By 17 January 2025 financial entities in the EU and their ICT service providers are expected to be fully compliant with DORA. Are you ready? In this article, Katherine Kearns, Head of Proactive Cyber Services UK & Europe, outlines the key cyber security requirements of the DORA regulation and explores the key steps organisations should take to prepare.
Background
DORA (the Digital Operational Resilience Act) is an EU-wide oversight framework for financial services institutions and their critical ICT third-party service providers, designed to ensure that the financial sector in Europe can stay resilient through a severe operational disruption. DORA places a set of rules on financial services institutions covering ICT risk management, incident reporting, resilience testing and third-party risk monitoring, which apply from 17 January 2025 following a two-year implementation period. 2024 is therefore the year in which organisations in scope are expected to have accelerated their preparation for the DORA requirements.
DORA is expected to apply to more than 20,000 financial entities and ICT service providers operating within the EU, as well as to the ICT infrastructure supporting them from outside the EU. The coverage is very wide: credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, insurance companies, crypto-asset service providers, exchanges and clearing houses, alternative investment fund managers, pension funds and credit rating agencies, among others, all fall within scope of the new regulation.
Notably, DORA also applies to some entities typically excluded from financial regulations. For example, third-party service providers that supply financial firms with ICT systems and services — like cloud service providers and data centres — must follow DORA requirements. DORA also covers firms that provide critical third-party information services, such as credit rating services and data analytics providers.
While DORA has not been adopted by the UK, it will be relevant to many UK-based entities (financial firms and ICT providers) that offer services in the EU.
Focus areas of DORA
DORA is organised around five core pillars, each addressing a domain of ICT and cyber security, which together form a comprehensive digital resilience framework for the entities in scope:
- ICT risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk
- Information-sharing arrangements on cyber threat information and intelligence
What does this mean for organisations implementing DORA requirements?
By 17 January 2025 organisations in scope will need to align with the Regulatory Technical Standards (RTS) supplementing DORA and implement:
- A robust ICT risk management framework that ensures the impact of ICT risk is understood, that all sources of risk are continuously identified and effectively managed, and that the risk management process itself improves continuously.
- Comprehensive disaster recovery, business continuity and incident response strategies that are well communicated and tested.
- An effective ICT third-party risk management programme that monitors the risks arising from ICT third parties and their compliance with contractual obligations.
- A cyber security training and awareness programme for staff and leadership.
- A Threat-led Penetration Testing (TLPT) programme, for organisations within scope of TLPT, that red teams the areas of highest threat exposure based on a clear view of the top cyber threats.
The good news is that these requirements are not new. DORA has aggregated and prioritised many of the cyber security practices that financial entities in Europe have already been working towards. In building out their DORA compliance programmes, organisations can leverage the security frameworks with which they are already aligned, such as ISO 27001 or the NIST Cybersecurity Framework, and build on established practices to streamline compliance efforts and avoid duplication.
Key steps to prepare
So where should organisations start on their journey to compliance?
While the compliance requirements mandated by DORA are broad and complex, there are a number of core steps an organisation can take to set out its path to compliance:
- Conduct a gap analysis: identify weaknesses against the security requirements mandated by DORA and the supporting Regulatory Technical Standards (RTS), and establish an implementation and governance programme to prioritise and address those weaknesses;
- Educate the management team on their responsibilities under DORA and adopt a top-down approach to compliance. The management team must demonstrate accountability for security and must be involved in the management of cyber security risk;
- Establish comprehensive operational resilience documentation and test your incident preparedness and recovery with key business and IT stakeholders;
- Be prepared to classify cyber threats and ICT-related incidents in line with the criteria and materiality thresholds set out in the RTS, and establish the mechanisms and responsibilities needed to report major incidents to the competent authorities within 24 hours of becoming aware of them (the initial notification, which is followed by intermediate and final reports under the same standards);
- Identify the ICT third parties supporting critical and important functions within the organisation, and update the contracts with them to include obligations around information security and risk management as well as rights of inspection, access to information and secure exit strategies.
Conclusion
DORA is likely to be a significant step forward in harmonising the cyber security requirements applied across the EU financial sector and in strengthening the operational resilience of that sector and of the critical ICT providers that support it. The regulation presents an opportunity for organisations operating in the financial sector in the EU, and for their ICT third parties, to establish robust ICT risk management processes and to raise the maturity of their response and recovery capabilities, limiting the disruption caused by cyber security events and reducing the likelihood of large-scale cyber crises affecting this critical sector. By proactively addressing the DORA requirements and sharing information with the competent authorities, organisations will be well positioned to detect cyber threats, limit the impact of cyber incidents and prepare for the oversight and enforcement actions of the competent authorities.
We help organisations across critical national infrastructure sectors to build out their cyber resilience capabilities. Reach out to us to discuss how to prepare for the DORA regulation and to improve your cyber resilience.