DORA: Digital Operational Resilience Act - challenges and opportunities

Who is affected by DORA?

In contrast to XAIT, DORA is not designed to be sector-specific, but cross-sectoral. This means that the regulation affects insurance companies as well as capital management companies, banks and investment funds, etc. Specifically, this includes (scope of application Article 2 (1) DORA):

Credit institutions
Payment institutions
Account information service provider
Electronic money institutions
Investment firms
Provider of crypto services
Central securities depository
Central counterparties
Trading venues
Trade repository
Alternative investment fund manager
Management companies
Data provision services
Insurance and reinsurance companies
Insurance intermediaries, reinsurance intermediaries and insurance intermediaries in secondary employment
Company pension schemes
Rating agencies
Administrators of critical reference values
Swarm financing service provider
Securitization register
ICT service provider

What are the overarching objectives of DORA?

• Reduction of fragmentation:
  DORA aims to eliminate existing regulatory differences and create a uniform standard.
• Strengthening digital resilience:
  Establishment of stricter standards for the management of information and communication technology (ICT) as well as their development and implementation.
• Harmonization of regulations:
  Creation of a uniform regulatory framework for IT security in the financial sector that enables cross-border recognition of audit results.
• Risk management:
  Financial institutions need to implement effective risk management procedures to identify, classify and manage ICT risks.
• Incident Reporting:
  The regulation obliges financial institutions to report serious ICT incidents to the competent authorities.
• Increase transparency:
  Access to ICT incidents enables companies and authorities to better counter future threats.
• Eliminate redundancies:
  At European level, reporting obligations are simplified and redundant information is minimized.

Challenges

DORA is intended to ensure a high level of security and resilience of the financial sector in the EU and can be roughly summarized in the following four chapters:

1. ICT risk management (Art. 5-16)

Financial institutions must have a comprehensive, well-documented set of rules for ICT risk management. This includes strategies, policies, procedures, ICT protocols and tools for identifying, classifying, assessing, monitoring and mitigating ICT risks. The management body of the financial company (e.g. the management board of a bank) is responsible for the strategy and control of ICT risk management.

Requirements and need for implementation:

• Planning and provision of resources and appropriate budget
• Adjustment of the regulations once a year and after serious incidents
• Regular review through internal audits
• Ensuring the independence of risk management, controls and audits by separating functions
• Information security guideline with rules to protect the availability, authenticity, integrity and confidentiality of data
• ICT systems must always be up to date

This is how LocateRisk can provide support:

• Identification and classification of IT assets
• Carrying out the annual IT risk assessment
• Carrying out an incident-related review at any time
• Continuous monitoring of the security of IT systems

2. ICT incident reporting (Art. 17-23)

In the event of significant ICT-related incidents, rapid, comprehensive reporting is required. DORA defines precise requirements and deadlines for such reports. Companies must have processes in place for dealing with IT incidents to ensure rapid detection and resolution.

Goals:

• Ensuring rapid detection and response to IT incidents
• Fast reporting to authorities and customers/consumers
• Promoting the exchange of information on new threats

Requirements and need for implementation:

• Classification of ICT incidents according to specific criteria
• Immediate reporting of serious IT incidents to the authorities within set deadlines
• Creation of crisis communication plans

3. test of digital, operational resilience/digital resilience testing (Articles 24-27)

DORA requires financial companies to conduct comprehensive testing programs to assess their preparedness for cyber risks and to identify potential vulnerabilities.

Goals:

• Objective control of the effectiveness of IT risk management
• Initiation and verification of continuous improvement of the protective measure

Requirements and need for implementation:
The basic annual tests include:

• Vulnerability assessments and scans
• Open source analyses
• Network security assessments
• GAP analyses
• Physical security checks
• Questionnaires and scans of software solutions
• Source code checks
• Compatibility tests
• Performance tests
• End-to-end tests
• Penetration tests and more

Mandatory tests every three years:

• Threat-oriented penetration tests by qualified and reputable testers

How LocateRisk can provide support:

• Vulnerability assessments
• Performance tests
• GAP analyses
• Testing the network security

4. third party ICT risk management/management of third party ICT risks (Articles 28-44)

In addition to their own IT security, financial companies must also minimize the risks in their business relationships with external service providers. This includes a risk management strategy for third parties such as cloud service providers, software providers, data analysis services and data centers as well as providers of payment services and payment processing.

Goals:

• Reduce the risk of attacks via the supply chain
• Minimize the potential consequences of the failure of individual service providers

Requirements and need for implementation:

• Even before the contract is concluded:
  Assessment of the criticality or importance of the outsourced services and the suitability of the third-party ICT service provider based on a comprehensive analysis
• Contractual regulations:
  Contracts with third-party ICT providers must contain clear and unambiguous agreements on aspects of operational resilience, including service level agreements (SLAs), availability requirements, security standards and contingency planning.
• Monitoring and testing:
  Financial companies are required to continuously monitor the activities of third-party ICT providers and regularly test the effectiveness of security measures and resilience strategies.
• Exit strategy:
  A clear exit strategy in the event that the service of a third-party ICT provider is terminated or no longer meets the required standards must be in place to ensure the continuity of business processes and protect against excessive dependence on individual providers.

How LocateRisk can provide support:

• On-demand assessment of new business partners
• Automated audit of IT and GDPR compliance
• Provider, partner and supplier monitoring at freely selectable intervals
• Supplier assessment by means of a digital questionnaire/Self Assessment Questionnaire (SAQ)

Conclusion

DORA brings considerable challenges, but also opportunities for the financial industry. By harmonizing regulations and introducing stricter standards for digital resilience, the aim is to achieve a uniform level of security in the EU. The new requirements are comprehensive and require companies to prepare and implement them thoroughly. The support of specialized providers such as LocateRisk can help to meet these new regulatory requirements and strengthen digital resilience.

This article focuses on the four chapters mentioned and does not cover the entire regulation. Detailed information on DORA can be found on the website of BaFin Federal Financial Supervisory Authority at DORA - Digital Operational Resilience Act

Learn more, book a demo, or just have a quick chat? Alex is happy to help!

Your personal consultant
Alexander Feldmann
Consulting

+49 (0) 6151 6290246

Get in Touch Now

Home

Blog

About Us

Contact

Legal Notice

Privacy

General Terms and Conditions

Jobs

© LocateRisk 2023