The 5 Fundamental Pillars of the Digital Operational Resilience Act (DORA)

Nowadays, financial organizations rely heavily on information and communication technology (ICT) to support remote operations. While ICT enhances operational efficiency and customer experience, it significantly increases cybersecurity risks in the financial sector.

To mitigate cybersecurity risks related to ICT, the European Union (EU) has developed a specific regulation: the Digital Operational Resilience Act. In this article, we’ll review its five fundamental principles and how they can help your financial institution strengthen its IT security.

What is DORA and its purpose?

The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January 2023. DORA establishes requirements for financial organizations to fortify resilience against ICT-related incidents.

It aims to improve digital operational resilience in the financial sector across all member states of the EU. Operational resilience is the ability of a business to endure, react to, and recover from ICT-related incidents and, thus, maintain critical operations even during disruptions.

A range of financial entities operating in the EU are obliged to meet the DORA compliance requirements to maintain a sufficient level of digital operational resilience.

Benefits of DORA Compliance

Complying with DORA will bring financial organizations tangible benefits. Here are some of them:

• Strengthened corporate security — DORA requires financial institutions to implement a comprehensive cybersecurity framework that enhances their overall security.
• Elevated protection of sensitive data — Adopting robust cybersecurity protocols and measures to comply with DORA can create a more secure environment for sensitive financial data.
• Reduced cybersecurity risks — Implementing a comprehensive cybersecurity framework and the data protection measures required by the act minimizes the chance and impact of cyber attacks.
• Boosted resilience against threats — Proactive risk management and comprehensive incident response planning enhance financial entities’ resilience against threats. Businesses that meet the requirements of DORA are able to react to security incidents promptly and recover from them swiftly.
• Streamlined experience exchange between peers — Thanks to the knowledge exchange, you can learn about current attack techniques and prevent them before they strike your organization.
• Minimized third-party risks — Introducing the processes and measures required by DORA can strengthen financial organizations’ relations with third parties and protect them against vendor-related security breaches.

Syteca is a comprehensive insider risk management software solution that streamlines your compliance efforts and brings even more security benefits to your financial institution.

Read further to learn about the current status of DORA, deadlines for compliance, and potential penalties for those failing to comply.

Current status of DORA

DORA was first proposed in 2020 and came into force in January 2023. At the moment, it is in the final stage of development; the three European Supervisory Authorities (ESAs) are fine-tuning the key details of the act. The first batch of policy products providing specific instructions on how financial entities need to comply with DORA is ready, while the second is expected by 17 July 2024.

Ultimately, financial entities in the EU covered by DORA must comply with its requirements until 17 January 2025. Also in 2025, the ESAs will begin overseeing the implementation of DORA’s requirements by financial entities and ICT third-party providers.

To ensure that financial institutions follow the DORA compliance requirements and maintain a sufficient level of digital operations resilience, the act implements a strict system of penalties for non-compliance. Thus, in 2025, the ESAs will be able to impose penalties on financial institutions that fail to comply with DORA. They can also penalize individuals who hold specific leadership or management roles with direct responsibility for DORA compliance. The size of penalties will depend on the level of violation.

Financial entities may face penalties of up to 2% of their total annual worldwide turnover or penalties of 1% of the average daily global turnover in the previous year, paid daily for up to half a year until they comply. Individuals can face a maximum penalty of €1,000,000.

Third-party ICT service providers labeled “critical” by the ESAs can face penalties of up to €5,000,000 for organizations or a maximum of €500,000 for individuals.

The ESAs can also issue cease-and-desist orders, termination notices, or public announcements and impose additional financial penalties or, in some cases, criminal liabilities.

From this DORA regulation summary, it’s clear that there are both benefits for complying with DORA and potential negative consequences for non-compliance. Let’s now look at the five key aspects behind the Digital Operational Resilience Act in greater detail.

The 5 key pillars of DORA requirements

The DORA regulation provides numerous requirements your financial organization should follow to build and maintain robust digital operation resilience.

These requirements are fundamentally centered around five core domains.

1. ICT risk management

According to DORA security requirements, you must establish a proactive ICT risk management process. It requires you to create and follow a comprehensive ICT risk management framework.

Before establishing a framework, outline your financial entity’s ICT-related security risks. Identify and classify your assets and functions from least to most critical, along with documentation of connections and dependencies between them. The act also obligates you to analyze how specific scenarios and disruptions may influence your operations and what the potential consequences may be.

It also requires you to implement information security policies that can help mitigate ICT-related risks, including identity management, access management, and incident detection and response. As well, your financial institution should deploy cybersecurity tools to enforce those policies.

Set roles and responsibilities for all ICT-related processes and ensure effective and timely communication and coordination between them.

2. ICT-related incident management

DORA cybersecurity requirements regulate how your financial institution should manage ICT-related incidents. It states that having the means and procedures to detect, analyze, classify, and report incidents is essential.

You need to be able to document early signs of an incident to enable its swift detection. Decide on who is responsible for what when handling ICT-related incidents.

Your financial entity should also establish incident response procedures to reduce the impact of incidents and maintain critical operations throughout them.

In addition, the DORA regulation introduces requirements for incident reporting. Responsible personnel in your organization should not only report major incidents to internal management, but also to the relevant EU authorities, partners, and affected customers. Therefore, you need a straightforward incident communication plan.

3. Digital operational resilience testing

Another focus area is ICT systems testing, which aims to ensure your organization’s resilience to attacks. Resilience testing helps you identify weaknesses and gaps in the ICT-related risk management process and then take on-target corrective measures.

To identify your organization’s level of operational resilience, you need to conduct a series of vulnerability and penetration tests, as well as incident response drills. These tests should be conducted by independent parties from within or outside your organization at least once a year.

When the testing is complete, classify and prioritize the issues identified during the testing process and determine how to fix them.

4. ICT third-party risk management

Third-party risk is a major theme throughout the Digital Operational Resilience Act. Since financial organizations nowadays greatly depend on third-party ICT service providers, securing cooperation with third parties is essential.

Even if you use third-party services to support your business operations, you remain responsible for your organization’s digital operational resilience and compliance with DORA requirements at all times. That’s why you need to build a third-party risk management strategy.

According to DORA, you must thoroughly assess the cybersecurity measures taken by potential service providers before signing an agreement with them. Your organization is also required to complement contractual agreements with clauses mandating third parties to implement adequate cybersecurity measures and comply with DORA standards.

Additionally, you need to establish third-party vendor monitoring procedures to check if third parties actually follow cybersecurity best practices and meet compliance.

Third-Party Vendor Monitoring with Syteca

5. Information and intelligence sharing

DORA highlights the importance of collaboration within the EU financial sector. It encourages the creation of an environment where covered financial entities can share incident intelligence and strategies to stay ahead of cyber threats.

Such an environment can help the financial industry in the EU raise awareness about ICT-related risks and limit the spread of ICT threats. However, organizations should only share information through secure means and ensure that sensitive data is appropriately protected.

Still, sharing information and intelligence with other financial entities is rather a recommendation than a mandatory requirement and is completely voluntary.

Now that we’ve learned about the key pillars of DORA, let’s find out how you can uphold them with the help of Syteca.

Meeting IT Compliance Requirements with Syteca

How Syteca can help you comply with DORA

Syteca is a full-cycle insider risk management platform that helps organizations deter, detect, and disrupt security threats within their networks. Its variety of cybersecurity features can help you enhance operational resilience and implement DORA’s five key pillars in your financial organization.

• For effective ICT risk management, Syteca provides full visibility into the activity in your network. It continuously monitors and records all user activity and can notify your security personnel whenever something seems suspicious. High-risk user sessions are marked with corresponding alert icons, so it doesn’t take long to find a session that triggered an alert, view it, and disrupt it if needed.

• For ICT-related incident management, Syteca offers a rule-based incident detection and response functionality. It provides a set of predefined rules that you can use to configure incident detection and response processes. You can also create custom rules to tailor the processes to your specific needs. Additionally, Syteca can empower you with auditing and reporting tools to simplify incident reporting to the board and EU authorities.

• When conducting digital operational resilience testing, Syteca’s online session viewing allows you to track the progress in real time and observe how users react to various test cases.

• To streamline third-party risk management, Syteca enables you to granularly manage your service providers’ access permissions and secure their remote connections to your network. As well, with Syteca’s continuous monitoring functionality, you can watch your service providers’ activity.

• To empower you to share intelligence on security incidents with peers, Syteca offers an evidence exporting function. With it, you can export and share user sessions and activity reports. The user data anonymization feature will help you respect individuals’ right to privacy and keep personal user data safe.

This is only a brief overview of Syteca’s capabilities. Download our white paper to discover a detailed summary of how Syteca can help you implement and maintain the five key pillars of DORA.

Conclusion

Financial organizations need to shift from reactive to proactive management of cybersecurity risks. And since they only have until January 2025 to implement the DORA requirements, it’s crucial for CIOs, CSOs, and CCOs of financial entities operating in the EU to prioritize compliance efforts without delay.

Syteca is a comprehensive platform that comprises various robust cybersecurity functionalities, such as identity management, two-factor authentication, access management, user activity monitoring, incident detection and response, and auditing and reporting. These capabilities can enhance your organization’s operational resilience and ensure compliance.