DORA, the new standard for digital operational resilience in Europe
The new Digital Operational Resilience Act (DORA) for the financial sector was adopted by the European Union in late 2022. It will come into force in January 2025, requiring European financial players to implement a set of measures to ensure the continuity of their services and, more broadly, their digital resilience. “National regulators, such as the CSSF or the CAA in Luxembourg, and international supervisory bodies, such as the EBA or EIOPA, have already defined a series of requirements and best practices to be followed,” explains Aline Moyret, Head of Consulting Services at EBRC. “DORA amplifies these rules of good conduct in the digital world. A European act, such as DORA or the GDPR, applies uniformly throughout the Union, without having to be transposed into national legislation. De facto, this new text will contribute to the harmonisation of the rules on governance and risk management as far as the use of digital resources supporting financial activities is concerned.”
Thanks to DORA: The more you understand the risks, the more prepared you are to respond
Oversight of ICT service providers
With the growing interdependence between business and technology, the European legislator wanted to raise awareness and impose a framework on players in the wider financial sector. Christophe Ruppert, Lead Business Continuity Management at EBRC, explains: “Here, the DORA regulation aims at ensuring everyone is able to deal with any possible incident and be ready to overcome it while limiting the business impact.” The risks are of various kinds. While one often thinks of IT security, aimed at safeguarding the organisation's digital assets from malicious intent, there are other considerations that need to be addressed, such as those related to critical third-party ICT service providers (CTPPs). “Operations are increasingly dependent on IT resources managed by external partners and subcontractors. There is reason to wonder what the consequences might be, from a value chain assembly perspective, if a service provider were to fail,” comments Christophe Ruppert. “Through DORA, which formally introduces the concept of resilience, the regulator wants to oblige all players to better understand these risks and to implement adequate measures to respond to them, but also to test them in real conditions.”
The DORA regulation accelerates the migration of activities to the Cloud
The resilience of processes and workloads moved to the cloud, especially the public cloud (IaaS, PaaS and SaaS services), therefore also falls largely under DORA's purview. Far from predicting a step back from cloud adoption or scale-up strategies, DORA goes much further: the regulation calls for a cloud-agnostic culture, that is, a culture of portability across clouds and any other outsourced service. A real challenge.
The five pillars of the DORA (Digital Operational Resilience Act) regulation
In order to set finance players on a path to greater resilience, DORA is built around five main pillars.
- ICT risk management: IT risk management, based on ad hoc governance, which implies risk analysis mechanisms, resource mapping or business continuity plans for example.
- Incident reporting: Financial institutions have a set of reporting requirements related to incidents involving Information and Communication Technology (ICT).
- Testing: DORA provides a mechanism to test the digital operational resilience of organisations, including the use of a Red Team to assess the incident response of supervised bodies.
- Risk management for third parties: A large chapter is devoted to risk management for subcontractors or the use of external resources, such as the cloud.
- Information and intelligence sharing: To enable everyone to better understand the risks and threats.
DORA in Europe, a framework adapted to the implementation of good practices
Through DORA, the regulator will align best practice, introducing new requirements for financial players. “For most players, we are fortunately not starting from scratch. We need to consider what is already implemented and how to strengthen its resilience effectively using detailed risk management assessments,” comments Christophe Ruppert. “From this perspective, EBRC relies on a standardised approach to help players meet these challenges. We provide our clients with expertise and a framework adapted to the implementation of best practices in resilience and service continuity. This starts with an assessment of the maturity of the players regarding standards such as ISO 22301, relating to business continuity, or ISO 27001, concerning information security management.” “This approach is complemented by a cross-cutting analysis,” adds Aline Moyret, Head of Consulting Services at EBRC. “The objective is to ensure that, for an identified threat, the implemented continuity and cyber security systems are comprehensive and consistent, from risk analysis to operational response.”
DORA: Strengthening the entire ecosystem based on a common foundation
DORA secures data within financial institutions and subcontractors
The approach involves identifying the various risks, assessing their impact on the business and implementing responses. “This can involve in particular the formalisation of crisis management procedures,” says Christophe Ruppert. “It is not unusual to have these procedures within the company, but formalising them is essential.” However, it is important to consider the challenges faced by the business and ensure that everything is in accordance with the principle of proportionality that prevails in the context of this regulation. “DORA requires players to better supervise and manage their risks, with a view to preserving the business. While this regulation aims at limiting systematic risks, it also supports the sustainability of each player,” comments Aline Moyret. “By indirectly extending to subcontractors, as regulated entities must ensure that their continuity guarantees are upheld, DORA contributes to strengthening the entire ecosystem.”
Provisions in line with DORA guidelines
Beyond the support offered to help organisations strengthen their resilience, EBRC has also developed a set of services and tools with a view to industrialising the process. The Cyber-Resilience Portal, for example, eases the management and sharing of information about the identified risks and the responses provided, in order to assess their various impacts on the organisation's business continuity (regulation, operations, image and reputation, revenue), with a view to continuously improving that continuity.
EBRC supports companies in the financial sector
Finally, EBRC, and more broadly Post CyberForce, offers operational responses to the requirements and to certain risks identified by the regulation. CyberForce, via its SOC (Security Operations Centre) and CSIRT services, provides an operational response for the detection of and response to cyber incidents. The COS (CyberForce Offensive Security) team offers Red Team type services to test the resilience of the organisation. Lastly, through its managed and cloud services and multi-cloud environments, EBRC assists its clients in designing resilient environments that take these compliance needs into account.