for timely incident reporting in line with DORA requirements, covering the initial notification, intermediate report and final report to the competent authority that Article 19 requires for major incidents.
  • ICT business continuity
    • Ensure your ICT business continuity policy, associated ICT response and recovery plans conform to DORA mandates.
  • Third-Party Risk Management
    • Conduct thorough due diligence of all ICT third-party service providers, especially major cloud services and other critical IT suppliers, and maintain the register of information on all contractual arrangements with them that DORA requires.
    • Ensure contracts with third parties contain the provisions DORA mandates, including audit and access rights, service levels, incident notification and exit strategies, and that they align with DORA's security and resilience standards.
  • Testing and Audits
    • Regularly test the effectiveness of security measures and resilience strategies, and be prepared for threat-led penetration testing (TLPT) of live production systems, which DORA requires at least every three years for entities identified by their competent authority.
    • Conduct audits to ensure continuous compliance with DORA regulations.
  • Documentation and Reporting
    • Keep detailed records of compliance efforts, incident management outcomes, and improvements.
    • Prepare for regular reporting to relevant EU supervisory authorities.
  • Prepare for Regulatory Technical Standards (RTS)
    • Stay informed about the development and implementation of RTS related to DORA.
    • Plan to integrate RTS into your operational practices as soon as they are finalized.
  • Continuous Improvement
    • Foster a culture of continuous learning and adaptation to evolving cyber threats.
    • Regularly update your cybersecurity and resilience strategies and practices based on new findings and regulatory updates.

By following this checklist, financial institutions can position themselves to comply with DORA and enhance their overall digital operational resilience. This proactive approach will be crucial in navigating the complexities of modern cybersecurity threats and ensuring financial stability across the European Union.

Obrela's Managed Risk and Controls (MRC) platform comprehensively covers customers' needs throughout their journey to comply with the DORA requirements. MRC, along with our team of experts, can support and guide organisations in the financial services sector from understanding the scope of DORA, through evaluation of their security framework, to testing and audit. Users benefit from a real-time, centralized view of their DORA compliance posture and enhanced compliance insights that fuel better decision-making and results, improve visibility into the performance of the DORA compliance program, and give full control, tracking and in-depth access to the execution of their improvement or mitigation plan.

In addition, by deploying Obrela’s MRC platform you can gain:

  • Operationalization of an effective and robust compliance program
  • Streamlined and consistent reporting of your DORA compliance program that helps you build confidence in all relevant parties
  • Time optimization, productivity boost and increased performance of your DORA compliance program
  • Enhanced reporting to the board and other stakeholders.