The cyber threat landscape has continued to evolve, with sophisticated threats such as ransomware increasing in frequency and impact. To combat this rise in cybercrime, regulatory bodies have taken a renewed interest in ensuring organisations are continually improving their security posture and hardening their defenses.
This is especially true for the financial industry, where interconnected, often global, organisations are top targets for cybercriminals, in large part because they are responsible for valuable financial data and personally identifiable information (PII) for business partners, clients, and third parties.
The Digital Operational Resilience Act (DORA), enacted by the European Union (EU), goes into effect in January 2025, and is meant to reduce these financial organisations’ risk levels by requiring certain security controls and other measures to strengthen their operational security.
What is DORA?
The DORA EU regulation 2022/2554 is focused on digital operational resilience for the financial sector. It sets requirements covering information and communications technology (ICT) risk management, incident reporting, digital operational resilience testing, information sharing, and third-party risk management.
It takes effect in January 2025, and applies to any organisation that is located in or does financial business in the EU, including in or with: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, Switzerland. Even though DORA is an EU law, it will apply to some U.K. organisations. For example, if a U.K. financial institution has operations or clients in the EU, that institution would need to comply with DORA to maintain market access.
In addition to the requirements above, DORA establishes:
- Requirements in relation to contractual arrangements between financial entities and ICT third-party service providers
- Rules for an oversight framework for critical ICT third-party service providers when providing services to financial entities
- Rules on cooperation among supervisory authorities, and on supervision and enforcement
The Five Pillars of DORA
There are five pillars that all the requirements of DORA fall under:
1. ICT risk management. The first pillar of DORA requires financial entities to establish a risk management framework centred on identification, protection and prevention, detection, response and recovery, backup, learning, and communication.
2. ICT-related incident classification and reporting. DORA’s second pillar includes the development and implementation of standardised incident classification, the reporting of major ICT incidents, and centralised EU record-keeping of major incidents.
3. Digital operational resilience testing. Under this pillar, financial entities are required to establish a comprehensive testing program, including but not limited to vulnerability assessments and scans, open-source analysis, network assessments, gap analysis, source code review, scenario-based tests, compatibility tests, performance tests, penetration tests, and end-to-end tests.
4. ICT third-party risk. This pillar requires the management of third-party risk, including revising contracts, enhancing oversight mechanisms, and regularly assessing risk.
5. Information sharing. Under this pillar, DORA encourages the sharing of threat intelligence and other information with EU entities.
Combined, these pillars represent a comprehensive cybersecurity strategy that contains both proactive and reactive components, and encourages collaboration to reduce risk across organisations.
DORA Compliance Requirements
Achieving DORA compliance is not a one-and-done task. It will take time for organisations to harden their security posture, implement required technologies, and adapt their operational processes to maintain compliance. However, it is critical for organisations to align their cybersecurity strategy with the DORA requirements by the implementation date, as non-compliance could lead to administrative fines, reprimands, withdrawal of authorisations, and criminal charges.
The 14 steps an organisation can take to achieve DORA compliance and fulfill the requirements listed above are:
1. Understand the DORA requirements as they relate to your organisation’s operations and cybersecurity.
2. Perform a privacy information assessment (PIA).
3. Perform a threat risk assessment (TRA).
4. Bring in stakeholders and assign roles and responsibilities.
5. Implement security awareness training.
6. Build an operational resilience plan.
7. Conduct regular digital operational resilience testing (DORT) and penetration testing.
8. Automate your threat detection.
9. Regularly review your cybersecurity strategy.
10. Understand the worst-case scenario.
11. Secure your data.
12. Consider utilizing a third-party vendor.
13. Be prepared to provide evidence of your cybersecurity tools and security posture.
14. Understand your environment and ensure end-to-end security.
Strengthen Your Security Posture with Arctic Wolf
Compliance guidelines can help protect data from unauthorized access, and failure to follow guidelines or take proper security precautions may increase an organisation’s cyber risk or potentially increase the likelihood of an incident. And while compliance is not the same as security, the two are intrinsically linked.
As the industry leader in security operations, Arctic Wolf can help your organisation advance its security journey, helping you mature your security posture over time.
The Arctic Wolf® Security Operations Platform is combined with our Concierge Delivery Model, which pairs a team of security operations experts directly with your IT or security staff to ensure you have on-demand security expertise and strategic guidance every step of the way on your security journey.
Arctic Wolf Security Operations solutions help you address cyber risk end to end, with capabilities that include:
- Risk assessments
- Incident response
- Security awareness training
- Automated threat detection
- Evidence, artifacts, and reporting
- External security expertise
- And more
Learn more about how Arctic Wolf’s solutions work together to help your organisation increase operational resilience.
Learn more about the DORA Act and what steps your organisation needs to take to become compliant.
This information is provided for informational purposes and is not legal advice and should not be interpreted as such. Consult with your own legal counsel to determine your regulatory obligations and assess the effectiveness of your compliance programs. Arctic Wolf products and services are not compliance solutions but are tools that can support your compliance programs.