Author: Liesbeth Sparks, Content writer cybersecurity
Can you give us a summary of the new DORA regulation? This is a question Secura often gets asked. Anne de Nies and Ben Brücker, both experts at Secura, answer the most frequently asked questions about DORA.
DORA stands for Digital Operational Resilience Act. The European financial sector must comply with this European cybersecurity directive by the start of 2025.
Anne de Nies, Group Manager Finance at Secura
‘DORA focuses on protecting networks and information systems. It is a European directive that the whole financial sector in the EU must follow,’ says Anne de Nies.
She works as Group Manager Finance at Secura and helps organizations in the financial sector with their digital security. ‘The aim of this law is to make the sector more resilient against digital risks.’
Although DORA has been adopted by the European Parliament, the legislation per country is still being worked out, Red Teaming manager Ben Brücker explains: ‘The member states will interpret the directive in their own laws.’
‘For example: DORA requires you to have a Risk Management Framework. But which framework? Each EU country will probably determine that themselves.'
De Nies: ‘The DORA regulation came into effect on January 16 of this year. It’s now up to the individual EU countries to implement the directive. From 1 January 2025, all companies must comply. The Regulatory Technical Standards, or RTS, are expected to be available in June 2023.’
That means organizations have quite some time to prepare, says De Nies: ‘Because this is a complex European directive, the EU has opted for a long implementation period of 24 months.’
‘Of course the financial world is already covered by all kinds of laws and regulations and the supervision that comes with these laws,’ says De Nies. ‘But they mainly focus on the financial aspect, like credit risks or anti-fraud.’
The last few years have seen an increase in cybersecurity requirements: ‘In 2016 we had the NIS directive, aimed at securing network and information systems. But DORA is the first European standard for the financial sector that explicitly says: you must map your digital ICT risks.’
All financial organizations will have to meet the same requirements, more or less, De Nies explains: ‘This regulation doesn’t only apply to the major banks, who are often well regulated anyway and who really prioritize cybersecurity.’
‘The biggest advantage of DORA is that the entire sector will become more resilient to threats,’ says De Nies. ‘And we expect international cooperation to become easier, because we’re all required to work in the same way.’
DORA will not only apply to banks and financial institutions, but also to critical suppliers to the financial sector, explains De Nies: ‘For example: the company that manages the network of a bank.’
‘If the bank is safe, but the ICT supplier is not, you still have a major risk. That is why these suppliers are also covered by DORA.’ However, critical service providers will have slightly different rules than banks or asset managers.
Ben Brücker, Senior Security Specialist | Manager Red Teaming
‘I don’t expect DORA will be very exciting for large banks and pension funds that already spend a lot of time on security’, says De Nies. These large companies should do a gap analysis: in which areas are we already compliant and what do we still need to do?
‘It’s the smaller companies that face a challenge. They may need to start taking measures they haven’t needed before.’
The 5 main elements of DORA are:
DORA means an expanded incident response process, says De Nies: ‘Previously, this process was a standard part of the risk management framework that an organization already had. But DORA takes it a step further. You have to classify an incident and, in certain cases, report it correctly.’
The new legislation also means: more and mandatory testing, says Brücker. ‘Financial institutions must perform a Threat-Led Penetration Test, or TLPT, once every three years. These tests can also include IT service providers. Testing is not yet mandatory at the moment, so that is a change.'
The type of TLPT test that DORA will make mandatory will probably be a variation on the existing TIBER standard. ‘We call this Advanced Red Teaming, or ART,’ Brücker explains.
In the Netherlands, De Nederlandsche Bank will supervise the new standard. Any findings can also be shared anonymously via DNB.
The advantage of an Advanced Red Teaming test is that an ART-test is less expensive than a test according to the TIBER standard, which, says Brücker, can cost up to one hundred and fifty man hours.
Brücker: ‘They are now looking for a variant of TIBER that has sufficient depth to create an accurate picture of a company’s cyber resilience, but in a way that makes the test affordable.’
Not everything is clear yet, says Brücker: ‘Suppose an organization is located in France and in the Netherlands. Is it sufficient for that organization to meet the French requirements of DORA? Or do you also have to follow the Dutch interpretation exactly? These details are not yet clear.’
DORA is not the only major cybersecurity directive to come into force in 2025. NIS2 also sets requirements for the digital security of companies and organizations in Europe.
How do these two directives relate to each other? De Nies: ‘Both involve IT security. The difference is that DORA focuses purely on the financial sector and NIS2 covers all critical sectors. DORA will be leading for the financial sector.’
Yes, there certainly will be sanctions, says Brücker. ‘The regulator, probably the central bank of a member state, can impose a penalty for non-compliance with the directive. The penalty will be 1% of the average daily turnover for every day that the organization does not comply with the guideline, for a maximum of six months.’
Is your organization getting started in cybersecurity? You could keep these steps in mind when preparing for DORA.
‘Preparing for DORA starts on the process side,’ advises De Nies. ‘It is a good idea to first check whether you have an ICT Risk Management Framework. That’s the basis. There are standard frameworks you can use if you don’t already have one.’
If you already have a framework in place, check whether there are gaps between your framework and the new regulation. Is security testing already part of your risk management or not? And what about your suppliers?
Think about your incident process. Do you have the capacity to report incidents in a proper way?
‘What am I going to test? When will I test it? How am I going to demonstrate what I have tested? Make sure you have a test program or test plan in place for the upcoming years, and find a partner with the capacity to help you execute it.’
Does your organization already have a mature security posture? In that case De Nies’ advice is to conduct a gap analysis to check which additional measures you need to implement for DORA.
Although De Nies and Brücker are generally positive about DORA, they do expect a few problems.
‘If you are a CISO working solo at an organization that hasn’t spent a lot of resources on cybersecurity, DORA will mean a lot of extra work,’ says De Nies.
‘There is so much work coming up for the sector due to DORA and NIS2, that there probably won’t be enough people to complete it all in the time we have. Security people are scarce, so that’s the first challenge.’
‘DORA will require you to report security incidents. But the question is: how is that requirement managed?’ asks De Nies. ‘Where will that information end up? It can make organizations uneasy to have to report these kinds of incidents.’
A third challenge when it comes to DORA: gaining control of the third party risks, says De Nies: ‘What if your third party is a small IT supplier or a foreign party that you don’t have any control of? How are you going to manage that? That is unclear.”
Does DORA affect your organization? Secura can help you prepare for DORA, so that you are ready by January 2025. Please contact Anne de Nies or Ben Brücker to discuss the possibilities.
If you need more information on DORA, fill in the form below and we will get back to you within one business day.
Liesbeth Sparks, content writer at Secura, was trained as a journalist and historian. She has worked in cybersecurity since 2019.
