How Can Financial Institutions Achieve DORA Compliance by 2025?

December 16, 2024

The digital transformation in the financial sector has introduced numerous benefits, yet it has also significantly amplified exposure to cyber threats. In response to these growing concerns, the European Union has introduced the Digital Operational Resilience Act (DORA), a pivotal regulation aimed at bolstering the security and resilience of financial institutions. Scheduled to become fully enforceable by January 2025, DORA mandates a rigorous and structured approach to managing and mitigating Information and Communication Technology (ICT) risks. With over 22,000 financial entities and their ICT service providers falling under its scope, ensuring compliance with DORA’s substantial requirements presents a formidable yet crucial challenge for the sector.

Understanding DORA and Its Importance

DORA seeks to fortify the operational resilience of financial entities by putting in place a comprehensive regulatory framework. With a focus on fostering the ability to manage, respond to, and recover from ICT-related incidents, this framework is central to securing the financial sector against escalating digital threats. Covering both financial entities and their ICT service providers, DORA’s primary objective is to mitigate potential disruptions that could undermine the sector’s stability and integrity. By constructing a reliable defense against these threats, DORA aims to safeguard the financial system as a whole.

Non-compliance with DORA carries severe repercussions, including substantial financial penalties, operational disruptions, and potentially irreparable reputational damage. Financial institutions must grasp the full scope and implications of DORA to navigate its complex landscape effectively. Built upon five key pillars—ICT Risk Management, ICT Incident Reporting, Digital Operational Resilience Testing, ICT Third-Party Risk Management, and Information Sharing among Financial Institutions—DORA’s regulatory framework is both comprehensive and demanding.

The Five Pillars of DORA

ICT Risk Management

ICT Risk Management stands at the core of DORA, demanding that financial institutions implement comprehensive risk management frameworks. These frameworks are designed to identify, assess, and mitigate ICT risks effectively, aiming to ensure that these organizations can withstand and recover from digital disruptions. Effective ICT risk management necessitates continuous monitoring, regular risk assessments, and the seamless integration of these practices into the organization’s overarching strategy. By establishing and maintaining robust risk management procedures, financial institutions can preemptively address vulnerabilities and minimize potential impacts from cyber threats.

ICT Incident Reporting

DORA mandates the timely and precise reporting of ICT-related incidents to regulatory authorities. This ensures that regulators have real-time awareness of potential threats and can take necessary actions to control and mitigate risks effectively. Financial institutions must establish clear and structured incident reporting procedures. These procedures encompass the identification of reportable incidents, meticulous documentation of incident details, and the prompt submission of these reports to the relevant authorities. This proactive approach not only aids in compliance but also fosters a collective defense against digital threats.

Digital Operational Resilience Testing

Digital Operational Resilience Testing requires organizations to regularly assess the vulnerabilities within their ICT systems. The goal is to determine their resilience against cyber-attacks, with an emphasis on identifying areas that require improvement. A critical component of this effort is Threat-Led Penetration Testing (TLPT), conducted every three years starting January 17, 2025. TLPT simulates sophisticated cyber-attacks to evaluate an organization’s defenses rigorously, revealing resilience gaps and providing actionable insights for bolstering security measures. Regular testing and iterative improvements ensure that financial institutions maintain a strong security posture against evolving threats.

ICT Third-Party Risk Management

ICT Third-Party Risk Management (TPRM) focuses on the rigorous oversight and management of risks associated with third-party ICT service providers. Under DORA, financial institutions are held accountable for ensuring that their third-party providers comply with stringent regulatory requirements and uphold robust security measures. This process involves conducting thorough risk assessments, establishing explicit contractual obligations, and continuously monitoring the performance and compliance of third-party providers. Effective TPRM helps mitigate the risks posed by external dependencies, enhancing the overall resilience of financial institutions.

Information Sharing among Financial Institutions

DORA promotes a culture of information sharing among financial institutions to amplify collective resilience against digital threats. By sharing threat intelligence, best practices, and lessons learned, financial institutions can strengthen their individual and collective defenses. Establishing secure, efficient mechanisms for information sharing is essential for fostering collaboration and improving sector-wide resilience. This collaborative approach not only enhances the ability to combat emerging threats but also builds a more robust and interconnected defense system.

Key Challenge: Threat-Led Penetration Testing (TLPT)

Overview of TLPT

One of the most challenging requisites under DORA is the mandate for Threat-Led Penetration Testing (TLPT), aimed at evaluating an organization’s resilience against real-world threats through simulated sophisticated cyber-attacks. Based on the TIBER-EU framework and drawing insights from global standards such as the G7 framework and the UK’s CBEST, TLPT seeks to mimic the tactics used by actual cyber attackers. By exposing vulnerabilities in technological defenses, organizational procedures, and human factors, TLPT helps identify critical gaps and provides actionable insights for enhancing overall security posture.

Preparation and Execution of TLPT

Preparing for TLPT is an extensive and meticulous process demanding detailed planning and execution. The scope of testing is defined by collaboration between financial institutions and regulatory authorities, focusing on critical functions and encompassing third-party systems where necessary. The preparation phase involves gathering credible threat intelligence and developing realistic attack scenarios tailored to the organization’s specific vulnerabilities. During the execution phase, simulated attacks are carried out by experts, testing the robustness of the organization’s defenses. Following the tests, comprehensive documentation must be presented to regulatory authorities, demonstrating adherence to test protocols and highlighting specific findings for certification. This exhaustive process ensures that testing remains aligned with regulatory expectations and provides meaningful insights for security improvements.

Challenges in TLPT

Conducting TLPT presents several challenges for financial institutions, primarily due to the complexity and resource-intensive nature of the testing process. One significant challenge involves gaps in threat intelligence: when the intelligence gathered does not match the testing requirements, the resulting scenarios are less realistic and the value of the tests diminishes. Operational coordination for detailed and frequent reporting adds another layer of complexity. Additionally, maintaining precise audit trail documentation and developing distinct technical scenarios for each test complicate the process further. Identifying and recruiting qualified red team managers with the necessary technical skills and credibility is also a formidable task. Aligning TLPT outputs with widely recognized frameworks such as ISO 27001 and NIST CSF can be challenging due to their distinct focus areas. These intricate challenges necessitate a sophisticated approach to TLPT, emphasizing meticulous planning, execution, and continuous improvement.

Key Challenge: ICT Third-Party Risk Management (TPRM)

Overview of TPRM

Managing ICT third-party risks is another crucial and challenging aspect of achieving DORA compliance. Given the criticality of functions in financial institutions, DORA’s Pillar 4 outlines extensive requirements for ICT Third-Party Risk Management (TPRM). Financial institutions must implement finely tuned risk management frameworks that integrate with the organization’s overall risk model to ensure comprehensive oversight and control. Aligning current risk frameworks with DORA standards poses significant challenges, requiring a thorough understanding and strategic adaptation of existing practices. A comprehensive approach to TPRM is essential for safeguarding against the risks introduced by third-party service providers.

Initial Steps for TPRM

Eviden recommends conducting a thorough diagnostic of existing ICT risk management measures before directly adhering to DORA’s specific articles. This involves evaluating the alignment of current measures with strategic goals, integration into the broader risk model, and ensuring risk-based decision-making throughout the procurement lifecycle. Identifying missing or counterproductive practices early in the process can help prepare organizations for upcoming regulatory audits. By understanding the current state of risk management, financial institutions can make targeted improvements and align their frameworks with DORA’s stringent requirements. This proactive approach not only facilitates compliance but also enhances the overall resilience of the organization against third-party risks.

Challenges in TPRM Projects

Eviden’s extensive engagements with multiple financial clients have highlighted key recurring issues in TPRM. One major challenge is the inconsistency in scoring ICT suppliers, which leads to fragmented assessments and inadequate risk communication. Additionally, many contracts with third-party providers either lack audit rights or clear cybersecurity standards, hindering the ability to ensure compliance. Resource constraints further impede effective risk management, with limited resources and uncoordinated approaches being common obstacles. These challenges underscore the need for a structured and strategic approach to TPRM, emphasizing thorough assessments, clear contractual obligations, and continuous monitoring.

Recommendations and Solutions

In addressing the significant challenges associated with DORA compliance, several strategic recommendations and solutions have emerged from Eviden’s extensive experience.

Aligning ICT Risk Management with TPRM

Eviden advocates for aligning ICT risk management frameworks with organizational objectives and clearly defined risk-acceptance levels. Standardizing terminology based on ISO/IEC 27036-1 and ISO 22300 helps avoid misinterpretations and ensures consistent risk communication. Developing policies that support clear and effective communication of risks, as well as seamless integration of risk-based decision-making throughout the procurement lifecycle, is crucial for overcoming TPRM challenges. By establishing robust and aligned frameworks, financial institutions can effectively manage third-party risks and adhere to DORA requirements.

Streamlined Evidence Collection

A clear, managed process for gathering and storing evidence is essential for supporting incident analyses and protecting against negligence claims. This includes security configurations, Service Level Agreements (SLAs), and contracts, all of which should be readily accessible and organized. Ensuring that evidence is comprehensive and up-to-date facilitates compliance and supports regulatory audits. Streamlined evidence collection processes also help organizations respond swiftly and effectively to security incidents, further enhancing resilience.

Business Impact Analysis (BIA) Review

Reviewing and updating the Business Impact Analysis (BIA) is imperative for identifying functions labeled as critical under DORA. This involves mapping key processes and services to those listed in existing BIA documentation and aligning recovery objectives with DORA’s stringent requirements. Clear outlining of services, SLAs, and responsibilities in contracts ensures alignment with disaster recovery metrics. Regularly reviewing and updating the BIA helps maintain an accurate and current understanding of critical functions, which is essential for effective incident response and recovery.

Improving Data Quality in Contract Registers

Maintaining updated and accurate contract information is paramount for effective third-party risk management. Many entities lack a unified contract management system, leading to incomplete or outdated contract records. Integrating advanced tools such as AI for managing contract registers can significantly enhance data quality, ensuring that all contract information is accurate, up-to-date, and easily accessible. Improved data quality supports more effective oversight and management of third-party relationships, facilitating compliance with DORA’s stringent requirements.

Contractual Remediation and Renegotiation

Updating supplier-management procedures to include explicit audit rights and compliance requirements is essential. Aligning new procurement contracts with DORA standards, providing training for vendors, and promoting awareness of regulatory obligations ensures that third-party providers understand and comply with the necessary standards. Regularly reviewing and renegotiating contracts to address any gaps or shortcomings helps maintain compliance and strengthens third-party risk management frameworks.

Regular Audits and Assurance

Conducting regular audits and using industry-recognized frameworks such as SOC 1 and SOC 2, Cyber Essentials, and NIST SSDF ensures thorough and consistent assessments. Promoting cybersecurity best practices among suppliers helps strike a balance between comprehensive audits and resource constraints. Regular audits provide ongoing assurance that third-party providers adhere to required standards, reinforcing the overall resilience of financial institutions.

Prudent Resource Allocation

The financial sector has experienced notable benefits from digital transformation, yet this shift has also heightened vulnerability to cyber threats. In addressing these escalating risks, the European Union has introduced the Digital Operational Resilience Act (DORA). This landmark regulation is designed to enhance the security and resilience of financial institutions. Set to be fully enforceable by January 2025, DORA requires a comprehensive and organized framework for managing Information and Communication Technology (ICT) risks.

The regulation aims to ensure that financial institutions can withstand and recover swiftly from any ICT-related disruptions. This includes cyber-attacks, system failures, and other technological breakdowns. Compliance with DORA necessitates that financial entities, along with their ICT service providers, implement stringent measures to safeguard against such risks. More than 22,000 financial institutions and their associated ICT service providers are subject to these extensive requirements.

Adhering to DORA will undoubtedly be demanding for the sector. The regulation not only imposes strict guidelines but also necessitates a cultural shift towards prioritizing resilience and security in ICT operations. Despite these challenges, the ultimate goal is to fortify the financial system against the growing landscape of cyber threats and ensure the stability and trustworthiness of financial services in Europe.
