A summary of the new DORA regulation
9 QUESTIONS AND ANSWERS ABOUT THE DIGITAL OPERATIONAL RESILIENCE ACT
By Liesbeth Sparks, content writer cybersecurity at Secura
Can you give us a summary of the new DORA regulation? This is a question Secura often gets asked. Anne de Nies and Ben Brücker, both experts at Secura, answer the most frequently asked questions about DORA.
DORA stands for Digital Operational Resilience Act. The European financial sector must comply with this European cybersecurity regulation by the start of 2025.
1. WHAT IS DORA?
'DORA focuses on protecting networks and information systems. It is a European directive that the whole financial sector in the EU must follow,’ says Anne de Nies. She works as Group Manager Finance at Secura and helps organizations in the financial sector with their digital security.
‘The aim of this law is to make the sector more resilient against digital risks.’ Although DORA has been adopted by the European Parliament, the legislation per country is still being worked out, Red Teaming manager Ben Brücker explains: ‘The member states will interpret the directive in their own laws.’
‘For example: DORA requires you to have a Risk Management Framework. But which framework? Each EU country will probably determine that themselves.’
2. WHEN WILL DORA APPLY TO MY ORGANIZATION?
De Nies: ‘The DORA regulation came into effect on January 16 of this year. It’s now up to the individual EU countries to implement the directive. From 1 January 2025, all companies must comply. The Regulatory Technical Standards, or RTS, are expected to be available in June 2023.’
That means organizations have quite some time to prepare, says De Nies: ‘Because this is a complex European directive, the EU has opted for a long implementation period of 24 months.’
3. WHY WAS DORA INVENTED?
‘Of course the financial world is already covered by all kinds of laws and regulations and the supervision that comes with these laws,’ says De Nies. ‘But they mainly focus on the financial aspect, like credit risks or anti-fraud.’
The last few years have seen an increase in cybersecurity requirements: ‘In 2016 we had the NIS directive, aimed at securing network and information systems. But DORA is the first European standard for the financial sector that explicitly says: you must map your digital ICT risks.’
All financial organizations will have to meet the same requirements, more or less, De Nies explains: ‘This regulation doesn’t only apply to the major banks, who are often well regulated anyway and who really prioritize cybersecurity.’
‘The biggest advantage of DORA is that the entire sector will become more resilient to threats,’ says De Nies. ‘And we expect international cooperation to become easier, because we’re all required to work in the same way.’
4. WHO WILL DORA APPLY TO?
DORA will not only apply to banks and financial institutions, but also to critical suppliers to the financial sector, explains De Nies: ‘For example: the company that manages the network of a bank.’
‘If the bank is safe, but the ICT supplier is not, you still have a major risk. That is why these suppliers are also covered by DORA.’ However, critical service providers will have slightly different rules than banks or asset managers.
5. WHAT DOES DORA MEAN FOR MY ORGANIZATION?
‘I don’t expect DORA will be very exciting for large banks and pension funds that already spend a lot of time on security,’ says De Nies. These large companies should do a gap analysis: in which areas are we already compliant and what do we still need to do?
‘It’s the smaller companies that face a challenge. They may need to start taking measures they haven’t needed before.’
The 5 main elements of DORA are:
- An organization must have an ICT Risk Management Framework
- An organization must have an Incident Response Process
- Security testing must be done more often and will be mandatory
- Third party risks must be mapped out, for example the risks your suppliers run
- Threat intelligence sharing will be mandatory
INCIDENT PROCESS EXPANDED
DORA means an expanded incident response process, says De Nies: ‘Previously, this process was a standard part of the risk management framework that an organization already had. But DORA takes it a step further. You have to classify an incident and, in certain cases, report it correctly.’
MORE FREQUENT AND MANDATORY TESTING
The new legislation also means: more and mandatory testing, says Brücker. ‘Financial institutions must perform a Threat-Led Penetration Test, or TLPT, once every three years. These tests can also include IT service providers. Testing is not yet mandatory at the moment, so that is a change.'
The type of TLPT (Threat-Led Penetration Test) that DORA will make mandatory will probably be a variation on the existing Red Teaming standards. However, the Regulatory Technical Standards on this topic are not yet definite.
In the Netherlands, De Nederlandsche Bank will supervise the new standard. Any findings can also be shared anonymously via DNB.
Ben Brücker: ‘It is important to execute a test that has sufficient depth to create an accurate picture of a company’s cyber resilience, but in a way that makes the test affordable.’
NOT CLEAR YET
Not everything is clear yet, says Brücker: ‘Suppose an organization is located in France and in the Netherlands. Is it sufficient for that organization to meet the French requirements of DORA? Or do you also have to follow the Dutch interpretation exactly? These details are not yet clear.’
6. WHAT IS THE RELATIONSHIP BETWEEN NIS2 AND DORA?
DORA is not the only major piece of European cybersecurity legislation that organizations will have to comply with by 2025. NIS2 also sets requirements for the digital security of companies and organizations in Europe.
How do these two directives relate to each other? De Nies: ‘Both involve IT security. The difference is that DORA focuses purely on the financial sector and NIS2 covers all critical sectors. DORA will be leading for the financial sector.’
7. WILL THERE BE SANCTIONS IF MY ORGANIZATION DOES NOT COMPLY WITH DORA?
Yes, there certainly will be sanctions, says Brücker. ‘The regulator, probably the central bank of a member state, can impose a penalty for non-compliance with the directive. The penalty will be 1% of the average daily turnover for every day that the organization does not comply with the guideline, for a maximum of six months.’
8. WHERE SHOULD MY ORGANIZATION START WITH DORA?
STEP 1: MAP OUT YOUR RISK MANAGEMENT
‘Preparing for DORA starts on the process side,’ advises De Nies. ‘It is a good idea to first check whether you have an ICT Risk Management Framework. That’s the basis. There are standard frameworks you can use if you don’t already have one.’
STEP 2: DO A GAP ANALYSIS
If you already have a framework in place, check whether there are gaps between your framework and the new regulation. Is security testing already part of your risk management or not? And what about your suppliers?
STEP 3: CHECK YOUR INCIDENT PROCESS
Think about your incident process. Do you have the capacity to report incidents in a proper way?
STEP 4: CREATE OR IMPROVE YOUR TEST PLAN
‘What am I going to test? When will I test it? How am I going to demonstrate what I have tested? Make sure you have a test program or test plan in place for the upcoming years, and find a partner with the capacity to help you execute it.’
Does your organization already have a mature security posture? In that case De Nies’ advice is to conduct a gap analysis to check which additional measures you need to implement for DORA.
9. WHAT’S THE BIGGEST CHALLENGE WHEN IT COMES TO DORA?
Although De Nies and Brücker are generally positive about DORA, they do expect a few problems.
1. HEAVY WORK LOAD
‘If you are a CISO working solo at an organization that hasn’t spent a lot of resources on cybersecurity, DORA will mean a lot of extra work,’ says De Nies.
‘There is so much work coming up for the sector due to DORA and NIS2, that there probably won’t be enough people to complete it all in the time we have. Security people are scarce, so that’s the first challenge.’
2. REPORTING INCIDENTS
‘DORA will require you to report security incidents. But the question is: how is that requirement managed?’ asks De Nies. ‘Where will that information end up? It can make organizations uneasy to have to report these kinds of incidents.’
3. THIRD PARTY RISKS
A third challenge when it comes to DORA: gaining control of the third party risks, says De Nies: ‘What if your third party is a small IT supplier or a foreign party that you don’t have any control of? How are you going to manage that? That is unclear.’
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80,000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.