Understanding the core principles of DORA: A beginner’s guide
Digital operational resilience in the financial sector is the main goal of DORA. The requirements in DORA are the means to achieve this goal. These requirements cover financial entities' ICT risk management, incident handling and reporting, digital resilience testing, use of ICT third-party providers, and information sharing.
DORA requirements
- Obligation to have an overarching framework for ICT risk management.
- The entity must have resources and personnel to gather and analyze information about vulnerabilities, cyber threats, and ICT incidents.
- Obligation to evaluate major ICT incidents: causes must be analyzed, and necessary improvements in ICT operations identified.
- DORA mandates testing the entity's digital operational resilience. Preparedness for handling ICT incidents must be tested, and weaknesses, deficiencies, and deviations in digital resilience must be uncovered.
- Experiences from tests, real incidents, and more must be included in the entity's risk assessments. The ICT management must report at least annually to the board on findings and recommendations.
- DORA requires internal training for employees and assessment of technological developments.
- The entity must manage risks associated with the use of services from third-party ICT providers, including a series of assessments and investigations related to the provider before an agreement is entered into.
- All entities must have a register with an overview of the use of services from ICT providers and which of the services support critical or important functions.
- Financial entities can also exchange information and intelligence about cyber threats, as long as the goal is to improve the entities' resilience.
Key concepts in DORA
- Digital operational resilience: The ability of a financial institution to prevent, adapt to, respond to, and recover from ICT-related disruptions.
- ICT risk: The risk of disruptions or failures in information technology that can affect the operations of a financial institution.
- ICT third-party service providers: Third-party actors providing ICT services, such as cloud services or data analysis, that are critical to the operation of financial institutions.
- Threat-led penetration testing (TLPT): Test procedures designed to simulate cyberattacks on ICT systems to assess their resilience.
- Critical functions: Functions or services where a disruption can have a significant impact on financial stability or the institution's operations.
- Incident: An event that actually negatively impacts the confidentiality, integrity, or availability of an ICT system or data.
- Impact tolerance: The maximum level of disruption that a financial institution can tolerate without compromising its critical operations.
- Resilience strategy: The comprehensive approach a financial institution uses to manage and mitigate ICT risks and ensure digital operational resilience.
- Operational disruption: Any event that leads to a financial institution being unable to deliver its critical operations or services.
Entities within DORA's scope
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Reinsurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
- ICT third-party service providers
Most companies in the financial sector are covered by DORA, with some exceptions. Auditors, accountants, real estate agents, and debt collection agencies are generally not included under the regulations.
The five pillars of DORA
- ICT Risk Management: This involves establishing a solid framework to identify, assess, and manage risks related to information technology. Financial institutions must develop strategies, guidelines, and procedures to ensure they are equipped to handle potential ICT risks effectively.
- Incident Management: Companies must have a clear plan for detecting, reporting, and managing ICT incidents. This includes everything from minor operational disruptions to major cyberattacks, ensuring that the company can react quickly and effectively to minimize damage.
- Resilience Testing: Regular testing of digital systems' resilience is essential. Through penetration tests and other forms of stress testing, the company can uncover weaknesses in its systems and implement necessary improvements to ensure that the systems withstand various types of threats.
- Third-Party Risk Management: Many financial institutions rely on external providers for IT services. DORA requires that these providers be carefully assessed and that the risks associated with such third parties be managed throughout the collaboration.
- Information Sharing: Information sharing is crucial for strengthening cybersecurity. Financial institutions must collaborate with each other and with relevant authorities to share knowledge about threats, vulnerabilities, and best practices to enhance collective resilience in the sector.
A timeline for DORA compliance
The requirements arising from the five pillars are only partially described in the text above. The work will be extensive, even for smaller financial institutions.
- Gap Analysis: DORA builds on many existing regulations for the financial sector, both at the European and national levels. In a gap analysis, you compare which requirements you already meet with those defined in DORA.
- Roadmap: Create a plan for how you will close the gaps you found.
- Create the Framework: You must establish a framework for ICT risk, as described in the first pillar. This must be anchored in the board of directors. The framework must also describe how incidents and third-party risks will be handled.
- Implementation: Implement the necessary technology, processes, and training to meet all the requirements. Then begin resilience testing before establishing routines for information sharing.
- Continuous compliance: The first four pieces must be in place by January 2025. After that, it will be about adhering to your own framework, including testing, incident management, and evaluation of external providers.