DORA

The Digital Operational Resilience Act (EU) 2022/2554

  • This is a Regulation not a Directive – therefore it is applied from a fixed date and no country can override the requirements
  • Enforced in January 2023 with a 2 year transition period therefore will fully apply from 17th January 2025
  • Applies to Information and Communication Technology (ICT)
  • Regulates the processes financial entities operate under
  • Supervision and Enforcement is by nominated Competent Authorities

 

5 Pillars of DORA

  • Risk Management, including Business Continuity Planning,
  • Resilience Testing by Independent Testers,
  • Incident Management and Reporting,
  • Third Party Risk Management
  • Information and Intelligence sharing in Relation to Cyber Threats and Vulnerabilities.

 

Who does it apply to?

  • Financial entities – requirements vary based on size of company. Exemptions to various parts of the law so not consistent across all organisations.
  • Requirements are implemented appropriate to size, risk profile, nature, scale and complexity of services.
  • ICT third party suppliers providing services direct to financial entities or within a supply chain to financial entities.

How Does it Apply in the UK

  • UK financial company that works with EU customers.
  • UK financial company that does business with EU financial companies.
  • ICT third party suppliers based in the UK supporting EU financial entities or UK financial entities that work with EU customers.

What is Digital Operational Resilience??

Operational integrity and reliability by addressing security of network and information systems the financial entity uses  and supporting continued provision of quality services including during disruptions.

What do you need to do to comply

  • Set up Internal governance and control framework responsible for
    • Managing ICT risks
    • Establishing and implementing policies to preserve the Confidentiality, Integrity, Availability and Authenticity of data
    • Companies can outsource DORA obligations but cannot outsource accountability for ensuring compliance.

 

 

Implementation

  • DORA is all about Risk Management
  • First step is a gap analysis for ICT controls in place and risk identification
  • Then you need to deliver a risk management plan – – senior managers and Board of Directors must be included in this.
  • Introduce supply chain management and verification of their compliance with DORA requirements
  • Carry out a company compliance assessment – including Internal audits, third party audits and supporting client audits.

 

Risk Management

  • Identification – through functions, assets and third parties
  • Protection and Prevention – minimise risks
  • Detection – mechanisms to identify anomalous behaviour and points of failure
  • Response and recovery – incident contained and isolated and recovery plan including
    • Back up and Restoration
    • Learning and evolving
    • Communication

Reporting of Incidents

  • Assess likelihood and impact of the incident and introduce monitoring controls to catch the incident early and therefore reduce the impact.
  • Reporting process in place for incidents including employee, third party reporting and notifying regulatory authorities.
  • Incident response plans in place.
  • Internal and External communication policies
  • Detailed investigation
  • Learning from Incidents to prevent reoccurrence.

 

Resilience Testing

  • A range of assessment tests must be done related to risk management
  • Testing includes vulnerability assessments, Open Source analysis, Network Security, Process Gap analysis, Physical security, Employee awareness
  • PEN testing
  • Critical systems must be tested a minimum of annually or when there is a change to procedures.
  • Testing must be done by an INDEPENDENT PARTY – third party companies can help with this.
  • Test results must be actioned effectively, and timings must be based on the criticality assessment.

 

Third Party Risk Management

  • Framework for managing ICT third party risk
  • Risk Assessment & Due Diligence
  • Vendor Assessment Survey
  • Contract terms and SLA’s
  • Check third party supply chain.
  • Limited Access Control
  • Incident Response in place
  • Monitoring Performance – including audits
  • BCP Plans in place for Vendor Failure.
  • Third Party Register to be set up, recording all this information.

 

Supportive Certifications

  • Service providers with ISO27001 certification have proof they meet the requirements.
  • Other Relevant Standards / certifications include:-
  • ISO27017 – Cloud services
  • ISO22301 – Business Continuity Planning
  • ISO27018 – Personal data in the cloud
  • ISO27701 – PII management
  • Cyber Essentials Plus

The Resilient Workplace can help you with achieving these standards to demonstrate compliance.