‘I don’t expect DORA will be very exciting for large banks and pension funds that already spend a lot of time on security’, says De Nies. These large companies should do a gap analysis: in which areas are we already compliant and what do we still need to do?
‘It’s the smaller companies that face a challenge. They may need to start taking measures they haven’t needed before.’
The 5 main elements of DORA are:
- An organization must have an ICT Risk Management Framework
- An organization must have an Incident Response Process
- Security testing must be done more often and will be mandatory
- Third party risks must be mapped out, for example the risks your suppliers run
- Threat intelligence sharing will be mandatory
Incident process expanded
DORA means an expanded incident response process, says De Nies: ‘Previously, this process was a standard part of the risk management framework that an organization already had. But DORA takes it a step further. You have to classify an incident and, in certain cases, report it correctly.’
More frequent and mandatory testing
The new legislation also means: more and mandatory testing, says Brücker. ‘Financial institutions must perform a Threat-Led Penetration Test, or TLPT, once every three years. These tests can also include IT service providers. Testing is not yet mandatory at the moment, so that is a change.’
Advanced Red Teaming (ART)
The type of TLPT test that DORA will make mandatory will probably be a variation on the existing TIBER standard. ‘We call this Advanced Red Teaming, or ART,’ Brücker explains.
In the Netherlands, De Nederlandsche Bank will supervise the new standard. Any findings can also be shared anonymously via DNB.
The advantage of Advanced Red Teaming is that an ART test is less expensive than a test according to the TIBER standard, which, says Brücker, can cost up to one hundred and fifty man hours.
Brücker: ‘They are now looking for a variant of TIBER that has sufficient depth to create an accurate picture of a company’s cyber resilience, but in a way that makes the test affordable.’
Not clear yet
Not everything is clear yet, says Brücker: ‘Suppose an organization is located in France and in the Netherlands. Is it sufficient for that organization to meet the French requirements of DORA? Or do you also have to follow the Dutch interpretation exactly? These details are not yet clear.’
6. What is the relationship between NIS2 and DORA?
DORA is not the only major cybersecurity directive to come into force in 2025. NIS2 also sets requirements for the digital security of companies and organizations in Europe.
How do these two directives relate to each other? De Nies: ‘Both involve IT security. The difference is that DORA focuses purely on the financial sector and NIS2 covers all critical sectors. DORA will be leading for the financial sector.’
7. Will there be sanctions if my organization does not comply with DORA?
Yes, there certainly will be sanctions, says Brücker. ‘The regulator, probably the central bank of a member state, can impose a penalty for non-compliance with the directive. The penalty will be 1% of the average daily turnover for every day that the organization does not comply with the guideline, for a maximum of six months.’
8. Where should my organization start with DORA?
Is your organization getting started in cybersecurity? You could keep these steps in mind when preparing for DORA.
Step 1: Map out your risk management
‘Preparing for DORA starts on the process side,’ advises De Nies. ‘It is a good idea to first check whether you have an ICT Risk Management Framework. That’s the basis. There are standard frameworks you can use if you don’t already have one.’
Step 2: Do a gap analysis
If you already have a framework in place, check whether there are gaps between your framework and the new regulation. Is security testing already part of your risk management or not? And what about your suppliers?
Step 3: Check your incident process
Think about your incident process. Do you have the capacity to report incidents in a proper way?
Step 4: Create or improve your test plan
‘What am I going to test? When will I test it? How am I going to demonstrate what I have tested? Make sure you have a test program or test plan in place for the upcoming years, and find a partner with the capacity to help you execute it.’
Does your organization already have a mature security posture? In that case De Nies’ advice is to conduct a gap analysis to check which additional measures you need to implement for DORA.
9. What’s the biggest challenge when it comes to DORA?
Although De Nies and Brücker are generally positive about DORA, they do expect a few problems.
1. Heavy workload
‘If you are a CISO working solo at an organization that hasn’t spent a lot of resources on cybersecurity, DORA will mean a lot of extra work,’ says De Nies.
‘There is so much work coming up for the sector due to DORA and NIS2, that there probably won’t be enough people to complete it all in the time we have. Security people are scarce, so that’s the first challenge.’
2. Reporting incidents
‘DORA will require you to report security incidents. But the question is: how is that requirement managed?’ asks De Nies. ‘Where will that information end up? It can make organizations uneasy to have to report these kinds of incidents.’
3. Third party risks
A third challenge when it comes to DORA: gaining control of the third party risks, says De Nies: ‘What if your third party is a small IT supplier or a foreign party that you don’t have any control of? How are you going to manage that? That is unclear.’