Time to explore the Digital Operational Resilience Act (DORA)


Today, ICT-related incidents remain rampant, with the scourge of data breaches showing no sign of abating. This year,millions of records will unfortunately once again be affected with the ramifications being severe and the average breach now costing businesses ​​around £3.5million. Facing these risks, Digital Operational Resilience Act (DORA) compliance is more important than ever.

Coming into play throughout all EU member states from the 17th of January 2025, and enacted by the European Parliament, DORA’s scope extends across a broad spectrum of financial entities, from banks to investment firms, as well as any service provider offering IT and cybersecurity services to those entities. By casting such a wide net, DORA provides a comprehensive approach that aims to fortify digital infrastructures throughout the entire financial industry.DORA will function as a guiding framework to help financial entities navigate a plethora of new and emerging challenges, with the need to maintain robust cybersecurity measures at its core. So, what is it that businesses need to do to ensure they stay protected?

What is the Digital Operational Resilience Act (DORA)?

DORA was established to reduce the risks of unauthorised data, breaches, and a lack of control over sensitive financial data. While previous EU regulations varied between different EU member states, DORA’s unified framework will streamline compliance efforts and enhance the resilience of the collective EU financial system.

Now, standardised practices ensure that financial institutions and their third-party service providers across the EU adhere by the same framework for optimised cyber security.

Although officially sanctioned by the European Parliament and the Council of the European Union in November 2022, DORA is still being refined to include more detailed standards, with an expected go-live date of early 2025.

The first is to analyse whether the entire data supply chain is secure from top to bottom. By setting out strict requirements for contracting, managing, and reporting against ICT service providers, DORA makes it essential that firms in the UK and elsewhere are using DORA-compliant content communication tools. 

This is often easier said than done. Third-party tools, solutions, and partnerships play an integral role in any organisation today. And for good reason. They can help staffcommunicate with other team members, safely access sensitive information, and streamline project management tasks. However, third parties can also introduce inherent risks that can compromise a business’ security. 

So much so, that the recent Verizon Data Breach Investigations Report (DBIR) found that 15% of data breaches are now connected to the supply chain, a 68% jump from the previous year. Our own Sensitive Content Communications Privacy and Compliance Report similarly found that nine-in-ten (90%) organisations share sensitive content with over 1,000 third parties. Robust vendor risk management and security controls throughout the supply chain is, therefore,paramount to bolster a business’ overall resilience. 

Make sure the business is not only enhancing the resilience of your own business’ externally provided software, but also the technology your partners are using to communicate, collaborate or share content with your organisation. It is time to ask whether the emails sent between the business and the supply chain secure? Whether the business’ tools or that of itspartners introducing undue cyber risks? And whether any file sharing tool being used is compliant and can ensure that any data sent is not to an unsafe third-party environment? 

Third-party vulnerabilities can occur for a wide range of reasons. It might be due to inherent weaknesses ininfrastructure, a lack of contingency plans for service disruptions, or inadequate contractual provisions addressing cybersecurity standards. By identifying these vulnerabilities early on, a business can take proactive measures to mitigate the risks and strengthen its overall third-party risk management. Enhancing overall resilience and ensuring DORA compliance as a result.

Whether organisations are sharing files for audits or providing services that necessitate file sharing in the EU, it is important that they use secure file sharing tools to protect this content. Secure file sharing tools will let a business set and enforce policies from its own system. That way, it can share large volumes of sensitive data confident that data confidentiality is intact.

To streamline the DORA compliance process and foster a culture of resilience it is essential to secure support from key decision-makers early on and encourage their active participation. Engage with board members, executive leadership, and relevant departments to communicate the importance of DORA compliance and its implications for the organisation. Clearly articulate the benefits of initiative-taking compliance efforts. This could include enhanced cybersecurity, improved operational efficiency, and the safeguarding of customer trust. 

By involving stakeholders in this way, it is far easier to secure the necessary resources andfacilitate a smoother implementation of DORA compliance measures. This collaborative approach not only strengthens the business’ overall resilience but also reinforces a shared commitment to cybersecurity excellence across all levels within the business.

Effective incident reporting and management needs to be at the heart of DORA. It willstrengthen the business’ resilience in the wake of new and emerging challenges. To ensure ICT risk management reporting is as effective as possible, it is important for the business to ask itself:

  • Do reporting processes capture all relevant information accurately and efficiently?
  • Do reporting processes enable swift detection, containment, and resolution of cybersecurity incidents? 
  • Is there a consolidated audit log outlining user access and how does it relate to sensitive content in relation to a breach?
  • Does the business regularly conduct post-incident reviews to identify lessons learned and areas for enhancement?

Continually assessing and refining incident reporting and management processes helps an organisation bolster itsresilience against emerging threats, safeguard critical information, and demonstrate its compliance with DORA’s stringent requirements.

For best results and to improve visibility, use a single platform to manage all communication channels. Look for solutions that offer comprehensive logging and reporting capabilities against all activity. This should include data access, file transfers, log ins and more. Only then can the business record all its content communication and, as a result, evidence compliance against DORA UK regulatory standards. 

For enhanced and secure collaboration, it is also worth exploring some of the next-generation digital rights management (DRM) solutions that are now available. They can allow editable file access externally without relinquishing source control, protection of original files within the owner’s environment, editing and collaboration on file streams like a native application, detailed audit logs and reports, and restrictive collaboration on any file type.

Automation has emerged as a powerful tool for enhancing operational efficiency and resilience across a variety of industries in recent years. With the ability to continuously deploy standardised processes, with little potential for errors, automation tools can be perfect to help businesses better align with DORA. By embracing automation, organisationscan not only enhance their operational resilience but also optimise resource allocation and demonstrate compliance with DORA’s requirements in today’s increasingly complex digital landscape.

To get started, consider adopting automation tools to streamline key processes and mitigate operational risks. Explore opportunities to automate routine tasks like threat detection, incident response, and compliance monitoring. With advanced analytics and machine learning algorithms, automation tools can also help the enterprise detect and respond to cybersecurity threats in real-time to protect vital information.

Documenting any actions taken to meet DORA compliance can help the businessdemonstrate its due diligence and accountability when needed.

To do this, prioritise the thorough documentation of any actions taken. These could include the detailed records of any risk assessment, incident report, and any remediation effort taken. Not only will this help the organisation demonstrate its compliance efforts but will also provide the perfect opportunity to create and maintain comprehensive documentation of theorganisation’s policies, procedures, and protocols related to any digital operations and cybersecurity efforts. 

Just remember that not every content communication solution has the same security standards and governance controls. To ensure they remain compliant, organisations need to look for those with advanced security and next-gen DRM governance controls to boost their security posture.

As organisations continue to navigate the complexities of today’s digital landscape, achieving DORA compliance is essential for maintaining data integrity, cybersecurity, and regulatory compliance. By taking note of some of the tips above, businesses can begin enhancing theirreadiness for DORA compliance, protecting sensitive data against evolving cyber threats and upholding trust among stakeholders in the process. 

The importance of ensuring compliance with DORA must not be overlooked by anyone with exposure to the financial services industry. With severe penalties facing those who are found to be non-compliant, and continuous risks threatening to gain access to sensitive information, DORA compliance will surely become the catalyst to strengthening the industry’s resilience with standardised, and documented, practices.

Do not get caught short. Look for content communication solutions that reflect the DORA regulation and for vendors that are promoting DORA compliance. Search for solutions that are validated or certified by standards such as Cyber Essentials Plus, SOC 2 Type II, ISO 27001, etc. That way you can ensure your business is DORA ready in time for January 2025. 



Source link