Enacted in December 2022, DORA mandates regulations for financial sector organisations and their critical third parties. The key long-term objective of DORA is the creation of a standardised, unified, and comprehensive framework for digital operational resilience, ensuring that financial entities and third-party suppliers follow consistent rules and standards across the European Union.
Financial entities will be expected to be compliant with DORA by 17 January 2025.
Although it is an EU regulation, DORA will affect UK organisations. The Bank of England and the Financial Conduct Authority (FCA) have released discussion papers that align with DORA's requirements, signalling the likely enactment of corresponding UK regulations [1,2]. In the unlikely event that the UK deviates from DORA, any business that is intertwined with EU-based financial entities as a critical partner will still be required to comply by proxy.
We have broken down some of the most fundamental questions about DORA below.
Who will DORA impact?
DORA applies to several financial entities and crucially their third-party service providers who offer critical ICT-related services. These include:
- Banks – Including commercial banks, retail banks, and investment banks.
- Insurance Companies – Including life insurance, general insurance, and reinsurance companies.
- Investment Firms – Including brokerage firms, asset management firms, and investment advisors.
- Payment Service Providers – Including companies providing payment processing services and electronic money institutions.
- Critical Third Parties – ICT service providers offering services to financial entities, including cloud platforms, data analytics services, and other information communication technology services.
Financial entities required to comply with DORA need to develop a framework to assess third-party service providers’ ICT security measures. This means that if you are an ICT service provider with financial sector clients you should prepare to meet heightened compliance requirements by speaking to financial sector partners about their planned compliance requirements for DORA wherever possible.
What aspects of DORA are new?
Not all aspects of DORA are unique. DORA builds upon existing regulations such as the NIS 2 Directive and guidance from ENISA, so many organisations already have processes that make adherence to DORA less arduous. However, there are a number of key changes which organisations should be aware of.
There are five overarching areas worth analysing from both an internal and external perspective:
- Risk Management
- Incident Management & Reporting
- Resilience Testing
- Third-party Management
- Threat Intelligence / Information Sharing
Risk Management
Each organisation’s board of directors will be directly responsible for the establishment of an ICT risk management framework, with several responsibilities in defining, approving, overseeing, and being accountable for the framework’s implementation. Board members will also be required to undergo regular training to gain and maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.
Perhaps most importantly, organisations must establish a role or designate a member of senior management to monitor ICT third-party service providers – who are referenced repeatedly in DORA. This will include overseeing risk exposure and relevant documentation related to the use of ICT services provided by third-party service providers.
Incident Management & Reporting
Financial entities must establish and implement an ICT-related incident management process, including early warning indicators. This process should monitor, handle, and follow up on ICT-related incidents, identify root causes, and ensure consistent communication both internally and externally.
Perhaps most crucially, for major ICT-related incidents financial entities must provide an initial notification to the relevant authority no later than the end of the business day, or within 4 hours from the beginning of the next business day if the incident occurred within 2 hours of the end of the business day. Intermediate reports must also be issued within one week, and a final root cause report within a month.
This level of specificity on incident notification and reporting is a welcome introduction. However, DORA does not outline the exact methods or procedures for how financial entities should notify their clients in the event of a major ICT-related incident, which may leave partners exposed.
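The notification timings above are the kind of rule an incident response runbook has to apply under pressure, so it helps to encode them. The following is an added example, not part of the original article or any official DORA tooling: it computes the initial-notification, intermediate and final-report deadlines from an incident timestamp using exactly the timings the text states. The business day (09:00 to 17:00, Monday to Friday), the treatment of incidents outside business hours as if they fell within the final 2 hours of a business day, and the use of 7 and 30 days for "one week" and "a month" are all assumptions made for the example, since the text does not define them.

```python
from datetime import datetime, timedelta, time, date

# Assumed business day for the example; DORA's text as summarised above does
# not define it, so adjust to your entity's own definition.
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)
LATE_WINDOW = timedelta(hours=2)   # "within 2 hours of the end of the business day"
GRACE_NEXT_DAY = timedelta(hours=4)  # "within 4 hours from the beginning of the next business day"
INTERMEDIATE_AFTER = timedelta(days=7)   # assumption for "within one week"
FINAL_AFTER = timedelta(days=30)         # assumption for "within a month"


def is_business_day(d: date) -> bool:
    """Monday to Friday counts as a business day (assumption; no holiday calendar)."""
    return d.weekday() < 5


def next_business_start(dt: datetime) -> datetime:
    """Start of the first business day strictly after the date of dt."""
    d = dt.date() + timedelta(days=1)
    while not is_business_day(d):
        d += timedelta(days=1)
    return datetime.combine(d, BUSINESS_START)


def initial_notification_deadline(incident: datetime) -> datetime:
    """Deadline for the initial notification to the relevant authority.

    Same business day if the incident occurred more than 2 hours before the
    end of that day; otherwise (last 2 hours, after hours, or a non-business
    day, the latter two being an assumption of this example) 4 hours into the
    next business day.
    """
    end_of_day = datetime.combine(incident.date(), BUSINESS_END)
    if is_business_day(incident.date()) and incident <= end_of_day - LATE_WINDOW:
        return end_of_day
    return next_business_start(incident) + GRACE_NEXT_DAY


def reporting_schedule(incident: datetime) -> dict:
    """All three DORA reporting deadlines for a major ICT-related incident.

    Intermediate and final deadlines are measured from the incident time
    (assumption; the text does not state the reference point).
    """
    return {
        "initial_notification": initial_notification_deadline(incident),
        "intermediate_report": incident + INTERMEDIATE_AFTER,
        "final_root_cause_report": incident + FINAL_AFTER,
    }


if __name__ == "__main__":
    # Constructed sample incidents: mid-day, late afternoon, Friday evening, weekend.
    for sample in (datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 15, 30),
                   datetime(2024, 3, 8, 16, 0), datetime(2024, 3, 9, 11, 0)):
        sched = reporting_schedule(sample)
        print(f"incident {sample:%a %Y-%m-%d %H:%M} -> "
              f"notify by {sched['initial_notification']:%a %Y-%m-%d %H:%M}")
```

The boundary case worth noting is the last 2 hours of a business day: an incident detected at 15:30 on a Tuesday is not due by 17:00 that day but by 13:00 on Wednesday, and a Friday-afternoon incident rolls over the weekend to 13:00 on Monday. Whatever business-day definition your entity adopts, the point is that the clock for the intermediate and final reports keeps running from the incident regardless of when the initial notification goes out.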
Resilience Testing
DORA will affect testing requirements in a number of ways. Articles 21-24 of DORA cover testing, and Article 23 specifically outlines provisions for a ‘threat-led’ approach.
Threat-led penetration testing is a framework that mimics the tactics, techniques and procedures of real-life threat actors who pose a genuine cyber threat, delivering controlled, bespoke, intelligence-led testing of critical live operations. Without getting bogged down in terminology, many will recognise a threat-led approach as “Red Teaming”; however, there are many more aspects of testing, which could be termed more broadly ‘Adversarial Simulation’, that organisations may choose to explore.
Several financial sector organisations will have already adopted a threat-led approach to testing, for example those who have undergone CBEST or similar. Those who are yet to adopt such an approach should speak to their third party security testing partners about the extent to which their current engagements are ‘threat-led’.
Third-party Management
Several guidelines emphasise the responsibility of financial entities for managing ICT third-party risks, conducting more stringent due diligence, maintaining documentation, complying with high-security standards, and ensuring business continuity.
The mass exploitation of software vulnerabilities has caused several notable attacks on financial sector organisations in 2023. In May, the breach of the popular file transfer platform MOVEit crystallised the scale of the issue, as major organisations such as PwC, Aon and Deloitte, among others, were impacted, further validating the pressing need for an advanced and unified approach to supply chain management.
According to DORA, the management of third-party ICT risk should be proportional to the scale, complexity, and criticality of the ICT-related dependency. However, as with other aspects of DORA this “principle of proportionality” has created ambiguity.
A DORA technical advisory was released in September 2023 (the only additional supporting document of this nature) which further specifies the criteria for critical ICT third-party service providers (CTPPs) and the associated fees to be levied on such providers, confirming that this is one of the most contentious yet vital aspects of the legislation.
Threat Intelligence / Information Sharing
DORA allows (but does not obligate) financial entities to share cyber threat information and intelligence amongst themselves. This optional information sharing, which supports threat detection and response strategies, is not particularly notable at present. However, financial entities will need to define participation conditions, outline public authorities’ involvement, and use dedicated IT platforms as required.
What can I do to get ready?
The finer technical specifics of DORA are yet to be published.
At a minimum, affected organisations should begin to analyse their current processes for risk management, incident management & reporting, resilience testing, third-party management and threat intelligence and seek advice on strategies to strengthen where gaps exist.
It is up to each organisation to find the right partners to explore the optimum approach, not simply for compliance, but to ensure that their internal governance and external supplier management processes are refined in a way that makes their organisation more resilient to increasingly sophisticated cyber threats. Whilst it might be tempting simply to be compliant with DORA legislation, with adequate forethought it is possible to drive significant value from such an approach: it can yield cost and resource savings and help to prioritise.
Organisations can get on course to be fully prepared when DORA comes into full effect in 2025. Officially the following internal training is recommended: https://www.cyber-risk-gmbh.com/Contact.html
As mentioned, a DORA technical advisory has also been released specifying the criteria for critical ICT third-party service providers (CTPPs): https://www.digital-operational-resilience-act.com/DORA_Links.html
Key Dates: Publication: 27 December 2022. Enforcement: 17 January 2025.