
How does SharkStriker help you become Digital Operational Resilience Act (DORA) compliant? 

What is DORA? 

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), was published in the Official Journal of the European Union on 27 December 2022 to bolster cyber resilience in the European financial sector. It entered into force in January 2023 and applies from 17 January 2025.

Before DORA, financial entities did not have a single, comprehensive set of rules covering all aspects of operational resilience; requirements were scattered across sectoral legislation and national guidance. DORA seeks to protect financial market participants and to ensure that operations remain secure and reliable even in the event of a significant disruption to Information and Communication Technology (ICT).

One of its primary aims is to provide a detailed framework of best practices for managing operational risk, including cyber threats and disruptions caused by system failures. It also introduces, for the first time in EU financial regulation, a direct oversight framework under which European financial supervisors oversee critical ICT third-party providers (CTPPs), including cloud service providers (CSPs).

Primary Objectives of DORA 

To help all regulated financial entities and their third-party service providers achieve a high level of digital operational resilience.

To ensure that the entities in scope and their third-party providers possess the full range of ICT-specific capabilities needed to secure their network and information systems.

To enable entities and their associated third parties to keep delivering financial services, at the expected level of quality and without disruption, even while facing a cyberattack.

What is digital operational resilience?  

As defined by DORA, digital operational resilience is the ability of a financial entity to build, assure, and review its operational integrity and reliability, so that it can not only defend its ICT infrastructure against cyber threats but also withstand disruption and recover from it. 

What are the requirements for DORA? 

All entities in scope are required to adhere to the requirements stipulated in DORA for protecting against, detecting, containing, repairing, and recovering from ICT-related incidents. 

The European Union requires organizations to take a broader view of operational resilience and seeks to establish clear accountability at the senior management level. 

The recommended measures are distributed across domains including: 

ICT risk management and governance

Under DORA, the management body of the entity is accountable for the governance of ICT risk. It is responsible for defining the ICT risk management strategy and maintaining a risk management framework that is kept current with developments in the threat landscape. Entities must conduct continuous risk assessments, analyse the business impact of cyberattacks, and prepare business continuity and recovery plans. All of this must be documented.   

Incident Response and Reporting  

Entities must have a process in place for monitoring, classifying, recording, and reporting all ICT-related incidents. They must conduct root cause analysis, collect the necessary incident-specific evidence, and document and report incidents to the relevant parties. Major ICT-related incidents must be reported to the competent authority within the timelines DORA prescribes (an initial notification, followed by an intermediate report and a final report).   

Resilience Testing 

Entities are required to regularly test the defenses of their ICT systems, identify and address vulnerabilities, and prepare a detailed report with the findings classified by severity. ICT systems and applications supporting critical or important functions must be tested at least once a year, and entities identified by their competent authority must also undergo threat-led penetration testing (TLPT) at least every three years.  

Third-party (supply chain) risk management  

Financial entities must manage the risks associated with ICT third-party providers through their contractual arrangements and regular assessment of the providers' security posture. They must identify all dependencies on third parties and maintain a register of information covering all contractual arrangements with ICT providers. They must avoid excessive concentration on a single provider, and every agreement with an ICT third-party provider must contain the contractual provisions DORA requires.  

Information Sharing  

DORA allows financial entities to exchange cyber threat information and intelligence among themselves, within trusted communities, including indicators of compromise, security vulnerabilities, and the tactics, techniques, and procedures used by current threat actors. Entities that participate in such arrangements must notify their competent authority.  

To whom does DORA apply? 

DORA applies to financial entities operating in the EU, including: 

  • Credit institutions (banks) 
  • Investment firms 
  • Payment and electronic money institutions 
  • Crypto-asset service providers 
  • Crowdfunding service providers 
  • Insurance and reinsurance undertakings and intermediaries 
  • Credit rating agencies and data reporting service providers 
  • ICT third-party service providers that supply financial entities with ICT systems and services, such as data center and cloud services 

The following entities are excluded from the scope of DORA: 

  • Managers of alternative investment funds that fall under the exemption in Article 3(2) of Directive 2011/61/EU (AIFMD) 
  • Small insurance and reinsurance undertakings exempted under Article 4 of Directive 2009/138/EC (Solvency II) 
  • Institutions for occupational retirement provision that operate pension schemes with fewer than 15 members in total 
  • Natural and legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU (MiFID II) 
  • Insurance intermediaries that are microenterprises or small or medium-sized enterprises 
  • Post office giro institutions 

What are the consequences of being non-compliant with DORA? 

Entities that cannot demonstrate adherence to DORA once it applies, from 17 January 2025, will be subject to enforcement by the "competent authorities". These are the designated financial regulators of each EU member state. They have the power to order remediation measures and to impose administrative penalties on non-compliant entities within DORA's scope.   

ICT third-party providers designated as critical are overseen by a Lead Overseer, one of the European Supervisory Authorities (EBA, EIOPA or ESMA). The Lead Overseer can impose periodic penalty payments on a non-compliant critical provider of up to 1 percent of its average daily worldwide turnover in the preceding business year, applied for every day of non-compliance for up to six months until the provider complies. 

What are the business benefits for DORA? 

The following are some of the business benefits of DORA: 

Promotes transparency and accountability: It requires financial entities to keep records of their ICT assets, contractual arrangements, and incidents, promoting transparency and accountability.  

Improved operational resilience: It ensures that entities take measures to ensure operational resilience by periodically assessing the integrity and reliability of ICT systems, making way for uninterrupted operations in financial sectors. 

Helps them stay proactively prepared for cyberattacks: DORA codifies best practices for incident response, preparing organizations for the most damaging cyberattacks and helping them secure their most valuable financial assets and systems.  

Periodic review of security posture: It requires periodic assessment of the entity's cyber security posture, ensuring it keeps pace with the latest developments in the threat landscape.  

Reduces the cost of incident response: A comprehensive set of practices and mechanisms for keeping systems and information assets secure from ICT-related incidents reduces the cost incurred when an incident does occur.  

Promotes information sharing on the latest cyber risks and threats: It encourages financial entities to exchange threat information and intelligence, helping them stay ahead of threat actors in an evolving landscape. 

Prepares entities for third-party risk: DORA requires entities to regularly assess the security risks posed by their third-party providers and to plan for backup, recovery, and exit from those providers, limiting the damage when a provider is compromised or fails.  

Improve the reliability of ICT systems: Encourages regular security assessment of ICT systems, making them more reliable for uninterrupted operation and consistent delivery of quality.  

What are the business challenges of being compliant with DORA? 

Alongside the benefits DORA offers, it is important to consider the challenges of complying with it: 

Having a framework in place that addresses all the aspects of DORA requirements 

  • Establishing a framework that encompasses all the measures, policies, and procedures DORA calls for is difficult because of the breadth and complexity of the requirements.  

Challenge managing the risks associated with ICT 

  • The risks associated with ICT are highly complex. Understanding them and implementing measures to treat them needs a level of expertise that not all organizations may have onboard.  

Incident response-specific challenges 

  • DORA requires entities to have a comprehensive incident response plan that addresses ICT-related risk, and to classify and report incidents to the relevant authorities within fixed deadlines. Meeting these obligations can be a significant challenge for organizations without a mature incident management process.   

Ensuring operational resilience 

  • DORA expects financial entities to establish operational resilience by building, assuring, and reviewing their operational integrity and reliability, and to protect themselves against sophisticated threats. Implementing this across a complex estate is demanding.  

Assessing risks across Critical Third-Party Providers 

  • Under DORA, organizations must manage risk across all of their ICT third-party suppliers, not only those designated as Critical Third-Party Providers (CTPPs), through periodic assessments.  

How does SharkStriker help you become DORA compliant? 

We understand that staying compliant is hard for a small cybersecurity and compliance team, especially in an environment that is constantly changing.  

Risk Assessment across ICT Setup  

We assess ICT-related risk using Vulnerability Assessment and Penetration Testing (VAPT) across the infrastructure, exercising real-world attack techniques and classifying every finding by severity.  

Gap Assessment   

The next step is to identify the gaps between the current state of the IT infrastructure and DORA's requirements, so that they can be addressed with appropriate measures.  

Risk Treatment Plan   

We prepare a detailed plan comprising the controls, policies, procedures, rules, and measures needed to treat cybersecurity and compliance risks, including the handling of ICT-related incidents across the IT infrastructure.  

Implementation  

We implement the risk treatment plan with appropriate expertise, processes, and technology.  

Post-implementation Assessment 

We conduct an assessment to identify and address gaps (if any) in the implementation.  

Training and Awareness  

We close awareness gaps in compliance through training delivered at multiple levels of the organization.  

Implement best practices for securing financial information with SharkStriker’s compliance management services for DORA  
