The EU’s Digital Operational Resilience Act – everything you need to know.

In the modern world, industries are subject to a multitude of intricate and ever-changing regulations. It’s more difficult than ever for organisations to understand and keep up with compliance requirements, investing resources in training, technology, and personnel to ensure compliance and diverting valuable time and money away from core business activities.

In January 2023, the EU published its final version of the Digital Operational Resilience Act, or DORA. Initially defined by the Basel Committee for Banking Supervision as “the ability of a bank to deliver critical operations through disruption”, DORA is a new legislation designed to address operational resilience and mitigate third-party risk for organisations operating within the financial sectors. As the first draft has now been published, financial entities – and their service providers – are expected to be compliant by Q1 of 2025.

The intention is for it to compliment existing legislation, such as GDPR, in order to strengthen the security of financial institutions in the face of growing ransomware attacks. DORA won’t directly affect UK businesses, however the UK government has hinted at that it will legislate a British equivalent of the regulations in order to support resilient outsourcing to technology providers in the financial services sector. It is more than likely that the European legislation will shape a significant part of the British equivalent.

What does DORA involve?

DORA is a set of specific requirements for organisations within the financial sectors – this includes direct third-party IT service providers – that are designed to strengthen the sector’s resilience to cyber-related incidents. Organisations that are subject to DORA will be directly supervised by a relevant financial regulator.

Based around five core pillars, DORA affects how organisations have to approach:

• ICT risk management
• Incident reporting
• Digital operational resilience
• Third party risk management
• Security requirements and information sharing.

Risk management processes help organisations to identify vulnerabilities and threats within their IT supply chains, and put controls in place to mitigate the resulting risk, whilst information sharing enables the industry to benefit from increased preparedness. Some organisations will find the risk management process the most complex – large financial firms typically have hundreds, if not thousands, of third-party IT suppliers and service providers.

Digital operational resilience requires firms to introduce comprehensive security testing, agreed with the regulator. As well as requiring a wide range of assessments, practices and tools, any third party suppliers will also need to be involved in the planning process, potentially making this an extremely complicated operation with a finite amount of time.

Organisations will now have to report data breaches within a specified window of recovery, with this requirement extended to their third-party IT suppliers through contractual obligations. This means that financial institutions will need to align their processes and channels to enable fast reporting in the event of a cyber incident.

Ransomware attacks are on the rise, and targeting large organisations

Recent research has revealed that ransomware attacks are on the rise across the first half of 2023, with their cumulative total now 90% of the entire total for 2022. Having extorted $449.1 million so far this year, ransomware attackers are now on course for their second largest year ever.

Due to its damaging and disruptive nature, ransomware poses a significant threat to the financial industry. Organisations in these sectors handle vast quantities of highly sensitive data including personal and financial information, which makes them prime targets for cyber criminals; hackers have also recently switched back to “big game hunting”, and the large revenues within the financial sector give the potential for vast ransom sums. It has never been so critical for financial organisations to have comprehensive cyber security and data protection processes firmly in place.

What are the next steps?

Given that the legislation will become active in less than two years, it’s essential that relevant organisations begin to prepare as soon as possible. The introduction of DORA only means more regulations and compliance – getting ahead of the requirements early means that firms have more time to address any gaps or shortcomings.

It’s critical that organisations within, or directly providing services to, the financial sectors in the EU begin to fortify their detection, response, and recovery capabilities. This means that these organisations need to have comprehensive cyber security and data protection solutions in place.

Sooner rather than later, financial institutions should seek to identify any gaps in their cyber resilience strategy, as well as testing for any weaknesses in their security posture in order to comply with their digital operational resilience requirements.

It won’t be long before DORA is a firm part of EU law. With the UK likely to be following suit, it’s best that firms to which this legislation may be applicable start to make preparations now. It’s important to ask yourself – could these regulations be relevant to your organisation , and if so, how are you going to prepare?

As with much of the IT and cyber security world, a proactive strategy is often the best.

Celerity's Cyber Resilience Assessment

Celerity’s Cyber Resilience Assessment is a no-cost virtual workshop that identifies the readiness of your current environment & your ability to respond to a cyber-attack. It highlights security gaps, strengths, & weaknesses against best practice requirements based on the NIST Cyber Security Framework, as well as discovering any utilisations of existing solutions, integrations, and overlaps that can be fine tuned. Leveraging IBM’s Cyber Resiliency Assessment Tool, it’s an incredibly powerful way to identify your organisation’s blind spots and recommended areas for improvement, ultimately producing a cyber security strategy that is customised to your vision and mission.

Do you know where your security gaps are, and the areas of your resilience strategy that need to be improved? If you aren't sure, Celerity can help. Read the Cyber Resilience Assessment Tool brochure here, or get in touch with us to find out how we can help.