Preparing for DORA: 5 Pillars of DORA and How to Achieve Compliance

A new European regulation called DORA is coming into force soon. What is it about, who will be affected, how do you comply, and what happens if you don’t? We will discuss all these questions in detail.

Key Concepts of DORA

Let’s begin by introducing the specific terminology you should be familiar with to understand and prepare for the DORA requirements.

DORA – Digital Operational Resilience Act – a European regulation that introduces a new cybersecurity framework and digital resilience requirements for regulated financial entities in the European Union.

ICT – Information and Communication Technology – covers all technical means related to the processing of information. Generally, it refers to the hardware, software, networks, and other technological resources that an organization uses to store, process, and transmit information.

Risk management – you are probably familiar with it already: the process of identifying, assessing, and treating risks to the confidentiality, integrity, and availability of information.

Incident – generally, an event that could indicate that information or a system has been compromised, or that security measures have failed.

Competent authority – the national supervisory authority responsible for overseeing DORA compliance within each EU member state. Which authority is competent depends on the type of financial entity involved: EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority), ESMA (European Securities and Markets Authority), National Competent Authorities (local national banks), securitisation repositories, etc.

For instance, for banks the competent authority is the European Banking Authority at the European Union level and the central bank at the Member State level.

Competent authorities will be finally assigned around January 2025, because European countries need to fully integrate DORA into their local legislation.

What? When? Who?

DORA aims to establish a comprehensive and cross-sectoral digital operational resilience framework with rules for all regulated financial institutions. It is built on five pillars, which we review in detail below.

DORA was enacted on January 16, 2023 with a two-year implementation period. This means that it will come into force on January 17, 2025, and organizations should be compliant with the requirements by that date.


Primarily, DORA applies to financial institutions authorized under EU legislation, including banks, investment firms, payment service providers, and critically important third-party service providers to these institutions. It will affect approximately 22,000 financial entities.

Importantly, besides traditional financial institutions like banks, insurance companies, and investment funds, the regulation applies to crypto-asset companies, crowdfunding service providers, and ICT service providers that provide services to these institutions.

So, if you work for a software development company that provides services to a European bank or a European insurance company, you also fall under the DORA regulation.

5 Pillars of DORA

The five pillars of the DORA framework are ICT Risk Management, ICT Incident Reporting, Digital Operational Resilience Testing (DORT), Managing ICT Third-Party Risk, and Information Sharing Agreements. Now let’s review each of these pillars in detail.

ICT Risk Management

This is a complex pillar that includes 10 sections of requirements, namely:

  1. Governance and Organization
  2. Risk Management Framework
  3. Systems, Protocols, and Tools
  4. Identification
  5. Protection and Prevention
  6. Detection
  7. Response and Recovery
  8. Backup Restoration and Recovery Procedures
  9. Learning and Evolving
  10. Communication

The requirements start with assigning clear roles and responsibilities within your organization. It means that an organization needs to designate a team or an individual to oversee the ICT risk management program. This individual or team will be accountable for implementing the program, conducting risk assessments, and reporting the DORA compliance status to senior management.

Generally, this pillar is about the risk management process and about establishing and updating controls in the organization. It also covers the incident management process, from identification, protection and prevention through to backup and recovery activities.

What’s important here is that ICT risk management is about continuous improvement. So, you should regularly monitor your risks, update controls as needed, and, in case of any security events or incidents, implement all lessons learned.

Another important consideration is that DORA acknowledges the proportionality principle. If you work in a smaller organization, you may implement the requirements in a more streamlined way. However, if you work in an enterprise, the level of sophistication of all these sections should be much higher.

ICT Incident Reporting

This pillar requires organizations to have in place an efficient incident management process that ensures a structured approach to identifying, responding to, and recovering from IT disruptions or security threats.

Also, DORA sets mandatory reporting requirements for major incidents. These incidents typically meet criteria like:

  • Widespread impact on clients (outages, financial loss)
  • Extended service downtime
  • Geographic impact (beyond a single location)
  • Significant data loss (sensitive data types)

Moreover, DORA encourages voluntary notification of significant cyber threats. An organization may choose to report any significant cyber threat, even if the organization hasn’t been directly impacted by it. Reporting this information to competent authorities helps raise awareness within the financial industry and promotes collaboration on threat mitigation.

Having a well-defined incident management process with robust classification and reporting procedures will help you effectively respond to disruptions, minimize damage, and comply with regulations.

Digital Operational Resilience Testing (DORT)

DORT introduces new and even stricter requirements than the ISO 27001 framework in terms of testing your security and resilience.

It requires organizations to run two types of tests:

  • Annual tests: These are conducted on systems and applications that support critical or important functions. They are likely general security and functionality tests to ensure ongoing system health.
  • Threat-led penetration testing (TLPT): These are in-depth assessments conducted every three years. TLPTs simulate real-world attacks using current threat intelligence to identify vulnerabilities in critical systems and processes. It is also known as red team testing.

All these testing activities should be performed by independent parties, internal or external, to avoid conflicts of interest. The regulation does not mandate involving external parties; however, engaging external experts may bring benefits such as:

  • Objectivity as external testers bring a fresh perspective and are less likely to overlook vulnerabilities due to familiarity with internal systems.
  • Expertise as security firms specialize in penetration testing and possess advanced tools and knowledge to identify sophisticated vulnerabilities.

Whether internal or external parties execute the tests depends on your resources and expertise.

The first step to implement DORT is to design a testing program. The best way is to tailor your testing program to address the identified risks and vulnerabilities. You need to focus on the areas with the highest likelihood and potential impact.

After you have determined your focus areas, you need to describe which activities should be conducted and how often. For example, penetration testing should be conducted by an independent internal team once a year.

Also, you can describe any additional testing activities, such as the use of automated tools for vulnerability scanning, network assessment, and so on.

If you are dealing with applications, there should be activities such as security code review, where feasible. It can be performed manually or with automated tools.

If we are talking about manual effort, we should consider using a person with appropriate skills, because conducting a security code review requires skills in programming, application security, and so on. Thus, you will need to make sure that the person responsible for this has the appropriate skills.

After conducting these activities, you should document the results and create issues or tickets in your tracking system to fix the gaps found. As an additional activity, you can also use questionnaires or checklists to verify and test your system.

In some cases, it can be a good idea to use a scenario-based test or a so-called tabletop exercise. For example, in our company we had two major disruptions in the last 4 years – the pandemic and the start of the full-scale invasion of Ukraine. To prepare for such critical events, we conduct a set of simulations using a scenario and invite different stakeholders to prepare ourselves and our business for such outstanding challenges. This type of testing will help you prepare and avoid some mistakes, and find gaps in your process documentation and maybe in some controls.

Other types of testing that should be conducted include compatibility testing, performance testing, and end-to-end testing. Any gaps found should be reported and fixed as well.

Managing ICT Third-Party Risk

Another complex pillar of DORA is managing ICT third-party risk. I consider designating a separate pillar for third-party risk a good thing, since supply chain attacks bear more risk nowadays. Recent supply chain incidents, such as the SolarWinds attack and the XZ library attack, confirm it.

A cyberattack on SolarWinds, provider of software examination infrastructure tools and network computer monitoring tools, began in September 2019 and affected over 18,000 SolarWinds customers who installed updates containing malicious code. The code was used to steal customer data and then spy on other organizations. On average, the attack cost companies 11% of their annual revenue.

Source: Fortinet.com

To cover this requirement, you need to implement several processes to assess such risks.

  1. Clear strategy of ICT Third-Party Risk Management. First of all, you need to develop a comprehensive strategy for managing ICT third-party risks. To this end, you should establish clear criteria for evaluating potential third-party vendors:
    • assess the vendor’s security controls, incident response plan, and compliance certifications relevant to your needs (e.g., SOC 2, ISO 27001);
    • assess the vendor’s disaster recovery plan and ability to maintain service during disruptions;
    • ensure the vendor adheres to relevant data privacy regulations and industry standards;
    • research the vendor’s past performance and reputation for security incidents.
  2. Pre-contracting Assessment. Then, you will need to introduce a pre-contracting assessment for contractors. You may utilize different assessment methods, such as:
    • vendor questionnaires tailored to your specific risk profile;
    • reviewing security audits and penetration testing reports conducted on the vendor;
    • conducting on-site visits to the vendor’s facilities (if practical);
    • referencing industry blacklists and threat intelligence reports, etc.
  3. Key Contractual Provisions. The security standards the vendor must meet should be clearly defined in your contracts. They include:
    • data security controls (encryption, access control);
    • incident reporting and response procedures;
    • vulnerability management practices;
    • regular penetration testing requirements;
    • data protection obligations: include clauses that ensure compliance with relevant data privacy regulations (e.g., GDPR). This should cover data ownership, processing limitations, and breach notification requirements;
    • performance guarantees: specify service level agreements (SLAs) that outline performance expectations and remedies for non-compliance;
    • audit rights: reserve the right to conduct regular security audits and penetration testing of the vendor’s environment;
    • termination rights: include clear provisions for terminating the contract in case of security breaches, non-compliance, or service disruption.
  4. Register of All Contractual Arrangements with ICT Third-Party Providers. DORA requires financial institutions to maintain a central register of all contracts with third-party vendors that provide ICT services. Having a central repository provides a clear overview of all your third-party vendor relationships and simplifies tasks like contract review, risk assessments, and audits. This centralized register can be linked to your third-party risk management program, allowing you to track the risk profile of each vendor and prioritize due diligence efforts.

By implementing this comprehensive strategy, you can effectively manage ICT third-party risk. Remember, this is a continuous process that requires ongoing monitoring, adaptation, and communication.

Information Sharing Agreements

Now let’s talk about the last DORA pillar – Information Sharing Agreements. The regulation recognizes the importance of collaboration and information sharing within the financial sector to combat cyber threats.

That’s why DORA encourages financial institutions to establish information-sharing agreements with each other and with relevant authorities. These agreements outline the framework for sharing cyber threat information and intelligence.

On the other hand, DORA mandates reporting major incidents to the relevant competent authority. This allows authorities to identify systemic threats and take appropriate actions on the country or even EU level.

Financial institutions can share Cyber Threat Information and intelligence within trusted communities (e.g., industry consortia, information sharing and analysis centers – ISACs). This allows for collective threat analysis, identification of emerging threats, and development of coordinated mitigation strategies.

The information sharing aspect of DORA regarding cyber threats and intelligence isn’t strictly mandatory. However, it’s a crucial element for building a robust cyber defense strategy.

DORA Implementation Path

Let’s quickly talk about possible ways of achieving compliance. As you can see, it may require serious resources and a collaborative effort across various departments within your organization. However, there is not much time left, because DORA goes live on 17 January next year. So, we need to start preparing right now.

Step 1 is to assign responsibility for achieving DORA compliance. Assigning clear roles and responsibilities is crucial, and senior management commitment and sponsorship is essential for the success of the DORA compliance program.

Step 2. Before diving into specific actions, it’s essential to understand your current state of compliance with DORA requirements. Conduct a comprehensive gap analysis to identify areas where your existing policies, procedures, and controls need to be improved or even designed from scratch. This analysis should involve reviewing DORA regulations, assessing your current security posture, and documenting the findings.

Step 3. Once the gaps are identified, you need to prioritize them based on factors like risk severity and potential regulatory impact. Then develop a phased roadmap outlining the steps required to achieve DORA compliance, and set realistic timelines and milestones for each stage of the process.

Step 4. You also need to think about allocating resources and budget to support the roadmap activities. With the roadmap in place, you may start developing or updating policies and procedures to address the DORA requirements. Such policies may cover, for instance, incident management, ICT risk management, third-party risk management, etc. Once developed, these policies and procedures need to be documented and communicated to all your stakeholders. You may already have some policies in place, in which case it is worth checking whether something needs to be updated or developed from scratch.

Step 5. Then you should focus on technology. This step involves identifying and implementing technology solutions that can support your compliance efforts. Examples include Security Information and Event Management (SIEM) tools for centralized log management and incident response, and vulnerability management tools for identifying and addressing security weaknesses in systems. You may also consider expanding your multi-factor authentication coverage if needed.

Step 6. Once you have finished working on technical controls, you should verify the effectiveness of the designed controls in the organization, both technical and organizational. For this purpose, you need to perform testing. Testing is a critical aspect of ensuring your organization’s resilience against cyber threats. As mentioned earlier, you should develop a comprehensive compliance testing strategy. It should include annual tests of critical systems and threat-led penetration testing (TLPT) every three years.

Step 7. This final step focuses on implementing a robust ICT third-party management process. It includes conducting thorough pre-contracting assessments, ongoing monitoring practices, and maintaining a centralized register of all contractual arrangements with ICT third-party providers.

Enforcement Measures

Generally, DORA provides for five types of enforcement measures.

Administrative fines: Financial institutions can be fined up to 10 million euros or 5% of their total annual turnover, whichever is higher, for serious infringements of the regulation.

Remedial measures: Competent authorities may require financial institutions to take remedial measures to address any weaknesses or failures in their operational resilience.

Public reprimands: Competent authorities may publicly reprimand financial institutions that fail to comply with the requirements of the regulation.

Withdrawal of authorization: One of the strictest DORA measures. Competent authorities may withdraw the authorization of financial institutions that repeatedly fail to comply with the requirements of the regulation.

Compensation for damages: Financial institutions may be required to compensate customers or third parties for any damages resulting from a failure to comply with the requirements of the regulation. It may be used in combination with other measures.

It is important to note that the exact penalties for non-compliance may vary depending on the specific circumstances and the severity of the infringement.
