Preparing for the new DORA regulation (Digital Operational Resilience Act)

DORA regulation against IT risks
By EBRC 03/05/2023

DORA (Digital Operational Resilience Act), the latest European regulation, will come into force on January 17, 2025. It aims to support the operational resilience of financial players in the cyber environment by harmonising requirements across the European Union. In EBRC's view, the players concerned will need to build new capabilities to ensure the continuity of their services.

DORA, the new standard for digital operational resilience in Europe

The new Digital Operational Resilience Act (DORA) for the financial sector was adopted by the European Union in late 2022. It will come into force in January 2025, requiring European financial players to implement a set of measures to ensure the continuity of their services and, more broadly, their digital resilience. “National regulators, such as the CSSF or the CAA in Luxembourg, and international supervisory bodies, such as the EBA or EIOPA, have already defined a series of requirements and best practices to be followed,” explains Aline Moyret, Head of Consulting Services at EBRC. “DORA amplifies these rules of good conduct in the digital world. A European act, such as DORA or the GDPR, applies uniformly throughout the Union, without having to be transposed into national legislation. De facto, this new text will contribute to the harmonisation of the rules on governance and risk management as far as the use of digital resources supporting financial activities is concerned.”


Thanks to DORA: The more you understand the risks, the more prepared you are to respond

Oversight of ICT service providers

With the growing interdependence between business and technology, the European legislator wanted to raise awareness and impose a framework on players in the wider financial sector. Christophe Ruppert, Lead Business Continuity Management at EBRC, explains: “Here, the DORA regulation aims at ensuring everyone is able to deal with any possible incident and be ready to overcome it while limiting the business impact.” The risks are of various kinds. While one often thinks of IT security, aimed at safeguarding the organisation's digital assets from malicious intent, there are other considerations that need to be addressed, such as those related to critical third-party ICT service providers (CTPPs). “Operations are increasingly dependent on IT resources managed by external partners and subcontractors. There is reason to wonder what the consequences might be, from a value chain perspective, if a service provider were to fail,” comments Christophe Ruppert. “Through DORA, which formally introduces the concept of resilience, the regulator wants to oblige all players to better understand these risks and to implement adequate measures to respond to them, but also to test them in real conditions.”

The DORA regulation accelerates the migration of activities to the Cloud

DORA's purview therefore also, and largely, covers the resilience of processes and workloads moved to the cloud, especially the public cloud (IaaS, PaaS and SaaS services). DORA goes much further than imposing a step backwards in cloud adoption or scale-up strategies: the regulation calls for a cloud-agnostic culture, that is, portability across clouds or any other outsourced service. A real challenge.


The five pillars of the DORA (Digital Operational Resilience Act) regulation

In order to set finance players on a path to greater resilience, DORA is built around five main pillars.

  1. ICT risk management: IT risk management built on dedicated governance, which implies, for example, risk analysis mechanisms, resource mapping and business continuity plans.
  2. Incident reporting: Financial institutions have a set of reporting requirements related to incidents involving Information and Communication Technology (ICT).
  3. Testing: DORA provides a mechanism to test the digital operational resilience of organisations, including the use of a Red Team to assess the incident response of supervised bodies.
  4. Risk management for third parties: A large chapter is devoted to risk management for subcontractors or the use of external resources, such as the cloud.
  5. Information and intelligence sharing: to enable everyone to better understand the risks and threats.

DORA in Europe, a framework adapted to the implementation of good practices

Through DORA, the regulator will align best practice, introducing new requirements for financial players. “For most players, we are fortunately not starting from scratch. We need to consider what is already implemented and how to strengthen its resilience effectively using detailed risk management assessments,” comments Christophe Ruppert. “From this perspective, EBRC relies on a standardised approach to help players meet these challenges. We provide our clients with expertise and a framework adapted to the implementation of best practices in resilience and service continuity. This starts with an assessment of the maturity of the players regarding standards such as ISO 22301, relating to business continuity, or ISO 27001, concerning information security management.” “This approach is complemented by a cross-cutting analysis,” adds Aline Moyret, Head of Consulting Services at EBRC. “The objective is to ensure that for an identified threat, the implemented continuity and cyber security systems are comprehensive and consistent, from risk analysis to operational response.”

DORA: Strengthening the entire ecosystem based on a common foundation

DORA secures data within financial institutions and subcontractors

The approach involves identifying the various risks, assessing their impact on the business and implementing responses. “This can involve in particular the formalisation of crisis management procedures,” says Christophe Ruppert. “It is not unusual to have these procedures within the company, but formalising them is essential.” However, it is important to consider the challenges faced by the business and to ensure that everything is in accordance with the principle of proportionality that prevails in the context of this regulation. “DORA requires players to better supervise and manage their risks, with a view to preserving the business. While this regulation aims at limiting systematic risks, it also supports the sustainability of each player,” comments Aline Moyret. “By indirectly extending to subcontractors, as regulated entities must ensure that their continuity guarantees are upheld, DORA contributes to strengthening the entire ecosystem.”

Provisions in line with DORA guidelines

Beyond the support offered to help organisations strengthen their resilience, EBRC has also developed a set of services and tools with a view to industrialising the process. The Cyber-Resilience Portal, for example, facilitates the management and sharing of information on the identified risks and the responses provided, in order to assess their various impacts on the organisation's business continuity (regulation, operations, image and reputation, revenue) and to continuously improve it.

EBRC supports companies in the financial sector

Finally, EBRC, and more broadly Post CyberForce, offers an operational response to the requirements and to certain risks identified by the regulation. CyberForce, via its SOC (Security Operations Centre) and CSIRT services, provides operational detection of and response to cyber incidents. The COS (CyberForce Offensive Security) team offers Red Team type services to test the resilience of the organisation. Finally, through its managed and cloud services and multi-cloud environments, EBRC assists its clients in designing resilient environments that take these compliance needs into account.