What organizations need to know about the Digital Operational Resilience Act (DORA)

In this Help Net Security interview, Kris Lovejoy, Global Security and Resilience Leader at Kyndryl, discusses the impact of the Digital Operational Resilience Act (DORA) on organizations across the EU, particularly in ICT risk management and cybersecurity.

With a focus on enhancing enterprise cyber resiliency, DORA brings sector-specific regulations applicable to financial entities (FEs) and third-party service providers. Lovejoy discusses the alignment between DORA and NIS2 directives, the timeline for DORA’s implementation, and the imperative steps organizations must take to ensure compliance by the 2025 deadline.

How will DORA impact organizations across the EU, particularly regarding ICT risk management and cybersecurity?

The Digital Operational Resilience Act is among several recent and emerging regulations in the EU, created to enhance and standardize requirements for enterprise cyber resiliency. DORA is specific to financial entities operating in the EU-27 — including banks, insurance companies, credit agencies and more — and third-party service providers, such as Kyndryl, that support them. Now regulatory compliance (and associated fines and legal fees) and cyber insurance repercussions will compound the effects of cybersecurity breaches.

How does DORA align with or differ from other cybersecurity directives like NIS2, and what unique challenges does it present?

DORA and NIS2 (the revised Network and Information Security Directive) have the same objectives and have been introduced at the same time, with roughly similar implementation timelines. A key difference, however, is that DORA is a sector-specific regulation with direct applicability to 20 financial entities whereas NIS2 is a horizontal directive applicable to 18 sectors ranging from energy, transport, digital infrastructure to manufacturing and retail. To avoid overlaps, the regulators have specified that entities in scope of DORA would not need to comply with some of the key NIS2 provisions such as the risk management framework and the reporting obligations.

What is the timeline for DORA’s implementation, and what steps should organizations take to ensure compliance by the 2025 deadline?

DORA, came into force on January 16, 2023 and will be fully effective on January 17, 2025. Next January may seem like a distant target. But in the complex world of financial services information and communication technology (ICT), one year is hardly enough.

Affected firms must strengthen (or build), pressure test and implement the critical systems and protocols that will protect both operational and personal data from adverse manipulation, destruction or theft. If they don’t, they’ll be subject to sanctions and penalties — up to and including the C-suite and board of directors — in addition to operational and reputational damage.

DORA emphasizes the importance of ICT-related incident reporting. Can you elaborate on the requirements for incident reporting and how this will improve operational resilience?

DORA will require FEs to report any major ICT incidents to their corresponding competent authorities via specific reporting templates in specifically prescribed timelines. Any reports must also include all the necessary details for the receiving competent authority to then ascertain the level of ICT incident and any possible cross cross-border impact posed.

Prior to DORA, the EU operational resilience and cybersecurity risk management governance model for FEs was based on a disparate collection of national rules, guidelines, and practices that did not empower EU financial supervisors to impose uniform requirements on FEs nor to assess the risks arising from their dependence on TSPs. DORA tackles these disparities and uneven national regulatory or supervisory approaches.

What are the resilience testing requirements under DORA, and how will they help identify and mitigate vulnerabilities?

For FEs regular testing of ICT systems to evaluate strengths and identify vulnerabilities will now become of paramount importance, as results and subsequent plans to address any areas of concern will need to be shared with the relevant competent authorities. Under DORA, FEs will also be required to undertake annual basic testing, such as vulnerability assessments and scenario-based testing, whilst those considered to have a critical role in the financial system and their ICT providers will also need to undergo additional threat-led penetration testing (TLPT) every three years.

How does DORA impact the role of internal audit within financial institutions, especially concerning third-party outsourcing?

DORA will require internal audit functions to review and potentially augment all their current plans and programs, as these will now need to pinpoint potential risks to FEs via third-party ICT providers. This means that internal audit functions should be challenging their established risk-identifying process regularly, maintain a register of information related to all contractual agreements, and report to regulators annually.

FEs can outsource their reporting obligations to a third-party, but ultimately remain responsible for compliance with obligations under DORA. The application of DORA safe protocols should not be considered as a fire drill, as proper planning for critical cyber activity requires considerable and regular training, senior management support and properly prepared security operations teams to be most effective.