The financial stability of the European Union is a critical concern, and the EU recognized that its heavily digitized financial institutions could be vulnerable to crippling cyberattacks. To address this threat, the EU enacted the Digital Operational Resilience Act (DORA) in 2020, which harmonizes standards for cybersecurity and operational resilience across all member states. Even companies outside the EU that interact with EU-based financial institutions will need to comply with DORA by January 2025.
This article explores the five key pillars of DORA and how the Reflectiz platform can help organizations fill compliance gaps. But first, the basics.
What is DORA?
The idea that the European financial sector could be brought to its knees by cybercriminals or malicious state actors doesn’t bear thinking about, which is exactly why the European Union decided to think about it. It realized that with all its financial systems crippled, its member states would grind to a halt, so how best to guard against this doomsday scenario?
With their financial institutions heavily reliant on ICT and third-party providers, many EU countries already had standards in place to ensure they could maintain digital operational resilience, but there was no consistency between jurisdictions, which made ensuring that they were all up to the same standard about as easy as trying to herd cats.
To remedy this, the EU came up with DORA, the Digital Operational Resilience Act in 2020. It harmonizes standards for financial institutions and the third-party ICT providers they use across all member states.
Even if your company isn’t based in the EU but still has dealings with EU-based financial institutions, certain DORA requirements will still apply. January 17th, 2025 is when it comes into effect, so let’s look at how to be prepared.
The Five Pillars of DORA
DORA rests on five main pillars. You can picture these pillars as Greek columns if you want, like the ones propping up the Acropolis in Athens. (Some might call that a little weird, but we won’t judge.) Here are the pillars:
- Board oversight: Organizations need a board-approved strategy in place to protect data and prevent breaches.
- Incident reporting: They also need communication plans that cover how they will respond to ICT incidents.
- Resilience testing: They will need to use automated tools to proactively identify and fix vulnerabilities before they can cause trouble.
- Third-party risk management: This one’s all about assessing and mitigating the risks that come with using external ICT service providers, so think vetting and monitoring them.
- Threat intelligence sharing: Organizations should share information about cyber threats with each other so that everyone benefits.
How Reflectiz Helps with DORA Web Compliance
Global companies are already using the Reflectiz platform to keep their websites secure and to meet various industry-specific regulations, and now it can fill in some of the blanks for DORA compliance, too. DORA's requirements are set out in numbered articles, so here's how Reflectiz can help you meet some of them:
Article 5: Governance and Organization
Reflectiz reviews and approves the use of third-party web applications, defines permissible actions, monitors for unauthorized behaviors, assesses risks, and evaluates overall website risk exposure.
Article 6: ICT Risk Management Framework
It contributes to your management of risk by maintaining a detailed inventory of all your third-party apps, including their associated risk factors and potential justifications for why each application is needed. This level of detail gives you comprehensive oversight of what’s connected to your website and allows you to conduct more thorough risk assessments.
After you’ve established your security baseline by selecting which behaviors to permit and which to block, the system understands your risk appetite and applies it to future alerts, categorizing each one according to the risk levels that you have established you are comfortable with. This makes for more efficient monitoring and reduces alert fatigue.
Article 6: Holistic ICT Multi-Vendor Strategy
That detailed inventory of external ICT resources with its risk factors and potential justifications for why each application is needed helps to meet these requirements too. The greater visibility it provides allows for more thorough risk assessments.
Article 8: Identification
The inventory and our unique proprietary Exposure Rating system both help you to identify every source of potential compromise. The inventory is updated regularly to reflect major changes, and the Exposure Rating system measures website risk levels against those of industry competitors (using information from our massive database) so not only can you benchmark your website’s relative security level compared to others within your sector, you can also apply its suggested action points to improve your score.
Article 9: Protection and Prevention
Reflectiz features detailed alert and approval mechanisms that rapidly identify potentially harmful code behaviors and invite your response. It classifies alerts for easy management and again, the Exposure Ratings system measures risk levels and offers remedies.
Article 10: Detection
Reflectiz integrates with ticketing apps and SIEM, providing multi-layered control mechanisms, alert thresholds, and automated responses for ICT-related incidents. The Reflectiz advanced alert mechanism ticks the box for Article 10.1’s requirement for prompt detection of anomalous activities and identification of potential single points of failure in ICT infrastructure.
Article 11: Response and Recovery
Reflectiz features an on-demand blocking mechanism that’s activated by detailed alert information. This means you can immediately respond to incidents and contain them.
Article 13: Learning and Evolving
DORA isn’t meant to be a static document. There is an expectation to keep pushing forward with improving and maturing your cyber defenses. To that end, it’s worth mentioning that we’re never complacent. We’re continually building on our cyber-attack expertise and using our customers’ insights to update the platform with evolving approaches to risk assessment, threat detection, and mitigation.
Article 17: ICT-related Incident Management Process
Reflectiz offers detailed incident reporting with timelines and risk ratings, so you can proactively benchmark and manage any cybersecurity risks.
Article 31: Designation of Critical ICT Third-Party Service Providers
As we’ve noted, the platform maintains a detailed inventory of connected apps that includes potential risk factors and justifications for each application, giving you excellent transparency into third-party risks. We also measure the popularity of third-party vendors within specific industries and institution categories, including G-SIIs and O-SIIs, and Reflectiz can even suggest safer alternatives to low-popularity vendors.
Reflectiz features alerts with approval workflows for faster responses and it manages risk exposure with dynamic ratings. The comprehensive dashboard provides detailed asset information and categorized alerts for efficient monitoring. That may sound like it could be overwhelming, but we designed it not to be. The GUI is very user-friendly.
Try it for Yourself
Will your company be ready for DORA by January 2025? There isn’t much time left, so book a personalized demo today to find out what your cyber resilience strategy is missing and how Reflectiz can help. You can also visit our financial services industry page here.