Exploring DORA: What is the new EU legislation and who will it impact?
February 15, 2023
Let’s answer the key questions about the Digital Operational Resilience Act. What is it? Who does it affect? And when?
There’s a new DORA in town. The children’s TV character has been nudged aside by the EU’s Digital Operational Resilience Act, a wide-ranging regulation that ensures financial institutions and their service providers are mitigating the operational risks that arise from their reliance on ICT.
It impacts contracting, legal departments, procurement, HR (for training), governance, compliance, risk and audit functions, and more. Organizations need to begin their change management process now so they’re compliant when the regulation comes into force.
DORA entered into force on 16 January 2023 and applies from 17 January 2025. So, we all have two years to prepare.
- What is DORA?
- Which organizations are affected by DORA?
- Does DORA apply outside of the EU?
- How will DORA impact cybersecurity controls?
- How will DORA affect the board?
- How will DORA affect concentration of risk?
- How can Panaseer help with DORA?
What is DORA?
The full name of the regulation is…
“Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance).”
Really rolls off the tongue, doesn’t it? Even Digital Operational Resilience Act is a bit of a mouthful. Hence DORA.
In short, DORA is an EU regulation that will ensure that financial institutions follow strict rules for protecting their operational resilience, specifically around ICT risk. The five key pillars of DORA are:
- ICT risk-management
- Incident reporting
- Operational resilience testing
- Managing third-party risk
- Intelligence sharing
It means financial services institutions must actively manage the risks associated with their digital operations arising from their reliance on ICT, with a focus on ensuring a high level of cybersecurity protection. Or suffer the consequences.
Which organizations are affected by DORA?
If you’re a financial institution of any sort in the EU, DORA probably applies. An estimated 22,000 financial entities and ICT service providers operating in the EU will be affected, plus many more outside.
The list is quite extensive:
- Credit institutions
- Account information service providers
- Credit rating agencies
- Pension funds
- Investment firms
- Crypto firms
- Alternative investment fund managers
- Crowdfunding providers
Crucially, ICT third-party service providers are also affected by DORA. The details are different: providers designated as critical will be directly supervised under a new oversight framework, while every other provider to an in-scope institution will feel DORA through the contractual, monitoring and exit-planning requirements that institution must impose on them. If your organization provides services to any institution in scope, expect to be asked to evidence compliance.
In terms of organization size, there is a principle of proportionality. The bigger the risk, the greater the expectations of the regulation. This may not directly correlate with the size of an organization, but it can be something of an indicator. Microenterprises (fewer than 10 employees and annual turnover or balance sheet total not exceeding EUR 2 million) are subject to a simplified regime rather than a full exclusion. DORA is a regulation, so it applies directly across member states, but supervisory practice will still differ from one national competent authority to another.
Does DORA apply outside of the EU?
DORA is an EU regulation. But, even if your organization is located outside the EU, it will be affected if you have EU operations or provide services to a financial institution that operates in the EU, because that institution must flow DORA’s third-party requirements down to you. For example, if you’re US-based and provide services to a US-based bank, you may still be affected if that bank operates in the EU.
DORA is not UK law and, post-Brexit, will not become UK law automatically. UK firms serving EU financial entities will still meet its requirements through their contracts, and UK regulators are pursuing their own operational resilience and critical third-party rules in parallel.
Whether in the EU, UK, or otherwise, all organizations should assess whether they will fall within scope of DORA and what actions they’ll need to take to comply. For those that are directly in scope, there will be a huge amount of effort required to comply with this new law.
How will DORA impact cybersecurity controls?
DORA explicitly states that security and ICT tools must be continuously monitored and controlled to minimize risk.
This suggests that an institution’s security posture must be actively managed and its controls continuously monitored, giving organizational and cascading views of performance against cybersecurity policies and appropriate regulation.
To illustrate, Article 9(1) of DORA reads:
“For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.”
DORA also requires that organizations set, evolve and evidence risk-based policies to ensure continued resilience. To achieve this, they must measure KPIs across their security metrics program. Many organizations already do this, but it’s often a manual process, and measuring controls continuously, and evidencing them to a regulator, is very hard to sustain without automation.
How will DORA affect the board?
One of the crucial mandates of DORA is that boards of financial services organizations will be accountable for ICT risk, by law. This is a big step forward – while cybersecurity is recognized as a board-level risk, it’s now codified in EU law.
The board must also be educated in the threats and risks of their digital estate. This means that scrutiny on CISOs and other cybersecurity leaders will likely increase, as will their influence within the boardroom.
How will DORA affect concentration of risk?
DORA requires financial entities to identify and assess ICT concentration risk, including over-reliance on a single provider for critical or important functions, and to weigh that risk before contracting. It does not ban single-vendor estates outright, but it does expect you to understand and manage the exposure. So if you’re running Azure as your cloud service provider, all your devices are Surfaces running Windows 11, and you’re reliant on MS 365 E5, you have a concentration you must be able to explain and mitigate. Because if Microsoft goes down, then your organization will follow it under.
Under DORA, organizations will likely need to diversify across cloud service providers and security vendors where a function is critical, or document credible exit and contingency plans, so that if one of them stops working you can keep operating.
How can Panaseer help with DORA?
As mentioned above, DORA explicitly mentions that organizations need to “continuously monitor and control the security and functioning of ICT systems and tools”.
Many security tools have a monitoring element, but they only monitor their own status in isolation. Taking the data from tools and other data sources across security, IT, and the business, the Panaseer platform automates the continuous monitoring of your security controls in one place.
The first step of Continuous Controls Monitoring is establishing a near real-time asset inventory, which helps identify crown jewel assets. This is extremely useful for cybersecurity in general, but it is also mandated by DORA: asset inventories must be maintained and periodically updated, which will require automation.
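The reconciliation that underpins such an inventory is straightforward to show in code. The following is an added example, not Panaseer’s platform code: it unions constructed extracts from a hypothetical CMDB, EDR console and vulnerability scanner, keys them on a normalised hostname, and judges each control by freshness of telemetry rather than mere presence of a record, so a silent agent or a stale scan counts as a gap. The source names, field names, thresholds and sample records are all assumptions made for illustration.

```python
"""Reconcile asset and control telemetry from several tools into one inventory
and score control coverage, the first step of continuous controls monitoring.

Added example, not Panaseer code. Tool names, field names, thresholds and all
sample records below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 2, 15, 9, 0, tzinfo=timezone.utc)  # assumed evaluation time
EDR_MAX_AGE = timedelta(days=7)    # an agent silent longer than this is not "monitoring"
SCAN_MAX_AGE = timedelta(days=30)  # a scan older than this does not evidence the control

# Constructed extracts from three hypothetical sources. Note the inconsistent
# casing and FQDN vs short names, which is the normal state of real exports.
CMDB = [
    {"hostname": "PAY-DB-01.corp.example", "owner": "payments", "tier": "crown-jewel"},
    {"hostname": "pay-app-01.corp.example", "owner": "payments", "tier": "crown-jewel"},
    {"hostname": "hr-web-01.corp.example", "owner": "hr", "tier": "standard"},
    {"hostname": "dev-box-07.corp.example", "owner": "eng", "tier": "standard"},
]
EDR = [  # agent check-ins
    {"host": "pay-db-01", "last_seen": "2023-02-15T08:55:00Z"},
    {"host": "hr-web-01", "last_seen": "2023-02-15T09:01:00Z"},
    {"host": "dev-box-07", "last_seen": "2023-02-01T10:00:00Z"},   # stale agent
    {"host": "shadow-vm-02", "last_seen": "2023-02-15T08:59:00Z"},  # not in CMDB
]
VULN_SCANNER = [
    {"asset": "PAY-DB-01.CORP.EXAMPLE", "last_scan": "2023-02-14T22:00:00Z"},
    {"asset": "pay-app-01.corp.example", "last_scan": "2023-02-14T22:00:00Z"},
    {"asset": "hr-web-01.corp.example", "last_scan": "2023-01-10T22:00:00Z"},  # stale scan
]


def normalise(name: str) -> str:
    """Key every source on the lower-cased short hostname."""
    return name.strip().lower().split(".")[0]


def parse_ts(value: str) -> datetime:
    """Parse the 'Z'-suffixed ISO-8601 timestamps used in the extracts."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_inventory(cmdb=CMDB, edr=EDR, scanner=VULN_SCANNER, now=NOW):
    """Union all sources into one inventory keyed on normalised hostname.

    Each record says which sources know the asset, its business tier (from the
    CMDB, or 'unknown' if only a tool has seen it) and whether each control is
    currently effective, judged by telemetry freshness rather than presence."""
    inv = {}

    def entry(key):
        return inv.setdefault(key, {"sources": set(), "tier": "unknown",
                                    "edr_fresh": False, "scan_fresh": False})

    for rec in cmdb:
        e = entry(normalise(rec["hostname"]))
        e["sources"].add("cmdb")
        e["tier"] = rec["tier"]
    for rec in edr:
        e = entry(normalise(rec["host"]))
        e["sources"].add("edr")
        e["edr_fresh"] = now - parse_ts(rec["last_seen"]) <= EDR_MAX_AGE
    for rec in scanner:
        e = entry(normalise(rec["asset"]))
        e["sources"].add("scanner")
        e["scan_fresh"] = now - parse_ts(rec["last_scan"]) <= SCAN_MAX_AGE
    return inv


def coverage_report(inv):
    """Summarise the control gaps a regulator-facing metric would be built on."""
    total = len(inv)
    edr_ok = sum(e["edr_fresh"] for e in inv.values())
    scan_ok = sum(e["scan_fresh"] for e in inv.values())
    return {
        "assets": total,
        "edr_coverage_pct": round(100 * edr_ok / total, 1),
        "scan_coverage_pct": round(100 * scan_ok / total, 1),
        # Seen by a tool but absent from the system of record: unmanaged assets.
        "unmanaged": sorted(k for k, e in inv.items() if "cmdb" not in e["sources"]),
        # Crown jewels with any control not currently effective, and which ones.
        "crown_jewel_gaps": sorted(
            (k, [c for c, ok in (("edr", e["edr_fresh"]), ("scan", e["scan_fresh"])) if not ok])
            for k, e in inv.items()
            if e["tier"] == "crown-jewel" and not (e["edr_fresh"] and e["scan_fresh"])
        ),
    }


if __name__ == "__main__":
    for k, v in coverage_report(build_inventory()).items():
        print(f"{k}: {v}")
```

On the constructed data the report shows five assets in total, one of which (shadow-vm-02) the CMDB has never heard of, EDR coverage of 60% and scan coverage of 40%, and one crown jewel (pay-app-01) with no endpoint agent at all. The two design choices worth copying are the union across sources, which is what surfaces unmanaged assets, and the freshness thresholds, which turn “the tool has a record” into “the control is actually working”, which is what Article 9(1)’s continuous monitoring language is asking for.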
Crucially, organizations will have to prove they are DORA compliant. Adopting an automated approach to evidence gathering is the most realistic way to meet DORA’s requirements, especially around the continuous monitoring of security tools.
This short blog has barely scratched the surface as to how DORA will affect security leaders and how Panaseer can help. To find out more, look out for our upcoming whitepaper which will go into more depth on what security leaders need to know about DORA.
We have also prepared a DORA Readiness Assessment. By answering a series of simple questions, you’ll get a high-level view of where you might already be compliant with DORA and where you’ll need to take action. If you take a few minutes to assess your capabilities against the five pillars of DORA, you’ll get an instant performance dashboard and will be able to request an executive report.