The Digital Operational Resilience Act (DORA) is a regulation of the European Union to strengthen the digital operational resilience of financial institutions. It aims to ensure that financial entities can withstand and recover from all types of ICT-related disruptions and threats. DORA introduces stringent requirements for risk management, cybersecurity controls, incident reporting, and resilience testing, and it establishes a framework for oversight and enforcement by competent authorities. By harmonizing these standards across the EU, DORA seeks to enhance the stability and security of the financial sector, protect consumers, and maintain market integrity in an increasingly digitalized landscape. DORA is set to come into effect on January 17, 2025.
Key DORA Objectives
As per official statements from the EU site, “DORA aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption”. This means that DORA requires financial institutions to achieve a desired level of “digital resiliency”, meaning they can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
At the same time, by creating a unified framework, DORA seeks to reduce regulatory fragmentation and create a harmonised approach across the EU. As of today, each Member State sets its own regulations or recommendations for banks and other financial sector segments, resulting in differences between the states.
Ultimately, DORA's goal is to strengthen the protection of consumers and maintain the stability and integrity of the financial system.
DORA Requirements
DORA sets out a long list of requirements in the areas of risk management, information security, business continuity, incident response, and third-party ICT supplier management, all backed by extensive documentation and procedures, as well as regular reviews and resilience testing.
The requirements are similar to well-known IT security frameworks such as the ISO 27x series; however, DORA does not refer to them directly and sets its own standards.
The key articles of DORA are:
- Governance and organisation (Art. 5)
- ICT risk management framework (Art. 6)
- ICT systems, protocols and tools (Art. 7)
- Identification (Art. 8)
- Protection and prevention (Art. 9)
- Detection (Art. 10)
- Continuity, backup and recovery (Art. 11, 12)
- Learning and evolving (Art. 13)
- Communication (Art. 14)
Furthermore, the Regulation is accompanied by related Delegated Acts (RTS and ITS) that specify the requirements in detail and provide guidance on how to comply.
The practical outcome of DORA is the need to create and maintain an extensive set of documentation, as well as to introduce security controls such as strong authentication, identity management, and automated tools for monitoring and detecting anomalous activities.
Documentation
DORA requires financial entities to introduce a number of documents, such as strategies, policies, plans, procedures and documentation of the ICT environment.
The full set comprises almost 80 documents from various categories, to name just some of them:
- Information Security System documentation
- Business Continuity Strategies and Plans
- Risk Management documentation
- Business Impact Assessment
- Incident Management policies and procedures
- Identity Management and Access Control policies and procedures
- Digital Resilience testing plans and reports
- Register of all ICT Third-Party providers
- ICT Third-Party providers exit strategies and plans
- Register of all business functions, information and ICT assets, with their classifications
- Procedures for ICT management, security, project management and many others
Preparing for DORA Compliance
To achieve DORA compliance, financial entities and relevant stakeholders must undertake several key steps. Preparation involves understanding the requirements, implementing the necessary changes, and continuously monitoring and improving operational resilience measures.
The first necessary step of a DORA compliance project is to define the compliance gap. Therefore, implementation projects usually start with an audit (sometimes called a ‘Zero Audit’) to analyse and compare the current state of the financial entity against all the detailed requirements of DORA. The result is a Compliance Report presenting the compliance level in all aspects and indicating gaps, such as missing documents or document contents, processes, procedures, tools and security controls.
Another essential action is to make a full inventory of the ICT environment, as required by DORA. This comprises:
- creation of a registry of all company functions and processes
- creation of a registry of all ICT assets such as systems, applications and network elements, as well as information assets
- creation of a registry of all agreements with external ICT providers
- defining internal classification methodology for functions, ICT assets and information
- performing the classification process for all of the above items to understand their importance
The above process is called ‘identification’, and its outcome is used to determine which elements of the ICT environment are critical to the financial entity's business, security and risk management. As a consequence, for all assets classified as ‘critical or important’ (in DORA's terminology) the entity must introduce stronger protection measures, while for the rest ‘basic’ ones suffice.
DORA and Cybersecurity Controls
DORA also mandates the use of ‘protocols and tools’, as well as ‘automated solutions’, in the area of cybersecurity to strengthen the security posture and mitigate information security risks. The choice of specific IT security solutions is essentially the result of a risk assessment; however, explicitly or implicitly (at least for larger entities), DORA mandates implementation of the following security solutions:
- strong authentication / Multi-Factor Authentication to secure access to administrative accounts or remote access
- identity management to control all accounts and privileges, and properly govern the access (granting and revoking the entitlements and regular reviews)
- privileged access management to protect shared or highly privileged accounts (like ‘admin’ or ‘root’)
- SIEM or log management
- tools for real-time monitoring and detection of anomalous activities
- data backup and restore solution
In particular, DORA's clauses result in more stringent requirements related to identity and access management and to the protection of applications and accounts with strong authentication in a number of cases, which especially impacts smaller players such as fintechs. To learn more, you can read the white paper “DORA and IAM – How IAM solutions help fulfil DORA requirements” or watch the webinar recording “How to comply with DORA in Identity Management”.
Who is DORA relevant for?
DORA applies to a wide range of financial entities within the European Economic Area (so not only EU Member States), encompassing not only traditional financial institutions (such as banks and credit unions) but also various other stakeholders in the financial ecosystem (fintechs). In addition, part of the requirements implicitly extend to the external ICT service suppliers and sub-suppliers of the financial entities.
It is worth noting that most of the requirements are mandatory for all financial entities, regardless of the size of the organisation. Although DORA envisages a so-called “simplified ICT risk management framework” for smaller players, they still need to fulfil most of the requirements referred to in this document.
Article 4 of DORA provides the “proportionality principle”, which means that all the provisions of DORA should be implemented taking into account an institution’s “size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations”. This means that smaller entities can use different means to comply (e.g. manual processes rather than automated IT solutions), but ultimately the requirements remain the same.
Get DORA Compliance Assistance!
The way a given financial institution implements DORA depends on its size, services, current security posture and, last but not least, the availability of internal competence to run such a project. It is therefore possible to work fully internally or to hire external experts. If you are an auditor or compliance officer, you can use automated tools (like audomate) to support your compliance analysis. The tool can search extensive documentation, provide prompt answers to audit questions and identify compliance gaps.
If you do not have your own resources, you may consider working with external experts such as Identonic, who can perform a compliance audit or assist you in your DORA preparation work.