The five pillars of DORA
Managing ICT risk, handling incidents, testing resilience, overseeing third-party providers and sharing threat information are the five pillars of DORA. The first four ensure that financial institutions can detect, respond to and recover from disruptions, while information sharing strengthens their collective defence against cyber threats. Understanding and implementing these pillars is the basis for building robust digital operational resilience.
1. ICT risk management
Financial institutions must have an overarching framework for managing and controlling ICT risk. The framework must be established, approved, and monitored by the board. This responsibility includes establishing guidelines, defining roles and responsibilities, setting risk tolerance levels, approving various plans, allocating an appropriate budget, and regularly reviewing guidelines for the use of ICT providers.
The key requirements are that the financial institution must:
- Have a function that monitors the arrangements concluded with ICT providers, or appoint a member of senior management responsible for overseeing the related risk exposure and the relevant documentation.
- Identify, classify, and document ICT-related functions and dependencies, and continuously identify all sources of ICT risk.
- Continuously monitor the security and functionality of ICT systems and have appropriate security tools, guidelines, and procedures in place to protect the systems and respond with necessary actions.
- Have mechanisms for the rapid detection of abnormal activity, including performance issues and ICT incidents, as well as identifying significant "single points of failure."
- Have a comprehensive ICT business continuity policy and, in line with it, appropriate and well-documented arrangements, plans, procedures and mechanisms.
- Maintain and regularly test continuity plans for ICT operations, especially for critical or important functions outsourced to ICT providers.
- Have guidelines, procedures, and methods for the recovery of ICT systems and data after an incident.
- Have resources and employees to gather information about vulnerabilities, cyber threats, and ICT incidents, and analyze how they can affect the company's digital operational resilience.
- Evaluate major ICT incidents by analysing their causes and identifying the improvements needed in ICT operations or continuity plans, and, on request from the supervisory authority, report the changes that have been implemented.
- Have plans for crisis communication, both internally and externally, with routines for how communication should take place.
2. Incident management
DORA sets requirements for handling, classifying, and reporting ICT incidents. These include that the company must:
- Establish a process for detecting, managing, and reporting ICT incidents.
- Record all ICT incidents and significant cyber threats.
- Have procedures for monitoring, handling, and follow-up, so that the root cause is identified, documented, and handled to prevent recurrence.
- Have early warning indicators, communication plans, and measures to mitigate impacts and ensure rapid recovery.
- Classify incidents based on factors such as the number of affected customers, duration, data loss, the criticality of affected services, and economic consequences.
- Report all major ICT incidents to the supervisory authority. A major incident is one with a high adverse impact on the network and information systems that support the company's critical or important functions.
3. Resilience testing
DORA sets requirements for testing digital operational resilience in companies. The tests must be conducted by independent parties, either internal or external. The requirements include that financial institutions must:
- Have a comprehensive program for risk-based tests as part of the ICT risk management framework.
- Assess readiness for handling ICT incidents and identify weaknesses, deficiencies, and deviations in digital resilience, as well as provide a basis for quickly implementing improvement measures.
- Have procedures and routines for prioritizing, classifying, and addressing identified faults, as well as methods for internal validation to ensure that all identified weaknesses, deficiencies, and deviations are followed up.
- Test ICT systems and applications that support critical or important functions at least once a year. The supervisory authority identifies which companies must carry out advanced testing in the form of threat-led penetration testing (TLPT); those companies must conduct TLPT at least every three years.
4. Third-party risk management
The regulation includes specific rules on vendor management, in the form of requirements for companies' handling of risks associated with using services from third parties.
Before a company enters into an agreement with an ICT provider, it must have conducted a series of assessments and investigations related to the provider, and agreements can only be entered into with providers that adhere to appropriate information security standards.
DORA sets requirements for the design of agreements with ICT providers, including complete descriptions of services, service quality requirements, cooperation with the supervisory authority, monitoring, termination, and reporting requirements.
The company must:
- Have a strategy for vendor risk.
- Maintain a register with an overview of the use of services from ICT providers and which of the services support critical or important functions.
- Make the register available to the supervisory authority upon request.
- Report at least annually to the supervisory authority on new agreements entered into, and inform it in a timely manner of planned agreements on ICT services that will support critical or important functions, as well as of any function that has become critical or important.
- Exercise access, inspection and audit rights at the provider on a risk-based basis, with the frequency of audits and inspections, and the areas to be audited, defined in advance.
- Before the agreement is entered into, assess ICT concentration risk: whether the provider would be difficult to substitute, and whether several agreements supporting critical or important functions would be concentrated with the same provider or closely connected providers.
- Conduct a cost-benefit analysis of alternative solutions, such as the use of other providers.
- Assess the insolvency law that would apply if the provider went bankrupt, including any constraints this would place on recovering the company's data, and the data protection rules the provider is subject to.
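Two of the obligations above can be checked mechanically from the register of ICT services: the identification of single points of failure in the dependency map (pillar 1) and the concentration assessment before a new agreement is signed (pillar 4). The following is an added example, not code from the original page or from any DORA text or regulator. It models a constructed register in which each service has a contracted provider and optional subcontractors, maps critical functions to the alternative service sets that can carry them, and reports providers with no fallback and providers carrying a large share of critical functions. The register fields, the function-to-service mapping, the sample data and the 50% concentration threshold are all assumptions made for the example.

```python
"""Dependency and concentration analysis over a register of ICT services.

Added example, not part of DORA or of the original page. The register layout
(service id, provider, subcontractor chain) and the function-to-service
mapping are assumptions chosen to illustrate the analysis; all data below is
constructed, not taken from any real institution.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Service:
    """One contracted ICT service as it would appear in the register."""
    service_id: str
    provider: str
    subcontractors: Tuple[str, ...] = ()  # assumed: nth-party providers the service runs on


@dataclass(frozen=True)
class Function:
    """A business function and the alternative service sets that can carry it.

    Each entry in `paths` is a set of services that, together, keep the
    function running. The function is down only when every path is down.
    """
    name: str
    critical: bool
    paths: Tuple[FrozenSet[str], ...]


# Constructed register: the DR payment rail sits at a second cloud provider, but
# both rails use the same colocation subcontractor, and every function logs in
# through one identity provider.
REGISTER: Dict[str, Service] = {s.service_id: s for s in (
    Service("S-PAY-CORE", "CloudA", ("DCHost",)),
    Service("S-PAY-DR", "CloudB", ("DCHost",)),
    Service("S-AUTH", "IdP-Co"),
    Service("S-KYC", "KycVendor"),
    Service("S-CORE-BANK", "CloudA"),
    Service("S-REPORTING", "CloudA"),
)}

FUNCTIONS: Tuple[Function, ...] = (
    Function("Payments", True, (frozenset({"S-PAY-CORE", "S-AUTH"}),
                                frozenset({"S-PAY-DR", "S-AUTH"}))),
    Function("Customer onboarding", True, (frozenset({"S-KYC", "S-AUTH"}),)),
    Function("Core banking", True, (frozenset({"S-CORE-BANK", "S-AUTH"}),)),
    Function("Regulatory reporting", False, (frozenset({"S-REPORTING"}),)),
)


def providers_of(path: FrozenSet[str], register: Dict[str, Service]) -> Set[str]:
    """Every provider whose failure takes the path down: the contracted
    provider of each service plus its subcontractors."""
    out: Set[str] = set()
    for service_id in path:
        service = register[service_id]
        out.add(service.provider)
        out.update(service.subcontractors)
    return out


def single_points_of_failure(functions: Sequence[Function],
                             register: Dict[str, Service]) -> Dict[str, List[str]]:
    """Map each critical function to the providers present in all of its
    paths, i.e. providers with no fallback. Subcontractors count, which is how
    a 'redundant' DR setup that shares one data-centre operator is caught."""
    result: Dict[str, List[str]] = {}
    for fn in functions:
        if not fn.critical:
            continue
        per_path = [providers_of(p, register) for p in fn.paths]
        common = set.intersection(*per_path) if per_path else set()
        if common:
            result[fn.name] = sorted(common)
    return result


def concentration(functions: Sequence[Function],
                  register: Dict[str, Service]) -> Dict[str, float]:
    """Share of critical functions that depend on each provider in any path."""
    critical = [fn for fn in functions if fn.critical]
    counts: Dict[str, int] = defaultdict(int)
    for fn in critical:
        touched: Set[str] = set()
        for path in fn.paths:
            touched |= providers_of(path, register)
        for provider in touched:
            counts[provider] += 1
    return {p: n / len(critical) for p, n in counts.items()}


def concentrated_providers(functions: Sequence[Function],
                           register: Dict[str, Service],
                           threshold: float = 0.5) -> List[str]:
    """Providers carrying at least `threshold` of the critical functions.
    The 50% threshold is an assumption for the example, not a DORA figure."""
    shares = concentration(functions, register)
    return sorted(p for p, share in shares.items() if share >= threshold)


if __name__ == "__main__":
    for name, providers in single_points_of_failure(FUNCTIONS, REGISTER).items():
        print(f"{name}: no fallback for {', '.join(providers)}")
    for provider in concentrated_providers(FUNCTIONS, REGISTER):
        share = concentration(FUNCTIONS, REGISTER)[provider]
        print(f"{provider}: supports {share:.0%} of critical functions")
```

On the constructed data, the payments function looks redundant at the level of contracted providers (CloudA and CloudB), but the analysis reports the shared subcontractor DCHost and the single identity provider as points with no fallback, and flags IdP-Co and CloudA as concentrated. The same pattern applies to a real register once the subcontractor chain is recorded per service.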
5. Information sharing
DORA has provisions that allow financial institutions to exchange information and intelligence about cyber threats. Certain conditions must be met:
- The exchange must aim to improve the companies' resilience, particularly by increasing awareness of cyber threats, limiting or preventing the spread of threats, and supporting defense capacity, detection techniques, mitigation strategies, or response and recovery phases.
- The exchange must take place within a trusted community of financial institutions.
- The exchange must be conducted within arrangements that protect potentially sensitive information and are covered by rules on business confidentiality, data protection, and competition policy guidelines.
- Such information exchange arrangements must have provisions on participation by financial institutions and possibly also by authorities and third-party ICT providers. Companies must inform the supervisory authority about their participation in such arrangements.