The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union (EU) to bolster the stability of its financial system by ensuring financial entities can withstand digital operational disruptions.
DORA establishes a robust framework for Information and Communication Technology (ICT) risk management, emphasizing cybersecurity and operational resilience. Key measures include penetration testing and other offensive security practices to identify and address vulnerabilities within financial institutions and their ICT providers.
The compliance deadline for DORA is January 17, 2025. Financial institutions and ICT vendors are encouraged to act now to ensure readiness.
Applicability and Enforcement
DORA applies to a broad spectrum of financial entities operating in the EU. [Art. 2]
This includes:
- Banks
- Insurance companies
- Investment firms
- Crypto-asset service providers
- Payment service providers
- Third-party ICT vendors, such as cloud and software-as-a-service providers
Enforcement
The regulation is enforced by national-level authorities and three primary European Supervisory Authorities:
- European Banking Authority (banking sector)
- European Securities and Markets Authority (securities markets)
- European Insurance and Occupational Pensions Authority (insurance and pensions sector) [Art. 46]
Authorities are empowered to conduct on-site inspections, demand information, mandate corrective actions, and impose penalties for non-compliance. [Art. 50-52]
Security Requirements
DORA places significant emphasis on offensive security measures, particularly penetration testing. These are outlined in Chapter IV [Art. 24-27], focusing on testing ICT systems to enhance digital resilience.
Penetration Testing and Offensive Security Measures
- Testing, Scanning, and Assessments [Art. 25.1]: Financial institutions must periodically conduct security tests, such as vulnerability scans, network security assessments, scenario-based testing, and penetration testing.
- Threat-Led Penetration Testing (TLPT) [Art. 26-27]:
  - Must simulate real-world attack scenarios to evaluate protection, detection, and response capabilities. [Art. 3.17]
  - Conducted at least every three years for critical or important functions, including outsourced systems. Third-party ICT providers are required to participate. [Art. 26.2-4]
  - Significant credit institutions must exclusively use external testers for TLPT. For others, external testers must be used for at least one out of every three TLPT engagements. [Art. 26.8]
  - Testing scope and methodologies align with the European Framework for Threat Intelligence-Based Ethical Red Teaming (TIBER-EU). [Art. 26.11]
- External Tester Standards [Art. 26.8, 27]: External testers must meet stringent criteria, including technical expertise, independence, and professional indemnity insurance.
Additional Testing Requirements
- Vulnerability Assessments [Art. 25.2]: Critical systems, such as those used by central securities depositories and central counterparties, must undergo assessments before deployment or redeployment.
- Remediation [Art. 26.5-6]: Financial entities and participants must implement controls to mitigate risks identified during testing.
Broader Security Requirements
- Risk Management [Art. 6, 16-17, 24, 28]: Establish robust ICT risk management frameworks, including resilience strategies, governance, and incident response plans.
- Digital Resilience Safeguards [Art. 9-10, 24-26]: Regularly test systems to ensure resilience through penetration testing, threat detection, and remediation.
- Incident Reporting [Art. 11-12, 19]: Implement policies for incident response, business continuity, and reporting major cybersecurity incidents to authorities and stakeholders.
- Third-Party Risk Management [Art. 28-30]: Conduct due diligence on ICT service providers and include mandatory provisions in contracts, with stricter requirements for providers supporting critical functions.
Business Implications
To meet DORA’s requirements, financial institutions should focus on the following:
Preparation for Compliance
- Conduct gap analyses to identify weaknesses in current ICT risk management frameworks.
- Align existing security measures with DORA’s requirements.
- Partner with qualified external testers and develop internal capabilities for continuous security assessments.
Adapting Security Programs
Integrate TLPT and other security measures into organizational security programs:
- Engage accredited external testers for TLPT.
- Train staff on cybersecurity best practices and incident response.
- Implement systems for accurate and timely incident reporting.
Vendor Management
- Update ICT vendor contracts to include DORA-mandated provisions.
- ICT service providers should prepare for contract updates and stricter compliance expectations.
Summary
DORA’s focus on offensive security and resilience aims to fortify the digital resilience of the EU financial sector. Financial institutions must act promptly to align their security programs with DORA’s requirements, ensuring compliance and safeguarding their operations against evolving threats.