Skip to main content

Preparing for DORA

The EU is seeking to enhance cybersecurity within the Financial Sector. To that end, it has been busy developing the Digital Operational Resilience Act or DORA for the better part of 2 years. Now, a provisional agreement has been reached, securing agreements that will seek to bolster the EU’s financial sector against cyberattacks. While a final agreement has not yet been reached, legislation should be passed over summer or by the end of the year.

From there, most banks will have roughly 2 years to comply – which will mean integrating numerous operational resilience compliance measures.

DORA in short

DORA is a set of proposed regulations to harmonize and standardize cybersecurity measures and regulations across the EU. This includes ICT risk management, testing, and reporting requirements with technical standards for financial services organizations to follow.

For now, numerous sector specific regulations and sector agnostic regulations (like the existing NIS directive) continue to apply. However, DORA will build on, expand, and future proof that legislation. You can read more about it here. DORA will coexist with NIS2.

What can you do to prepare for DORA now?

While DORA has reached the stage of provisional agreements, many of the technical standards have yet to be drafted. This means that while organizations technically have 2 years to comply with DORA, in practice, it will be less. The question for many financial organizations, is “Do I have to take action now”.

While we don’t yet know exactly which standards DORA will impose, you can certainly take preparatory steps to ensure you’re ready for DORA when it does arrive. That’s especially true for ICT service providers to financial entities – which will be forced to either create an EU subsidiary so that oversight can be implemented.

Maturity Assessment – It’s a good idea to conduct a maturity assessment on ICT risk management and governance practices.

Gap Assessment – DORA will introduce numerous new requirements for banks, like internal threat-led pentesting. Many banks don’t have the internal capabilities to enable this. Similarly, DORA will introduce stricter reporting requirements. E.g., you will have to report near misses and reports have to be delivered within 24 hours. You can’t achieve that without significant processes and data collection set up inside the organization to enable it. Performing a gap assessment to see what resources you need to meet those requirements can help you to have that set up by the time you have to start delivering.

Resilience Management – Do you have the people, processes, and structure in place to manage new requirements? Performing a maturity assessment on your readiness testing capability, including threat led pentesting should be a first step. In addition, resilience should be moved into security awareness training.

ICT Third-Party Management – Any financial institution outsourcing ICT must ensure that that third party can meet the requirements staged by DORA. This means that financial organizations are obligated to have contractual agreements stipulating incident and reporting timelines and that the organization can do so within the 24-hour period. Conducting an assessment of those third-party providers, existing agreements, and making changes now can ensure you will be able to comply on time – because often contractual changes can take considerable time.

DORA will most likely be signed into legislation in the coming months and for many banks that will require significant marshalling or resources and building new processes. If you start now, you’ll have more time to get everything in place before it becomes mandatory.

If you’d like to discuss your strategy or processes with ACE, get in touch. We’re happy to help.

Resources:

https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/