Preparing for the EU’s DORA amidst Technical Controls Ambiguity
The financial sector is bracing for a significant shift in its digital landscape as the EU’s Digital Operational Resilience Act (DORA) prepares to take effect in January 2025.

This new regulation is set to transform the approach of financial institutions – including banks, insurers, and investment firms – towards their IT infrastructure and data security protocols. At the heart of DORA lies Article 3, which aims to bolster “the capacity of financial entities to construct, ensure, and evaluate their operational integrity and reliability.”

In the years following the 2008 global financial crisis, there was a notable surge in attention to IT security and digital resilience. However, this focus gradually waned over time. Now, with cybercrime emerging as the world’s third-largest economy, surpassed only by the United States and China, DORA seeks to address this escalating cyber threat head-on. EU member states face potentially severe consequences if they fail to comply with these new regulations by January 2025. Non-compliant institutions could be subject to substantial penalties, including fines of up to 2% of their global annual turnover or 1% of their worldwide average daily turnover.

Despite the urgency of the situation, many institutions are experiencing delays in their preparatory efforts. While new technical standard documents were submitted to the commission in July of this year, affected entities continue to grapple with significant hurdles in their DORA readiness plans.

As the deadline looms, businesses cannot afford a wait-and-see approach. In the absence of concrete guidance, firms must take proactive steps based on the information currently at their disposal.

Transparency is the cornerstone of DORA compliance

The importance of comprehensive visibility cannot be overstated. DORA places a strong emphasis on this aspect, particularly in relation to data transparency and actionable evidence. The regulation shines a spotlight on critical areas that have traditionally lacked robust frameworks and are consequently more susceptible to risks. These include third-party risk management, operational resilience, and thorough testing protocols.

A pivotal aspect of DORA is its requirement for uninterrupted monitoring. This marks a significant departure from conventional periodic assessments, ushering in an era of constant vigilance. Under this new rule, organisations are tasked with implementing systems that offer real-time insights into their digital operational resilience. Such systems must enable swift identification and response to emerging threats or vulnerabilities.

The financial sector, in particular, faces the challenge of ensuring security and compliance across its entire supply network. This obligation extends beyond immediate suppliers, potentially encompassing a wide array of third-party providers and even their subcontractors. As a result, the process of evaluating cybersecurity practices may ripple through multiple layers of the supply chain, creating a complex and resource-intensive compliance environment. While the full extent of this cascading effect remains to be determined, organisations would be prudent to prepare for extensive reporting requirements that could span several tiers of their supply network.

Enhanced security testing

While the Payment Card Industry (PCI) standards have long focused on safeguarding credit card information, requiring annual penetration testing and assessments after significant changes, the regulatory landscape is evolving towards more frequent and comprehensive evaluations. The U.S. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) has already expanded the scope, addressing additional crucial aspects such as recovery processes, thus filling some gaps left by PCI standards.

DORA takes this a step further, mandating organisations to implement exhaustive testing protocols that leave no stone unturned. This includes systems previously deemed too critical or sensitive for regular assessment. This regulatory shift signals a paradigm change, calling for a more rigorous and frequent testing regimen across the entire technological infrastructure, irrespective of a system’s perceived operational importance.

These emerging regulations are driving organisations towards a proactive stance on security. The emphasis is now on continuous monitoring to detect and address weaknesses before they escalate into significant risks. This approach aims to minimise the development of vulnerabilities and ensures that organisations maintain an up-to-the-minute awareness of their security posture.

Preparing your business for the DORA era

DORA’s emphasis on continuous threat monitoring and results-oriented risk management signifies a significant shift in the regulatory landscape. Soon, authorities will have the power to request data and assess compliance, making preparation crucial.

To begin this journey, organisations should establish a dedicated working committee with clearly defined roles and responsibilities. This committee will play a vital role in conducting a comprehensive gap analysis, identifying areas for improvement both within their operations and across their supply chain. Such an analysis will not only highlight necessary changes but also inform critical budget discussions and resource allocation decisions.

It’s important to note that approaching the five pillars of DORA as a chronological, step-by-step checklist will prove ineffective. Instead, organisations should focus on key areas such as third-party risk management and reporting, which are interwoven across all pillars of the regulation.

With the deadline looming, it’s critical to update and strengthen risk management strategies. DORA assumes firms already have a robust risk management framework in place. However, it’s crucial to understand that existing certifications, such as ISO27001, while valuable, may not ensure full DORA compliance due to the regulation’s extensive third-party risk management requirements integrated into every pillar.

Despite any potential delays in implementation guidance, DORA is imminent, and businesses must be prepared. Rather than viewing this regulation solely as a compliance requirement, forward-thinking organisations should see it as an opportunity to enhance their overall security posture. By focusing on continuous monitoring and effective threat management, businesses can not only meet regulatory standards but also achieve a higher level of protection across their networks, potentially gaining a significant competitive advantage in the process.

About the Author

Martin Greenfield is the CEO of Continuous Controls Monitoring solutions provider Quod Orbis. He has over two decades of experience in the cyber security space. With his team, Martin helps deliver complete cyber controls visibility for their clients via a single pane of glass, through Quod Orbis’ Continuous Controls Monitoring (CCM) platform. Their clients can see and understand their security and risk posture in real time, which in turn drives their risk investment decisions at the enterprise level.