Ready, set, DORA

The Digital Operational Resilience Act (DORA) has been slowly rolling out in Europe since 2023, as I highlighted in this post back in March. By January 2025, it will be in full effect. We could make cheeky comments about Dora being a cartoon for kids or a Designated Outdoor Refreshment Area. However, in this case, DORA is a more serious topic.

DORA is a European regulation, but companies based in the United States that do business in Europe must abide by it. In short, DORA establishes binding standards for financial entities and their third-party technology service providers to manage their information and communication technology (ICT) risk.

Marshall England, vice president of marketing at cyber risk management company FortifyData, says companies and managed service providers (MSPs) need to be ready for DORA.

“Financial services providers and their MSP partners will need to sharpen their pencils on an overall cyber risk management plan, vendor risk management, and incident reporting that can be shared with European regulators,” England states.

Compliance and regulatory scrutiny to intensify

London-based cybersecurity expert and risk advisor Alina Timofeeva says the recent global outage makes DORA loom larger. “I foresee greater adherence to existing regulations including DORA and regulators being more stringent,” Timofeeva shares, adding that currently, compliance varies.

“I would anticipate in the conversations with regulators, companies would want to demonstrate at least full Level 3 compliance with the key risks and existing or proposed control frameworks, versus this being a checkbox exercise,” Timofeeva explains. Additionally, she notes that banks need to accelerate their preparedness for DORA. They need to carry out self-assessments against the requirements, identify gaps, and take the appropriate steps to close them.

“After completing a DORA preparedness assessment and engaging with senior management and the board on digital resilience to raise awareness, I would imagine the key steps would be around resilience uplift and end-to-end resilience,” she says.

Greater awareness and expanded skillsets are needed

Some areas of resilience to focus on include:

1. Strategically developing and enhancing the operational resilience framework, governance, and operating model.
2. Identifying all critical business services and mapping these across data, technology, third parties, people, and processes to define how to develop resilience for each service.
3. Elevating the incident management capabilities so that there is improvement and standardization of incident handling guidelines, with the integration of analytics (including predictive analytics). As part of this, define the list of early warning signs, implement capabilities to track these, and define incident response protocols linked to specific early warning signs.
4. Defining and establishing a comprehensive testing program based on a risk-based approach. Part of that includes threat-led penetration tests and link testing to ICT risk tolerance.
5. Defining a clear third-party strategy to ensure third-party compliance. Review existing and relevant third-party contracts using a risk-based approach. Consider the key roles & responsibilities, risks, and controls for the shared ownership model.

Timofeeva adds that it is also key that organizations increase the involvement of the board and senior management in ICT risk management because it requires increased ICT risk awareness and the skills to deliver robust reporting.

For those who need a refresher on DORA, the full text of the legislation can be found here.

Photo: KOTOIMAGES / Shutterstock