What is DORA?
The Digital Operational Resilience Act (DORA) is a legislative proposal by the European Union (EU) aimed at enhancing the operational resilience of the financial sector in the digital age. It establishes a comprehensive framework for managing Information and Communication Technology (ICT) risks and cyber threats faced by financial entities. The main objectives of DORA are to ensure the continuity of critical financial services in the face of cyber incidents, strengthen oversight and coordination of ICT risk management by relevant authorities, enhance cooperation and information-sharing, and improve reporting and transparency of significant ICT-related incidents.
Since when is DORA in force?
DORA, the Digital Operational Resilience Act, has been in effect since January 16, 2023. Anticipated for June 2023, the European Supervisory Authorities (ESAs) are set to release consultation papers concerning several Level 2 Regulatory Technical and Implementation Standards (RTS & ITS). These papers aim to outline specific requirements. Financial firms are required to adhere to this regulation by January 17, 2025, following a two-year implementation period and the development of technical regulatory standards by the European Supervisory Authorities (ESAs).
Which companies are eligible to the DORA regulation?
DORA has a broad scope, impacting various entities such as banks, credit institutions, payment institutions, investment firms, electronic money institutions, central counterparties, and providers of crypto asset services, among others. Furthermore, critical third-party ICT providers are also subject to regulation, with each designated a Lead Overseer, which could be either EBA, ESMA, or EIOPA.
- DORA adopts a comprehensive approach, encompassing a wide array of financial institutions. While banks and insurance companies, already acquainted with EBA/EIOPA guidelines on ICT security and outsourcing, are included, the scope extends to trading venues, institutions offering occupational retirement plans, crypto service providers, insurance intermediaries, and various other financial entities under this new framework.
- FinTechs are not granted exemptions solely based on their smaller size if they fall under the categories specified in the DORA regulation. Nevertheless, companies with less than 10 employees and limited annual revenue are subject to less stringent requirements under the regulation.
- ICT providers - including cloud service providers that provide services to financial firms - may now be subject to the supervisory framework if they are classified as "critical ICT providers." The criteria for this classification are further specified by the European Supervisory Authorities (ESAs), but are mainly based on how critical the services provided are to the financial market, as well as the degree of dependency on the ICT provider or how easily it can be replaced
Why is DORA compliance important?
- DORA compliance strengthens operational resilience by identifying and addressing vulnerabilities.
- Compliance with DORA safeguards the stability of the financial system by preventing disruptions with potential systemic implications.
- DORA compliance helps mitigate cybersecurity risks by implementing robust measures and protocols.
- Compliance enhances customer trust and confidence by demonstrating a commitment to protecting their data and ensuring service continuity.
- Organisations must comply with DORA to meet legal and regulatory obligations and avoid penalties and reputational damage.
- DORA compliance encourages innovation in the financial sector by addressing risks and providing a secure foundation for adopting new technologies.
- Compliance fosters collaboration and cooperation between market participants and supervisory authorities, enabling effective incident response and communication.
- Adhering to DORA helps organisations stay ahead of the evolving threat landscape and adapt to emerging risks and technologies.
- DORA compliance aligns organisations with international standards and expectations, promoting harmonization across jurisdictions.
- Achieving DORA compliance can provide a competitive advantage in the market by showcasing a strong commitment to operational resilience and cybersecurity.
What are the 10 Steps to DORA compliance?
- Overview of DORA: Gain a thorough understanding of DORA's objectives, provisions, and the entities it applies to, such as credit institutions, payment institutions, electronic money institutions, central counterparties, and data service providers.
- Mapping DORA Requirements: Identify the specific requirements and obligations outlined by DORA, such as resilience testing, ICT risk management, incident reporting, third-party risk management, and cybersecurity capabilities.
- Appointing a DORA Compliance Officer: Designate a dedicated individual or team responsible for overseeing DORA compliance efforts within your organization.
- Creating a DORA Compliance Framework: Develop a comprehensive framework that outlines policies, procedures, and controls necessary to ensure compliance with DORA's requirements.
- Identifying Risks: Perform a detailed assessment to identify potential risks and vulnerabilities specific to your organization's operations, processes, and systems.
- Assessing Impact and Likelihood: Evaluate the potential impact and likelihood of identified risks, considering both internal and external factors.
- Designing Resilience Testing Scenarios: Develop a robust program for resilience testing that simulates realistic scenarios, including cyberattacks, system failures, and other disruptive events.
- Evaluating Testing Results: Analyse and interpret the results of resilience testing to identify areas of improvement, vulnerabilities, and gaps in operational resilience.
- Establishing an ICT Risk Management Framework: Develop and implement a framework to identify, assess, mitigate, and monitor ICT-related risks, including cybersecurity risks, technological vulnerabilities, and operational disruptions.
- Regular Review and Updates: Continuously review and update the ICT risk management framework to align with emerging threats, evolving technologies, and industry best practices.
- Establishing Incident Reporting Procedures: Develop clear and well-defined incident reporting procedures that outline how and when significant incidents should be reported to the relevant supervisory authorities.
- Foster Effective Communication Channels: Establish effective communication channels within the organization to ensure prompt and accurate reporting of incidents and facilitate coordinated response efforts.
- Conducting Due Diligence: Implement a robust due diligence process to assess the cybersecurity and operational resilience capabilities of third-party service providers before entering into partnerships or outsourcing arrangements.
- Contractual Provisions: Include specific contractual provisions that address third-party risk management, outlining the responsibilities, expectations, and standards required to ensure compliance with DORA.
- Implementing Strong Authentication Mechanisms: Deploy multi-factor authentication solutions to enhance the security of access to critical systems and sensitive information.
- Encryption and Data Protection: Implement encryption protocols to protect data at rest and in transit, ensuring the confidentiality and integrity of sensitive information.
- Proactive Monitoring and AI driven Threat Detection: Deploy advanced monitoring tools and AI driven cyber threat detection systems to detect and respond to cybersecurity threats in real-time.
- Developing Comprehensive Incident Response Plans: Create detailed and well-structured incident response plans that define roles, responsibilities, escalation procedures, and communication channels for effective incident management.
- Testing and Exercising Incident Response Plans: Regularly test and exercise incident response plans to ensure their effectiveness, identify areas for improvement, and familiarize personnel with their roles and responsibilities.
- Establishing Compliance Monitoring Mechanisms: Implement a robust compliance monitoring program to assess ongoing adherence to DORA requirements, identify gaps, and drive continuous improvement.
- Staying Abreast of Regulatory Updates: Keep a close watch on regulatory developments, updates, and guidance related to DORA to ensure continued compliance.
Complying with the Digital Operational Resilience Act (DORA) requires a comprehensive and proactive approach to operational resilience and cybersecurity. By implementing the best practices outlined in this guide, organizations can navigate the complexities of DORA successfully, fortify their operational resilience, and contribute to the overall stability of the financial system. Embrace these recommendations, adapt them to your specific context, and embark on the journey towards DORA compliance with confidence and resilience.
Who should be involved in delivering DORA compliance?
Delivering DORA compliance requires a collaborative effort involving various stakeholders within an organization. The following key individuals or teams should be involved in the process:
- Senior Management: Senior executives, including the CEO, CFO, and CIO, should provide leadership and support for DORA compliance efforts. They play a crucial role in setting the tone at the top and allocating necessary resources.
- DORA Compliance Officer/Team: Designate a dedicated DORA compliance officer or team responsible for overseeing and coordinating compliance efforts. They should have a deep understanding of DORA's provisions and requirements.
- Legal and Compliance Department: The legal and compliance department plays a critical role in interpreting and understanding DORA's legal obligations. They ensure that the organization's policies, procedures, and practices align with the legislative requirements.
- Risk Management Team: The risk management team is responsible for conducting risk assessments, identifying potential vulnerabilities, and implementing risk mitigation measures. They should collaborate closely with the compliance team to address DORA-specific risks.
- IT and Cybersecurity Teams: The IT and cybersecurity teams are instrumental in implementing the necessary technological measures to meet DORA requirements. They play a crucial role in deploying cybersecurity capabilities, resilience testing, and incident response plans.
- Operations and Business Units: Operational teams and business units have an important role in implementing DORA compliance measures within their respective areas. They should collaborate with compliance, risk management, and IT teams to ensure alignment and implementation of DORA requirements.
- Internal Audit: The internal audit team provides independent assurance by evaluating the effectiveness of the organization's DORA compliance efforts. They conduct audits and assessments to ensure ongoing adherence to DORA provisions.
- Third-Party Service Providers: If the organization relies on third-party service providers, they should be involved in delivering DORA compliance. This includes assessing their cybersecurity and operational resilience capabilities and ensuring compliance through contractual provisions.
- Communication and Training Teams: Effective communication and training are crucial for ensuring organizational-wide understanding and compliance with DORA. The communication and training teams should develop and deliver educational programs to raise awareness and provide guidance on DORA requirements.
- External Consultants and Advisors: Organizations may seek external expertise from consultants or legal advisors specialized in DORA compliance. They can provide guidance, assist with risk assessments, and help navigate the complex landscape of DORA.
By involving these key stakeholders and fostering collaboration among them, organisations can effectively deliver DORA compliance, ensuring a holistic and comprehensive approach to operational resilience and cybersecurity.
How Vectra AI Enables DORA Compliance?
Vectra AI offers advanced threat detection and response solutions in perfect alignment with the requirements of the Digital Operational Resilience Act. Let's explore how Vectra AI can help organisations achieve DORA compliance:
- Real-time Threat Detection & Response
Vectra AI's platform leverages AI-driven behavioural analysis based on MITRE Att&ck techniques and machine learning models to detect and analyse Network, SaaS, Identity, AWS Cloud Microsoft 365 Cloud and Hybrid Cloud threats in real-time. By continuously monitoring network traffic and behaviours, Vectra AI can identify potential threats before they escalate, enabling swift responses to mitigate risks promptly. Learn more!
- Enhanced Incident Response
In the event of a cyber incident, Vectra AI's platform provides valuable insights and actionable intelligence to incident response teams based on MITRE D3FEND. This empowers organisations to take decisive measures to contain, investigate, and remediate threats, meeting DORA's incident reporting requirements effectively. Read the blog!
- Proactive Risk Management
Vectra AI's proactive threat hunting capabilities allow organisations to stay ahead of potential risks. By detecting hidden threats and vulnerabilities, financial institutions can take proactive steps to strengthen their security posture and comply with DORA's risk management provisions. Visit the KPMG & Vectra solution page.
- Automated Compliance Reporting
Complying with DORA requires comprehensive reporting on security incidents and risk management practices. Vectra AI simplifies this process by automating compliance reporting, saving time and effort for financial institutions in meeting regulatory obligations.
Let's explore how Vectra AI can help organisations achieve compliance with specific DORA chapters and article:
Chapter II, Article 5 Digital Operational Resilience Act (DORA), ICT risk management framework
Built-in advanced threat hunting capabilities for proactive threat and risk management.
- Classification of crown-jewel assets to ensure enhanced visibility.
- Automatic prioritization of potential incidents affecting crown jewels within the scope defined in Chapter I.
- Enhanced visibility of on-premises, cloud, and hybrid assets, zones, services, and interactions of all assets, including entities.
Chapter II, Article 9 Digital Operational Resilience Act (DORA), Detection
Advanced threat capabilities across all Vectra products using state-of-the-art methodologies to detect attack signals based on MITRE Att&ck techniques mapped on the cyber kill-chain, with AI models, signature-based models, campaign consolidations, and accessible visualization or reporting.
Chapter II, Article 10 Digital Operational Resilience Act (DORA), Response and Recovery
Vectra provides AI-driven behavioural analysis & detection capabilities based on MITRE Att&ck techniques to promptly detect anomalous activities in Network, SaaS, Identity, and Cloud in real-time. Additionally, Vectra provides built-in prioritisation of incidents using AI, and recommended response procedures based on MITRE D3FEND to support your ICT-related incident response.
Chapter II, Article 12 Digital Operational Resilience Act (DORA), Learning and Evolving
Continuous and integrated representation of attack procedures based on the cyber kill-chain and MITRE Att&ck for learnings and AAR (After Action Reviews).
Chapter II, Article 13 Digital Operational Resilience Act (DORA), Communication
MITRE Att&ck based reporting of all events, detections, and incidents for standardized communication with internal and external stakeholders, including authorities, national and regional CSIRT or Cybersecurity centers.
Chapter III, Article 15 Digital Operational Resilience Act (DORA), ICT-related incident management process
Automatic classification of threats and AI-driven prioritization for integrated processing using SOAR or ITSM solutions.
Chapter III, Article 16 Digital Operational Resilience Act (DORA), Classification of ICT-related incidents
4-stage classification (Low, Medium, High, Critical) and a score-based prioritization for simplified processing of incidents.
Chapter III, Article 17 Digital Operational Resilience Act (DORA), Reporting of major ICT-related incidents
Built-in reporting capabilities of incidents based, including documentation of used MITRE Att&ck techniques, Cyber kill-chain stage, and applied MITRE D3FEND procedures.
Chapter III, Article 18 Digital Operational Resilience Act (DORA), Harmonisation of reporting content and templates
Standardised, on-demand reporting contents based on templates for integrated reporting capabilities across your tooling landscape.
Learn more about DORA
How to benefit from the Digital Operational Resilience Act (DORA)
Watch this online panel featuring KPMG experts on Cyber Security as we explore the EU’s DORA (Digital Operational Resilience Act) and its profound impact on resilience of the financial sector.
DORA: A Path to Secure and Stable Financial Systems
Discover essential insights on complying with DORA in our blog. Get expert guidance and implementation strategies for meeting regulatory standards.
The Digital Operational Resilience Act (DORA): an impact assessment
Enhancing digital resilience in the European financial sector through improved IT risk management, incident handling, and information sharing.
The Digital Operational Resilience Act - what should banks be doing?
Provisional agreement reached on DORA, posing challenges for European banks. What actions must they take to meet these challenges effectively?
Assess Your DORA Compliance with our Experts
Book a meeting with KPMG and Vectra AI to understand the steps you need to take to ensure compliance with DORA regulations. Learn who is affected and what you need to do before the January 2025 deadline.