Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act or DORA is the EU’s proposed digital finance package, seeking to improve ICT resilience standards within the financial sector. The legislation oversees any companies that indirectly deal with the financial sector too, including IT operations in particular seeking to harmonise digital resilience in the European Union through the introduction of requirements on ICT risk management, third party lifecycle management and ICT-related incident reporting.

DORA will form a regulatory framework on digital operational resilience whereby all in scope entities must ensure they can withstand all types of ICT-related disruptions and threats.

It will ensure that participants of financial systems are subject to a common set of standards to manage ICT risks and ensure safeguards are in place to protect, detect, identify, respond and recover from cyber-attacks.

It comprises 5 main requirements:

• ICT Risk Management: Adopt ICT governance and control frameworks, including an IT risk management framework to be documented and reviewed at least annually incorporating:
  • Identification
  • Protection and prevention
  • Detection
  • Response and recovery
  • Learning and evolving
• ICT Incident Reporting: Streamline ICT incident reporting through the logging and classification of ICT incidents and reporting of major incidents to competent authorities using common templates and procedures.
• Digital Operational Resilience Testing: Performance of basic digital operational resilience testing at least yearly for all financial entities, and advanced threat-led penetration testing at least every 3 years.
• Management of ICT Third-Party Risk: Monitor third-party contractual arrangements at all stages and enable European Supervisory Authorities (ESAs) oversight of ICT third-party service providers deemed ‘critical’ by ESAs.
• Information-Sharing Arrangements: Voluntary participation in intelligence sharing through the exchange of cyber threat information among financial entities, including tactics, procedures, and signs of compromise.

Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Currently it is an EU regulation but there is strong indication that the UK will also be adopting the Act.

The scope of DORA is sufficiently wide to capture a comprehensive list of every conceivable type of financial entity – from banks to statutory auditors – but it will also apply to third-party IT service providers. e.g., cloud service providers who could be subject to compliance regulations:

• credit institutions
• payment institutions
• electronic money institutions
• investment firms
• crypto-asset service providers
• central securities depositories
• central counterparties
• trading venues
• trade repositories
• managers of alternative investment funds and management companies
• data reporting service providers
• insurance and reinsurance undertakings
• insurance intermediaries
• reinsurance intermediaries and ancillary insurance intermediaries
• institutions for occupational retirement pensions
• credit rating agencies
• statutory auditors and audit firms
• administrators of critical benchmarks
• crowdfunding service providers

Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU to facilitate effective regulatory oversight. (Third country – Outside the EU e.g., UK and USA)

• 24 September 2020 - The European Commission presented the DORA proposal
• The European Council adopted its negotiating mandate on DORA on 24 November 2021
• 11 May 2022, European Council - Provisional agreement reached on the Digital Operational Resilience Act (DORA)
• Expected to be finalised in October 2022 at the European Parliament plenary session

Work will now continue at a technical level to finalise the provisional agreement on the full legal text. This agreement is subject to approval by the European Council and the European Parliament before going through the formal adoption procedure.

The DORA will likely have a 12-18 month implementation period from the date of issue, however important technical standards will take longer to finalise, leaving firms with less time for preparation to comply with the new requirements they will face.

Organizations that will be in scope for DORA should already be considering what successful implementation requires in order to be ready when the political process is complete, and the Act is enforced.

At BSI, we have a large team of highly experienced, industry leading consultants that will help ensure that you and your business have all the security requirements you need to get ahead of the new DORA regulation, which will help you avoid potential financial penalties and will instil further confidence in your customers. We can help you put in place a detailed and comprehensive framework on digital operational resilience enhancing your capabilities to enable you to withstand and recover from ICT Incidents.

BSI currently offer the following services in relation to the 5 main DORA requirements:

• ICT Risk Management
  • IT Risk Management Framework development and implementation (ISO 27005)
  • Cyber Security Posture/Maturity Assessments
  • Information Security/Cyber Strategy Development
  • Gap Analysis and Implementation support (ISO 27001)

• ICT Incident Reporting
  • Incident Response planning and implementation (ISO27035)
  • Threat Modelling
  • Threat assessments
  • Assessment of current incident response planning and reporting capability
  • Incident response testing
  • Incident response staff training

• Digital Operational Resilience Testing
  • Business Continuity (ISO 22301)
    • BIA (Business Impact Analysis)
    • Policy Development
  • Business Continuity Planning
  • Disaster Recovery Support, Implementation, and periodic testing
  • TLPT (Threat Led Penetration Testing)
  • OSINT (Open-Source Intelligence)
  • Physical Security Assessments
  • Attack simulation (Red/Blue/Purple team)

• Management of ICT Third Party Risk
  • Third Party Risk management (ISO 27036-2)
    • Current state assessment of third-party lifecycle management
    • Development of end to end supplier management framework
    • Implementation of third-party risk management framework alongside ongoing risk management support
  • BSI work with technology partners who have specialist tooling to facilitate the entire supplier lifecycle management

• Information sharing arrangements
  • Threat Intelligence
  • CERT (Computer Emergency Response Team) Certification
  • Assess current position and determine future state
  • Build a reporting framework

We have world class capabilities specifically designed to provide confidence to clients in all areas of cyber security and cyber security hygiene. 

Global cross sector experience with a core understanding of the issues impacting the public sector and emerging threats, along with pragmatic industry experience in the area of managing ICT risk and resilience.