In response to
Evidence shows that many entities have
DORA scope and applicability (Articles 1 through 3)
DORA is applicable to a very broad swath of financial entities in the EU, including banks and investment firms, payment institutions, insurance and re-insurance undertakings, trading venues, electronic money institutions, central securities depositories and the like. Also covered within the scope are crypto-asset service providers, credit rating agencies, crowdfunding service providers and third-party ICT service providers (like cloud computing services, data centers and analytics providers).
DORA applies to roughly 22,000 entities in the entire EU financial ecosystem, including ICT providers based outside the EU. Organizations that violate DORA requirements can face penalties of up to two percent of gross revenues.
The proportionality principle (Article 4)
There's an allowance built into the DORA act that serves as guidance for organizations as to what extent they are in scope for all or a subset of the requirements. In other words, the "proportionality principle" ensures that regulatory requirements are tailored to the size and scale of a business, its overall risk profile, and the type of services or operations it conducts. For example, a smaller organization may be subject to lighter testing or reporting requirements, while a larger, critical entity may be subject to more stringent oversight, reporting and assessment requirements.
The five main pillars of DORA (Articles 5 through 45)
At its core, DORA is all about risk resilience. Here are the five main pillars:
- Information risk management and governance: Financial entities must establish internal governance structures that manage ICT risk. This includes a management body that approves, oversees and periodically reviews risk management practices; a comprehensive, well-documented framework that outlines the strategies, processes, protocols and controls needed for managing ICT risk; and ICT systems, processes and tools that help identify, assess and mitigate digital risks and ensure the resilience, continuity and availability of ICT systems.
- Incident management, classification, notification: Financial entities are required to establish and implement incident management processes to detect, manage and notify ICT-related incidents. They must classify these incidents based on criteria such as the number of financial counterparts affected, the duration of the incident, the geographical spread, the data losses that occurred, the criticality of services affected and more. Significant cyber threats must be reported to the relevant competent authority, such as the European Central Bank.
- Operational resilience testing: The purpose of digital operational resilience testing is to identify weaknesses and gaps in security controls and processes, to proactively implement corrective measures, and to validate security performance. The resilience testing program must include a range of tests such as vulnerability assessments and scans, open-source analysis, network security assessments, source code reviews, physical security reviews, penetration testing and red team exercises. DORA recommends adopting a risk-based approach to testing, taking into account all material risks and emerging threats the business might be exposed to.
- Third-party risk management: Entities must have in place contracts that keep third parties responsible and bound by DORA's obligations; they must adopt and regularly review strategies on third-party risk; they must maintain a well-documented register detailing the ICT services provided by third parties. In cases of high technical complexity, financial entities must verify whether auditors possessing appropriate skills and knowledge have performed relevant audits and assessments. There must also be an exit strategy in place — entities must be able to exit contracts without disruption to business activities and without impacting the quality of service provided.
- Information sharing: DORA encourages financial firms and regulators to share cyber threat information and intelligence, such as indicators of compromise, tactics, techniques and procedures (TTPs), cyber security alerts and configuration tools, with the goal of raising awareness about emerging threats, impeding cyber threats from spreading and supporting defense capabilities. DORA specifies that the information must only be shared within trusted communities, and that sharing must preserve business confidentiality and ensure protection of personal data.
Key takeaways:
There's a tendency for organizations to dive straight into regulations. Instead, we recommend that organizations follow the approach below:
- Assess whether you're an in-scope organization: Even though your organization may not be a financial entity, you may still be in-scope for DORA (e.g., you provide critical services to a financial entity). Therefore, it's worth understanding whether your business is in scope, evaluating the proportionality principle requirements, and running an assessment to understand what requirements are applicable.
- Perform a gap analysis: Find out what you already have in place in terms of processes, policies, and controls. Compare them with the applicable DORA requirements. Organizations (particularly SMBs) can leverage industry tools like the ISF Standards of Good Practice (SOGP) to identify gaps in security procedures, protocols, and controls.
- Focus on meeting compliance: Instead of trying to boil the ocean, use the gap analysis findings to prioritize the identified gaps. Focus on what you need to do from an organizational perspective to meet compliance. Achieving full compliance immediately may not be feasible, but setting up a process to regularly review and improve security practices is essential for meeting compliance requirements.
Almost all (