Digital Operational Resilience Act
DORA: What Is Next?
Background on DORA
For a financial entity, dealing with wide-ranging laws and regulations is now standard practice. In recent years a significant addition to these regulatory requirements has been in the field of information security. The latest legislation affecting most financial entities within the EU/EEA is the Digital Operational Resilience Act (DORA). On December 27, 2022, the finalised text of DORA (the level 1 legislation)[1] was published in the Official Journal of the European Union. From January 17, 2025, the regulation applies and is binding in its entirety in all EU Member States. The national competent authorities that supervise financial entities may impose substantial administrative penalties for non-compliance, while critical ICT third-party service providers are overseen by Lead Overseers (see below). Hence, it is imperative for financial institutions to study these regulations to ensure compliance and avoid penalties.
DORA comprises a series of measures aimed at strengthening the digital operational resilience of most entities within the financial markets, ranging from banks and investment funds to fund management companies, crypto-asset service providers, insurance companies and trading platforms. The regulation requires financial entities to follow rules on protection against, detection and containment of, and recovery and remediation from ICT-related incidents. It specifically targets ICT risk and establishes requirements for ICT risk management, incident classification and reporting, digital operational resilience testing, and the monitoring of ICT third-party risk. The act is in line with the Commission's overarching priorities of preparing Europe for the digital era and building an economy that is resilient and adaptable to future challenges, ultimately serving the needs of its citizens.
Regulatory and Implementing Technical Standards
In addition to the level 1 legislation, which is the foundational legal text, several further documents set out more specific requirements. These take the form of Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs), collectively referred to as 'level 2 legislation'. The Technical Standards are released in separate batches; the first batch was published on January 17, 2024. The second batch is in public consultation until March 4, 2024, with the final versions expected by the summer of 2024 (no later than July 17). Financial entities must comply with the level 2 legislation by January 17, 2025, which leaves an implementation period of only about six months after the last Technical Standards are published.
The level 2 legislation released so far adds specific requirements that complement the level 1 text of DORA. It mainly covers the harmonisation of ICT risk management tools, methods, processes and policies; the simplified ICT risk management framework; the classification of ICT-related incidents and cyber threats; the policy on ICT services supporting critical or important functions provided by ICT third-party service providers; and the register of information on contractual arrangements with ICT third-party service providers.
Organisations in scope of DORA
The legislation applies to all authorised companies and institutions that offer financial services in the EU; the types of entities in scope are enumerated in Article 2 of the regulation. Besides entities operating directly in the sector, DORA also reaches entities that are normally outside the perimeter of financial regulation: ICT third-party service providers. They too are affected: contractual requirements flow down to all ICT third-party service providers, and those designated as critical are placed under direct oversight by a Lead Overseer.
Despite its broad scope and extensive requirements, DORA gives financial entities flexibility to decide how to fulfil the various requirements proportionately, based on their risk profile and the criticality of their services and operations. In addition, certain types of entities are granted specific exemptions in the legislation based on factors such as size, assets under management and other considerations. For example, the most advanced testing requirements (threat-led penetration testing) will apply only to the financial entities that their competent authority identifies as the largest and most significant.
What is the impact on your organisation?
DORA, together with its RTSs and ITSs, comprises a wide range of requirements. Depending on your organisation's size, complexity and information security maturity, implementing them can take significant effort, time and resources. One thing is certain: however well prepared your organisation is, DORA introduces several new requirements that you are unlikely to have in place yet. The key areas where your organisation will need to implement (additional) measures are:
- ICT risk management: emphasis on governance structure, risk management framework, systems, protocols, and tools, as well as asset management and classification, protection, prevention, and detection procedures, response and recovery protocols, backups and restoration mechanisms, continuous learning and evolution, and effective communication strategies.
- Incident management: emphasis on management processes, incident classification methodologies, and the specific requirements for reporting major ICT-related incidents in a timely and accurate manner to the competent authorities.
- Testing: emphasis on performance evaluation, the testing of ICT tools and systems, the frequency of testing activities and, notably, advanced testing methodologies such as Threat-Led Penetration Testing (TLPT).
- ICT third-party risk management: emphasis on sound general principles, conducting thorough due diligence, and ensuring that contractual agreements encompass all necessary provisions to mitigate risks effectively.
Who Is Responsible?
The financial entity's management body. Its members may be held personally liable if the entity fails to comply. Board members, executive leaders and other senior managers must define suitable ICT risk management strategies, take an active part in their execution and keep their understanding of the ICT risk landscape current. As for ICT providers: under DORA, a Lead Overseer can impose periodic penalty payments on a critical ICT third-party service provider of up to 1 percent of the provider's average daily worldwide turnover in the preceding business year, charged daily for up to six months until the provider complies.
Where Do You Start?
You need to know your current level of compliance with the Regulation. If you struggle to assess it, we can help. Even though not all level 2 documents (RTSs and ITSs) have been released, it is important to start addressing possible gaps now. De Nederlandsche Bank (DNB) emphasises this too and states that a fit-gap analysis based on DORA level 1 is a prudent first step[2].
What can we do for you?
We take a hands-on approach to compliance.
Step one is determining whether you are in scope of DORA, using our DORA Gap Assessment. If you are, we assess how far your organisation already complies with DORA and identify the shortfalls, giving you insight into the measures you need to implement to become fully compliant.
We have dissected DORA, including the first batch of RTSs and ITSs, extracted all requirements applicable to your organisation and made them assessable. We have also mapped the DORA requirements onto DNB's Good Practice Informatiebeveiliging, a widely used framework in the Dutch financial sector. After assessing your current state, we deliver a detailed report that gives complete insight into your organisation's DORA compliance at article level.
Step two is our DORA Board Training. DORA requires the members of your management body to follow training on ICT risk on a regular basis. This training lets you meet that obligation.
Step three is taking the right measures to become DORA compliant. We understand better than anyone the importance of securing and protecting your organisation's systems and data. Thanks to our broad portfolio, Northwave can assist in implementing the needed measures to ensure full compliance with DORA, from implementing a risk management framework to Threat-Led Penetration Testing (TLPT). We are with you on this journey.
The form in which TLPT will be required is not yet formally defined. However, the draft RTS on TLPT, which is still in consultation, aligns TLPT with Threat Intelligence-Based Ethical Red Teaming (TIBER-EU). TIBER-EU is the European red-teaming framework published by the European Central Bank (ECB), which built on the TIBER-NL programme of the Dutch central bank (DNB). The Northwave Red Team is an experienced TIBER provider; we work in the financial sector and beyond. Using TIBER or a derived framework, we guide your organisation through the entire process from start to finish, with maximum learning from the engagement at the forefront.
You probably still have many questions about DORA. If so, reach out to us and our experts will answer them. We can help you with every step towards full compliance. Our aim is to turn your DORA obligations into business enablers for your organisation. Let's jointly make sure you are truly prepared and your business is protected in the best possible way.
[1] https://www.dnb.nl/nieuws-voor-de-sector/toezicht-2023/dora-tijd-om-uit-de-startblokken-te-komen/
[2] https://www.dnb.nl/nieuws-voor-de-sector/toezicht-2023/dora-tijd-om-uit-de-startblokken-te-komen/
We are here for you
Need help getting your organisation ready for DORA, or wondering how far along your business currently is?
Get in touch and we will guide you with your next steps.