DORA – how to comply with the regulation?

05/11/2024

On January 17, 2025, the provisions of the Digital Operational Resilience Act (DORA) will come into effect. This regulation aims to enhance the digital operational resilience of financial entities and regulate the provision of ICT services in this sector. Thus, the 24-month transitional period, meant to give organizations time to prepare for the new rules, will come to an end. DORA imposes a range of obligations on financial institutions. How can they meet these requirements? Who is subject to DORA? Where can assistance be sought?

The financial sector plays a key role in the economy of every country, ensuring financial stability and the secure storage and transfer of funds. However, with the advancement of digital technologies and the increasing shift of societal activities online, new challenges have emerged related to data protection and operational risk management. Cyberattacks are becoming more frequent each year. For instance, in 2016, cybercriminals breached the international SWIFT financial system, stealing nearly $81 million. In Poland, there was a data leak in 2023 that exposed nearly 200,000 PESEL (national identification number) records. Another notable case involved the theft of 190 GB of data from ALAB, a medical laboratory. It is also worth noting that by the end of 2023, 21.7 million Poles were using banking apps, and 22.7 million were engaged in online banking. According to a report by Check Point Software Technologies, Polish banks are attacked up to 160 times daily—over 1,100 times weekly. Is DORA the solution to these issues?

The overall scale of cybercrime is difficult to estimate because companies often conceal information about breaches to protect their reputation. Each year, new techniques are developed by cybercriminals. In addition to well-known attacks like ransomware (file encryption), phishing (data theft), and DDoS (service overload), new methods leveraging artificial intelligence (AI) are emerging. In response to the increasing digitization of the financial sector and the associated cyber threats, the European Parliament and Council adopted the Digital Operational Resilience Act (DORA) on December 14, 2022. This regulation is designed to strengthen the operational resilience of the financial sector in the face of these growing challenges.

What is DORA?

DORA (Digital Operational Resilience Act) is an EU legal regulation aimed at increasing the resilience of financial entities to digital security incidents and ensuring that they can maintain business continuity even in the face of significant disruptions. The regulation establishes requirements for high levels of digital resilience in both the financial sector and companies providing ICT services to this sector.

DORA introduces specific rules for risk management, incident reporting, operational resilience testing, and risk monitoring to address gaps in existing cybersecurity regulations in the financial sector. In practice, implementing these provisions will contribute to greater stability in the EU financial system and improve the security of using digital services.

DORA applies across the European Union, providing a common, uniform standard. It is directly applicable in all EU countries, meaning that financial institutions must comply with its requirements without the need for additional interpretations or national adaptations.

Why was DORA created?

The Digital Operational Resilience Act (DORA) didn’t emerge out of nowhere. Over the years, the financial sector has witnessed numerous, increasingly frequent incidents that highlighted the severe consequences of lacking proper security mechanisms. Cases where IT system failures led to service disruptions, and cyberattacks compromised the security of customers’ data and funds, underscored the need for stronger measures. Some of these examples were mentioned earlier.

The legislative process for DORA began with analyses conducted by EU institutions such as the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). The development of the regulation also involved consultations with representatives of the financial sector to better understand its needs and the challenges it faces daily.

DORA is part of the European Union’s broader strategy to strengthen cybersecurity and ensure economic stability in the era of digital transformation.

Does this apply to me? Which entities are covered by DORA?

DORA is aimed at a wide range of entities operating in the financial sector. The regulation includes:

  • banks and other financial institutions involved in lending;
  • institutions engaged in payment services;
  • providers of services offering access to bank account information;
  • organizations issuing electronic money;
  • investment firms, such as brokerage houses and banks providing brokerage services;
  • companies offering services related to crypto-assets;
  • central securities depositories;
  • central counterparties (CCPs);
  • trading systems (regulated markets, MTFs, OTFs);
  • trade repositories;
  • alternative investment fund managers;
  • asset management companies;
  • providers of data reporting services;
  • insurance and reinsurance companies;
  • intermediaries in insurance, reinsurance, and ancillary insurance;
  • institutions managing employee pension programs;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitization repositories;
  • external information and communication technology (ICT) service providers.

The regulation, therefore, applies not only to the largest financial institutions but also to smaller entities as well as service providers.

Scope of regulation – what does DORA cover?

The scope of the Digital Operational Resilience Act (DORA) encompasses five key pillars of cybersecurity:

1. ICT risk management.

DORA requires financial institutions to establish comprehensive frameworks for managing ICT-related risks. These frameworks should include clear rules and procedures to effectively manage threats. Institutions must identify and classify their processes in detail, enabling thorough documentation of technology-related activities. Key requirements include implementing threat detection systems, backup procedures, and communication plans for incident response. Organizations are also expected to conduct regular training programs to raise employee awareness about IT security.

2. ICT incident management, classification, and reporting.

Institutions must adhere to DORA’s standards for identifying, classifying, and assessing ICT security incidents. They are required to meticulously document each incident, classify it based on established criteria, and determine its impact on operations and customers. These practices are crucial for reporting major incidents that could threaten the operational stability of the financial sector. The mandatory reporting ensures that incidents with potentially significant effects are promptly communicated to supervisory authorities, enabling swift corrective actions and warnings to the broader sector.

3. Digital operational resilience testing.

DORA introduces strict requirements for testing digital operational resilience. Financial institutions must regularly test their systems and applications under comprehensive testing plans. These include penetration testing, network security assessments, and simulations of real-world threat scenarios. Identifying vulnerabilities in this way is crucial for mitigating risks. For example, penetration tests can reveal system flaws exposed to external attacks, while assessments of open-source tools evaluate their effectiveness and the risks they introduce. Institutions must conduct these tests at least once a year to ensure that their security measures remain adequate and effective.

4. Managing risks from external ICT service providers.

DORA obliges financial institutions to manage risks associated with external ICT service providers effectively. This involves evaluating vendors for reliability, security measures, and potential risks their services may pose. The process includes pre-engagement risk assessments and continuous monitoring of service quality and security. Institutions must also develop exit plans and transition strategies to ensure operational continuity in case a vendor needs to be replaced, minimizing the risk of downtime or data loss. Additionally, institutions are required to identify critical providers on which their operations depend, enabling better protection against outsourcing-related threats.

5. Information sharing.

DORA promotes collaboration among financial institutions to share knowledge about cyber threats and mitigation strategies. Organizations should exchange information on emerging threats, security breaches, and defense techniques, including methods, procedures, and tools used to address these risks. The goal is to build collective knowledge that enhances the security of the entire financial sector and facilitates faster responses to new threats. This information sharing also includes warnings and signals about potential vulnerabilities, allowing institutions to keep their security strategies up to date.

All of these areas aim to create a comprehensive digital security management system that will allow financial institutions to respond quickly to any threats and secure both data and financial operations from disruption.

How to comply with DORA and avoid financial penalties?

Achieving compliance with the Digital Operational Resilience Act (DORA) requires financial institutions to undertake a range of organizational and technological actions. Below are the steps to consider:

1. Conduct an audit of current systems and procedures.

Institutions should thoroughly analyze their existing systems, applications, and procedures to identify areas for improvement. An audit helps uncover existing gaps and risks that could compromise digital resilience.

2. Develop digital risk management policies.

After completing the audit and determining implementation readiness, the organization should establish detailed risk management policies and procedures. These policies must cover all operational aspects and be tailored to the specific needs of the financial institution.

3. Implement incident monitoring and reporting mechanisms.

Effective monitoring is a critical component of DORA compliance. Deploying incident monitoring systems enables institutions to quickly detect and respond to threats.

4. Establish a framework for assessing incident impact on IT and the organization.

A methodology for evaluating the impact of incidents on IT infrastructure and broader operations must be established. Understanding the potential consequences of various types of incidents will aid in developing effective crisis management strategies.
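As an added illustration of the incident classification that pillar 2 and step 4 describe (example code written for this article, not code from the page, from DORA itself, or from Linux Polska): the criterion names follow DORA Article 18(1), while the numeric thresholds and the rule that combines them are assumptions chosen for the example, not the values in the official technical standards.

```python
from dataclasses import dataclass

# Criterion names follow DORA Article 18(1). The thresholds below and the
# combination rule in is_major() are constructed assumptions for this
# example, not the values from the DORA technical standards.
CLIENTS_AFFECTED_SHARE = 0.10     # share of the client base affected
CLIENTS_AFFECTED_COUNT = 100_000  # absolute number of clients affected
DURATION_HOURS = 24
GEOGRAPHIC_SPREAD_STATES = 2      # EU member states affected
ECONOMIC_IMPACT_EUR = 100_000

@dataclass
class Incident:
    clients_affected: int
    total_clients: int
    duration_hours: float
    member_states_affected: int
    data_lost: bool
    critical_service_affected: bool
    economic_impact_eur: float

def criteria_met(inc: Incident) -> dict[str, bool]:
    """Evaluate each Article 18(1) criterion against the assumed thresholds."""
    share = inc.clients_affected / inc.total_clients if inc.total_clients else 0.0
    return {
        "clients": share >= CLIENTS_AFFECTED_SHARE or inc.clients_affected >= CLIENTS_AFFECTED_COUNT,
        "duration": inc.duration_hours >= DURATION_HOURS,
        "geographic_spread": inc.member_states_affected >= GEOGRAPHIC_SPREAD_STATES,
        "data_losses": inc.data_lost,
        "critical_services": inc.critical_service_affected,
        "economic_impact": inc.economic_impact_eur >= ECONOMIC_IMPACT_EUR,
    }

def is_major(inc: Incident) -> bool:
    """Assumed rule: major when a critical service is hit and at least two other criteria apply."""
    met = criteria_met(inc)
    others = sum(v for k, v in met.items() if k != "critical_services")
    return met["critical_services"] and others >= 2

def classify(inc: Incident) -> str:
    """Map the decision to the action the incident process must take."""
    return "major (report to supervisor)" if is_major(inc) else "non-major (record internally)"

# Constructed sample incidents: a long outage hitting many clients, and a brief glitch.
OUTAGE = Incident(clients_affected=250_000, total_clients=2_000_000, duration_hours=30,
                  member_states_affected=1, data_lost=False, critical_service_affected=True,
                  economic_impact_eur=40_000)
GLITCH = Incident(clients_affected=300, total_clients=2_000_000, duration_hours=2,
                  member_states_affected=1, data_lost=False, critical_service_affected=True,
                  economic_impact_eur=0)

if __name__ == "__main__":
    for name, inc in (("outage", OUTAGE), ("glitch", GLITCH)):
        print(name, classify(inc), criteria_met(inc))
```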

5. Define policies for information access.

Financial institutions should create access control policies that specify levels of permissions and employee responsibilities. These policies are designed to limit access to sensitive information strictly to individuals who require it, enhancing overall data security.

6. Train employees in cybersecurity practices.

Staff should be adequately trained in digital security and incident management. These training sessions help employees understand the procedures to follow and how to respond effectively in the event of a threat.

7. Manage supply chain risks.

Organizations must have robust procedures to manage risks associated with service providers, particularly those that play a critical role in maintaining financial systems’ continuity. Monitoring and controlling collaboration with external ICT providers is essential to ensure they comply with DORA requirements.

Meeting the above requirements is achievable through proper planning and support from professional firms specializing in consulting and implementing DORA-compliant procedures.

Consequences of failing to implement procedures – penalties for non-compliance with DORA

Any entity obligated to comply with the provisions of the DORA Regulation should be aware of the consequences of failing to implement the required procedures – both in terms of their complete absence and late implementation. The DORA Regulation grants the Financial Supervisory Authority the power to impose financial penalties, the amount of which depends on the nature of the violation, its impact on the institution, and the broader financial sector.

Furthermore, the financial market supervisor can impose a penalty of up to 1% of the average daily global turnover on external ICT service providers for each day of non-compliance with DORA regulations.

The regulation also allows member states to decide whether they wish to waive administrative penalties for violations subject to criminal sanctions according to their own internal policies.

Tools supporting DORA compliance – what to consider?

Managing digital risk and complying with DORA requirements is a challenge that requires the use of advanced technological tools. There are solutions available on the market that can assist financial institutions in achieving compliance with DORA regulations. These include:

1. Incident monitoring platforms.

These tools enable real-time tracking and analysis of incidents, allowing for immediate detection of threats and prompt action. Examples of this type of system are SIEM (Security Information and Event Management) solutions, which aggregate data from various sources, analyze it, and generate security alerts.

2. Risk management systems.

These are platforms that allow for the identification, analysis, and monitoring of operational risk. They implement risk assessment tools, data visualization, and report generation, which facilitate decision-making based on collected data and predicting potential threats. An example of such a platform is SourceMation.

3. Digital resilience testing software.

Regular digital resilience tests are critical for maintaining compliance with DORA. Tools dedicated to this purpose allow for attack simulations and testing IT infrastructure for various emergency scenarios.

4. Reporting systems.

Automated reporting systems facilitate the creation of reports needed for regulatory compliance. This allows financial institutions to quickly and efficiently report incidents to the appropriate supervisory authorities and generate the required reports on the actions taken in risk management.

An example of a tool that helps meet the requirements of the regulation is DORIAN (Digital Operational Resilience Investigation and Analysis). The software supports the ongoing assessment of ICT-related risks. It automatically retrieves system data on events and then identifies risk incidents. Based on configurable parameters, it allows for the evaluation of overall operational risk. In the case of significant incidents, it sends notifications with recommendations for corrective actions. DORIAN offers a customizable user interface that provides complete and quick access to key information related to risk assessment.

Implementing DORA requirements with Linux Polska – how can we help you?

Adapting to the DORA regulation requires not only the implementation of appropriate procedures and tools but also specialized knowledge and experience in operational risk management. Linux Polska is here to assist, offering support in achieving compliance with DORA. We provide comprehensive solutions and services tailored to the needs of the financial sector:

  • initial assessment and readiness audit;
  • development of digital operational resilience foundations;
  • preparation of an ICT risk management system;
  • implementation of an information protection policy;
  • creation of disruption response plans and recovery procedures;
  • implementation of an incident response system;
  • cyber threat identification and management procedures;
  • establishment of reporting and communication processes;
  • development of a digital resilience testing program;
  • audit of contracts with external ICT service providers;
  • adjustment of contracts with ICT service providers;
  • support for open-source components not covered by technical support;
  • employee training;
  • final compliance assessment and ongoing maintenance support.

Proper preparation of the organization and the implementation of the best standards and procedures help avoid severe financial penalties.

Learn more: https://linuxpolska.com/en/solutions/supporting-in-meeting-the-dora-requirements/.

In conclusion – why is it worth seeking professional support to meet the requirements of the DORA regulation?

The introduction of the DORA regulation is a groundbreaking step in enhancing the digital protection of the financial sector. This regulation not only sets the standards for operational risk management but also impacts the way financial institutions operate and collaborate with service providers.

However, complying with the DORA requirements can be challenging, especially for institutions that are just beginning the process of managing operational risks. That’s why it is beneficial to seek support from professionals who can assist in meeting the regulatory requirements – from consulting to the implementation of necessary tools.

Our proprietary system, DORIAN, and dedicated services help financial institutions achieve full compliance with DORA by providing tools, knowledge, and resources that facilitate risk management and incident monitoring. This allows organizations to relieve their IT teams and focus on their core business, knowing that their digital infrastructure is secure and compliant with regulatory requirements.