The Digital Operational Resilience Act (Regulation (EU) 2022/2554) was born from a realisation that businesses, particularly those in financial services, rely increasingly on Information and Communications Technology (ICT) and digital means to operate. The result of this digitalisation is predominantly to bring speed, ease of use and innovative services to customers, yet it also introduces the risk of cyber attacks or incidents that could lead to data breaches, downtime and financial losses. Any disruption to financial services in turn has a knock-on effect to other businesses, potentially negatively impacting whole economies.
The introduction of DORA marks a pivotal advancement in EU financial regulation, addressing a significant gap in operational risk management. Prior to DORA, financial institutions primarily relied on compliance-driven capital allocation to prove they were mitigating operational risks, but this alone did not prove a suitable level of operational resilience.
However, with the implementation of DORA, stringent guidelines will be enforced that mandate the establishment of robust protection, detection, containment, recovery and repair mechanisms against ICT-related incidents. DORA explicitly addresses ICT risk, delineating regulations concerning ICT risk management, incident reporting, operational resilience testing and monitoring of ICT third-party risks. Recognising the potential of ICT incidents and operational vulnerabilities to undermine the stability of the entire financial system, DORA emphasises the necessity of comprehensive risk management beyond traditional capital adequacy measures.
DORA applies from 17 January 2025. It covers banks, investment firms, insurance companies, payment service providers and the other categories of financial entity listed in the regulation, and it also brings ICT third-party service providers designated as critical under direct EU oversight. DORA requires these organisations to adhere to specific guidelines for safeguarding, detection, containment, recovery and repair capabilities in response to ICT-related threats and incidents.
How can organisations of all sizes effectively strengthen their security posture and set a foundation for complying with DORA?
Start With PAM
Privileged Access Management (PAM) is the discipline in which people, processes and technology are combined to give organisations visibility over who is accessing which critical systems, accounts or administrative functions, and what they are doing while they are there. By choosing a PAM solution that thoroughly addresses the four DORA pillars discussed below, organisations can not only get ahead of compliance, but protect themselves more effectively.
ICT Risk Management
DORA requires a robust risk-management framework, meaning organisations must create a strategy based on risk tolerance, addressing the identification and prevention of risks and demonstrating the capability to respond to them. One practical control that supports this is dark web monitoring, which acts as an early warning system: it checks employees' saved passwords, or the credentials held in the PAM vault, against known breach data and alerts users and administrators as soon as a credential turns up exposed, so it can be rotated before it is used against the organisation.
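The exposed-credential check described above can be done without ever sending a password, or its full hash, to the monitoring service. The example below is added here and is not code from the original page or from any PAM vendor: it simulates the k-anonymity range query used by breached-password services (the client sends only the first 5 hex characters of the SHA-1 hash and compares the returned suffixes locally) against a constructed breach corpus, then scans a constructed vault and lists the records that need rotating. The corpus, vault contents and function names are all assumptions for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed breach corpus standing in for a provider's index of exposed
# credentials (password -> number of times seen). Illustrative values only.
BREACHED_PASSWORDS: Dict[str, int] = {
    "password123": 1_234_567,
    "Welcome2024!": 4_210,
    "letmein": 98_001,
}


def _sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest format used by range-query password APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Provider-side index: 5-character hash prefix -> [(35-character suffix, count)].
BREACH_INDEX: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _digest = _sha1_upper(_pw)
    BREACH_INDEX.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Simulates the k-anonymity range endpoint: the service only ever sees the
    5-character prefix, never the password or the complete hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return BREACH_INDEX.get(prefix.upper(), [])


def is_exposed(password: str) -> int:
    """Return how many times the password appears in breach data (0 if clean).
    The suffix comparison happens on the client side."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def scan_vault(vault: Dict[str, str]) -> List[Tuple[str, int]]:
    """Scan {record_name: password} and return the exposed records, most-exposed
    first, so administrators know which credentials to rotate immediately."""
    findings = [(name, is_exposed(pw)) for name, pw in vault.items()]
    exposed = [(name, count) for name, count in findings if count > 0]
    exposed.sort(key=lambda item: item[1], reverse=True)
    return exposed


if __name__ == "__main__":
    # Constructed vault contents (assumed record names and passwords).
    vault = {
        "prod-db-admin": "Welcome2024!",
        "core-switch-enable": "letmein",
        "backup-svc": "x9!Qv#2mLp7$wRt0",
    }
    for record, seen in scan_vault(vault):
        print(f"ROTATE NOW: {record} (seen {seen} times in breach data)")
```

The important property is that a vault scan never discloses the secret to the monitoring provider: only a hash prefix shared by many unrelated passwords leaves the organisation, which matters when the vault holds production credentials.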
Digital Operational Resilience Testing
DORA requires financial entities to run a digital operational resilience testing programme against their own ICT systems, including threat-led penetration testing (TLPT) for the entities designated to carry it out, and that testing extends to the ICT third-party providers that support critical or important functions. Therefore, look for technology partners that operate world-class security, such as a zero-knowledge and zero-trust architecture. For security partners in particular, choose ones that can demonstrate that they conduct extensive internal and external testing, including penetration testing, and ensure they are transparent with vulnerability reporting.
Management of Third-Party ICT Service Providers
DORA requires financial entities to assess the resilience of their third-party ICT service providers, keep a register of information covering all contractual arrangements with those providers, and monitor each provider's risk throughout the relationship. Look for partners that hold a SOC 2 attestation and ISO 27001 certification, plus industry- or region-specific requirements such as GDPR, HIPAA or PCI DSS.
Reporting
DORA mandates that financial entities classify ICT-related incidents against common criteria and report major incidents to their competent authority using standardised templates. A PAM solution that supports customised reporting and integration with other cybersecurity technologies, such as a third-party SIEM, will help ensure alignment with the required reporting methodology. Be sure the organisation's admins can monitor and report the access permissions of privileged accounts across the entire organisation, not just the sessions that happened to be recorded.
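What such a privileged-access report looks like in practice, and how it reaches a SIEM, is shown below. This is an added example, not code from the original page or from any PAM product: it takes a constructed PAM export (standing grants plus session records, with field names assumed for the example), builds a per-account view of who can reach what and when each grant was last used, flags grants unused for 90 days as dormant, and flattens the result into JSON lines with ECS-style field names that most SIEMs ingest directly. The accounts, targets, timestamps and the 90-day threshold are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed PAM export. Real products use their own schemas; these field
# names (account, target, role, start, commands) are assumed for the example.
GRANTS = [
    {"account": "dba-admin", "target": "prod-postgres-01", "role": "root"},
    {"account": "dba-admin", "target": "prod-postgres-02", "role": "root"},
    {"account": "net-ops", "target": "core-fw-01", "role": "admin"},
    {"account": "old-contractor", "target": "prod-postgres-01", "role": "root"},
]

SESSIONS = [
    {"account": "dba-admin", "target": "prod-postgres-01", "start": "2025-01-10T08:02:00Z", "commands": 41},
    {"account": "net-ops", "target": "core-fw-01", "start": "2025-01-12T22:15:00Z", "commands": 3},
    {"account": "old-contractor", "target": "prod-postgres-01", "start": "2024-06-01T09:00:00Z", "commands": 12},
]

# Constructed report date so the example is reproducible offline.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_report(grants, sessions, now: datetime, dormant_days: int = 90) -> Dict[str, dict]:
    """Per privileged account: the targets it can reach, when each grant was last
    exercised, and which grants are dormant (never used, or unused for
    dormant_days). Dormant standing privilege is the first thing to remove
    under least privilege."""
    last_seen: Dict[tuple, datetime] = {}
    for s in sessions:
        key = (s["account"], s["target"])
        when = _parse(s["start"])
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when

    cutoff = now - timedelta(days=dormant_days)
    report = defaultdict(lambda: {"targets": {}, "dormant": []})
    for g in grants:
        seen = last_seen.get((g["account"], g["target"]))
        entry = report[g["account"]]
        entry["targets"][g["target"]] = {
            "role": g["role"],
            "last_used": seen.isoformat() if seen else None,
        }
        if seen is None or seen < cutoff:
            entry["dormant"].append(g["target"])
    return dict(report)


def to_siem_events(report: Dict[str, dict], now: datetime) -> List[str]:
    """One JSON line per grant, using ECS-style field names (an assumption about
    the receiving SIEM). Dormant grants get a higher severity so they surface
    on dashboards rather than being buried in routine state events."""
    lines = []
    for account, entry in sorted(report.items()):
        for target, detail in sorted(entry["targets"].items()):
            dormant = target in entry["dormant"]
            lines.append(json.dumps({
                "@timestamp": now.isoformat(),
                "event.kind": "state",
                "event.category": "iam",
                "event.severity": 7 if dormant else 3,
                "user.name": account,
                "host.name": target,
                "pam.role": detail["role"],
                "pam.last_used": detail["last_used"],
                "pam.dormant": dormant,
            }, sort_keys=True))
    return lines


if __name__ == "__main__":
    for line in to_siem_events(build_report(GRANTS, SESSIONS, NOW), NOW):
        print(line)
```

Run on the constructed data, the report shows that old-contractor still holds root on a production database it last used seven months ago, and that dba-admin has a standing grant it has never exercised; both are findings an auditor will ask about, and both are invisible if the tooling only reports recorded sessions rather than the full set of permissions.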
By viewing DORA compliance through a privileged access management lens, organisations will ultimately be able to prove oversight over who has access to which sensitive data and systems, with visibility into what they do while logged in to them. This addresses a significant part of the requirements put forth by the new regulation and equips organisations to better identify, respond to, report on and prevent risks, now and into the future.