The Digital Operational Resilience Act (DORA), an EU regulation aimed at bolstering defenses against digital threats in the financial sector, poses significant challenges for financial institutions. Covering over 22,000 financial entities and their ICT service providers, DORA sets stringent standards for managing, responding to, and recovering from technology-related incidents. The deadline for full compliance is January 2025, but the road to achieving it is paved with complexities and operational hurdles.
Key Challenges and Themes
Threat-Led Penetration Testing (TLPT)
DORA requires financial institutions to conduct threat-led penetration tests every three years, starting in January 2025. These tests, based on the TIBER-EU framework, extend beyond technical controls to assess the overall resilience of an institution, including its people and procedures. TLPT simulates cyberattacks to identify vulnerabilities, examining an organization’s ability to defend against real-world threats by mimicking the tactics of actual threat actors.
Financial organizations must first identify all critical ICT processes, systems, and technologies, including third-party providers. Subsequently, they need to develop attack scenarios grounded in thorough threat research. This testing requires coordinated efforts from red and blue teams, comprehensive documentation, and approval from relevant authorities. Eviden notes that challenges include gaps in threat intelligence, coordination with national authorities, maintaining precise audit trails, scenario separation, and aligning results with existing frameworks like ISO 27001/2 and NIST CSF.
ICT Third-Party Risk Management (TPRM)
ICT third-party risk management is another significant challenge under DORA. Financial institutions are required to manage risks related to their critical and important functions proportionately. The first step involves creating a detailed register of information related to all contractual arrangements with ICT third-party providers. Conducting a preliminary assessment of ICT concentration risk and specifying key contractual provisions is crucial for compliance.
Eviden suggests starting with an as-is diagnosis of current ICT risk-management measures to assess alignment with strategic goals, risk integration, and the resilience of ICT suppliers. Challenges observed include fragmented assessments of third-party providers, inconsistency in audit rights and cybersecurity standards, and the need to align the risk management framework with organizational objectives. Regular audits and independent assurance assessments are recommended to ensure compliance and promote effective supplier management.
Overarching Trends and Insights
Preparation for TLPT is intricate and prolonged, requiring substantial planning and collaboration among financial institutions. Establishing robust frameworks for ICT risk management that align with DORA’s stringent requirements is essential. Continuous monitoring and comprehensive documentation of third-party risks are critical to enhancing contract management systems. The trend toward harmonizing DORA and TIBER-EU underscores ongoing efforts to create uniform standards across the EU.
Summary of Findings
Effective execution of TLPT and ICT third-party risk management requires multifaceted strategies: thorough preparation, a deep understanding of risk cause-and-effect chains, and continuous alignment with regulatory frameworks. Financial institutions face considerable operational challenges in meeting DORA requirements, which call for detailed planning, adequate resource allocation, and targeted capacity building. Successfully navigating DORA compliance depends on understanding nuanced regulatory standards, maintaining proactive threat intelligence, and fostering strong vendor relationships to ensure mutual compliance and resilience.
Consolidated Narrative
The Digital Operational Resilience Act (DORA) is an EU regulation focused on strengthening defenses against digital threats within the financial sector. It applies to over 22,000 financial entities along with their Information and Communication Technology (ICT) service providers. DORA lays down rigorous standards for managing, addressing, and recovering from technological incidents, aiming to ensure the financial sector’s robustness in the face of digital disruption. The full compliance deadline is January 2025. Reaching it, however, involves a maze of intricacies and operational obstacles. Financial institutions need to adopt comprehensive strategies to align with DORA’s requirements, ensuring they have the necessary infrastructure, protocols, and resources in place. Regular assessments, collaboration with ICT providers, and investment in cybersecurity measures are crucial steps. Achieving full compliance under DORA’s mandates demands meticulous planning, coordination, and dedicated effort to navigate the complex landscape of digital resilience effectively.