DORA Regulations: What You Need to Know
The financial services sector has always been enthusiastic about adopting technological innovations, which is why in the last 10 years it has changed almost beyond recognition. Customers now use mobile and desktop apps for banking, investing, insurance, tax, and more, but the ICT infrastructure needed to support all of this digital delivery introduces a huge number of points of potential failure as well as avenues of attack. This makes individual financial services providers, and the system as a whole, potentially very vulnerable.
The European Union realized that if events like wars, natural disasters, or cyber-attacks ever managed to shut down the European financial sector, the consequences would be disastrous, so it introduced the Digital Operational Resilience Act (DORA).
This new law came into force on 16 January 2023 and the organizations that it covers will need to meet its requirements from 17 January 2025.
Who Does DORA Apply To?
DORA applies to Europe’s 22,000 financial entities, along with the ICT infrastructure providers that enable them to function. Companies that will need to improve their risk management and enterprise cybersecurity based on DORA include:
· Credit institutions
· Credit agencies
· Account information service providers
· Pension funds
· Crypto firms
· Investment firms
· Insurance providers
· Crowdfunding providers
· Alternative investment fund managers
· ICT service providers
As the name of the Act implies, its main objective is to strengthen their digital operational resilience so that financial markets and services avoid major disruptions and continue to run smoothly if catastrophic events should still occur.
Crucially, even if those infrastructure providers are in territories outside of the EU but they serve companies that have a presence within it, they will be required to satisfy certain DORA requirements. The level of scrutiny they attract and the requirements they need to fulfill will vary according to the risk level, but it means that companies providing things like cloud services or tracking pixels to EU financial providers will need to fall in step with the Act’s requirements.
DORA regulations are composed of five key ‘pillars’, which are:
1. ICT Risk Management: This pillar focuses on the responsibilities of the board of directors in developing and approving the Digital Operational Resilience Strategy (DORS). It includes creating policies to protect the confidentiality, integrity, and availability of all data, ensuring communication, cooperation, and coordination by implementing an ICT governance framework, and using ICT solutions to prevent breaches of confidentiality, impairment of integrity, lack of availability, and loss of data.
2. Reporting on ICT-related incidents: emphasizes the need for a communication strategy for the disclosure of ICT incidents as part of the Digital Operational Resilience Strategy (DORS). DORA attempts to streamline the reporting process, encouraging rapid investigation and response to breaches to reduce their impact.
3. Digital Operational Resilience Testing: companies will need to implement testing assessment programs which, out of necessity, will probably involve using automated tools to identify and correct issues before they can threaten operations.
4. Management of Third-Party Risk: addresses the management of risks associated with third-party ICT service providers.
5. Information and Intelligence Sharing: focuses on the development of cyber threat information sharing processes. Many threat actors targeting the financial industry will attempt to target multiple organizations simultaneously. DORA encourages organizations to share threat intelligence with peers to improve awareness of evolving cyber threats.
DORA Regulations – Where to Start
DORA’s main aim is to ensure that financial companies consistently monitor security and ICT tools to minimize risk. They will need to adopt a proactive approach to managing risk by continuously reviewing their security measures and third-party risk levels. The best place to start will be a review of the DORA articles and a review of where the business is at the moment.
From there they will need to work on strategies to minimize operational risk, instigate pre-planned responses to handle security threats, and commit to ongoing investments in new tools, policies, and procedures. The objective is continuous resilience, so measuring security KPIs will be an ongoing commitment.
The five pillars comprise 64 articles that describe the requirements in detail. As Article 4 indicates, the requirements will be applied proportionally to the risk profile of the ICT provider. For instance, if dozens of financial companies all relied on the same cloud service provider, this would indicate a high level of risk because if it fails, they all fail. So, that provider would be designated a Critical ICT Third-Party Provider, and as well as maintaining compliance it would also be subject to direct supervision by European financial regulators.
DORA allows its Lead Overseers to impose non-compliance penalties on organizations. These fines can be up to 1 percent of their average daily worldwide turnover in the previous business year and can be issued periodically for up to six months until they achieve compliance.
Financial Providers’ Websites
We were keen to understand how all of this would relate to the provision of a European financial services provider’s website, so we spoke to PULSEC Group, a consultancy services provider, for their expert opinion.
They pointed to paragraph 7 of Article 3 which defines an ICT asset as “…a software or hardware asset in the network and information systems used by the financial entity.”
A website and the components that support it clearly fall under the heading of ‘ICT assets,’ and under this definition they also harbor risks according to paragraph 18 of Article 3. It defines an ‘ICT third-party risk’ as a “…risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements.”
PULSEC Group told us that all the components that go into building a website are under the purview of the Act, including third-party elements like analytical tools, pixels, and other SaaS solutions. So, for financial services providers with links to the EU, these definitions put their websites and the third-party software vendors that they rely on within the scope of DORA.
Managing the Risks with Reflectiz
Reflectiz has a key role to play in ensuring that financial services providers with European links maintain DORA compliance.
Article 10, paragraph 1, which comes under the risk management pillar says:
“Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.”
Reflectiz is just such a mechanism. It contributes to an organization’s operational resilience by continuously scanning all components connected to its websites for anomalous activities, revealing:
· what first, third, and fourth-party components are connected to the site. Examples include Google Analytics, CRMs, WordPress, Facebook pixels, etc.
· what data collection or active tracking behaviors each component is performing.
· which domains the components are communicating with. The system can quickly detect and report suspicious and malicious activity, including when components are attempting to send data outside the EU.
Reflectiz begins by mapping and maintaining an accessible inventory of all digital assets connected to a website and establishing a baseline for their behaviors. This automated approach is essential for maintaining up-to-the-minute visibility of these connected assets, which is key for security, and is also particularly useful for evidence gathering, helping businesses to comply with DORA’s mandatory reporting requirements.
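The inventory-and-baseline approach described above, as an added illustration that is not Reflectiz code: a previous scan of a site's components and the hostnames each one contacted serves as the accepted baseline, a new scan is compared against it, and any new component, new destination, or destination outside an EU allow-list is reported as a finding. The component names, hostnames and the EU allow-list are constructed for this example; in practice the allow-list would come from the vendor inventory, not from code.

```javascript
// Added example, not Reflectiz's or any vendor's code. Input shape is an
// assumption: each scan maps a component (script URL) to the hostnames it
// was observed sending requests to while the page ran.

// Constructed baseline from a previous, reviewed scan (hypothetical values).
const BASELINE = {
  "https://www.googletagmanager.com/gtm.js": ["www.google-analytics.com"],
  "https://connect.facebook.net/en_US/fbevents.js": ["www.facebook.com"],
  "/wp-content/themes/bank/site.js": ["api.example-bank.eu"],
};

// Constructed result of a new scan: one known component now talks to an
// extra host, and a previously unseen fourth-party widget has appeared.
const CURRENT_SCAN = {
  "https://www.googletagmanager.com/gtm.js": [
    "www.google-analytics.com", "collect.example-cdn.net"],
  "https://connect.facebook.net/en_US/fbevents.js": ["www.facebook.com"],
  "/wp-content/themes/bank/site.js": ["api.example-bank.eu"],
  "https://cdn.example-chat.io/widget.js": ["ingest.example-chat.io"],
};

// Hostnames known to terminate inside the EU (assumption for the example;
// geographic location cannot be derived from a hostname alone).
const EU_HOSTS = new Set(["api.example-bank.eu"]);

// Compare a scan against the baseline and return actionable findings.
// Unchanged components produce nothing, so output is only the deviations.
function diffScan(baseline, scan, euHosts) {
  const findings = [];
  for (const [component, hosts] of Object.entries(scan)) {
    const known = new Set(baseline[component] || []);
    const newHosts = hosts.filter((h) => !known.has(h));
    if (newHosts.length === 0) continue; // matches baseline: no finding
    findings.push({
      type: component in baseline ? "new-destination" : "new-component",
      component,
      hosts: newHosts,
      outsideEu: newHosts.filter((h) => !euHosts.has(h)),
    });
  }
  for (const component of Object.keys(baseline)) {
    if (!(component in scan)) {
      findings.push({ type: "removed-component", component, hosts: [], outsideEu: [] });
    }
  }
  return findings;
}

console.log(JSON.stringify(diffScan(BASELINE, CURRENT_SCAN, EU_HOSTS), null, 2));
```

Each finding carries the evidence (component, new hosts, which of them are outside the allow-list) that an incident report under the reporting pillar would need.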
With just over a year to go before implementation, it’s important for financial services providers to put their operational resilience measures in place now. Reflectiz can be a key part of boosting your company’s operational resilience profile and meeting its responsibilities under DORA, so don’t delay, join now.