What is the Digital Operational Resilience Act (DORA)?
Starting in December 2023 and going into 2024, several new important regulations on cybersecurity and digital operational resilience are coming into effect, affecting both the United States and the European Union (EU).
The SEC cybersecurity rule was announced in July 2023, came into effect on December 18, 2023 for most US public companies, will take effect on June 15, 2024 for smaller reporting companies, and will primarily impact US public companies in 2024 and beyond. Lacework previously provided a solution brief, webinar, and SEC materiality framework, which we encourage you to review for further information relating to the SEC cybersecurity rule.
NIS2 will come into effect in the EU on October 17, 2024. In January 2023, it was announced that the EU Network and Information Systems (NIS) law would receive an overhaul. NIS2, the sequel to NIS, expands the initial 2016 regulation to eliminate inconsistency and establish a common set of cybersecurity standards and risk management practices, including incident reporting and information sharing obligations. The goal is to create a coordinated response through Cyber Crises Liaison Organizations Network (EU-CyCLONe) across EU member states, sectors, and businesses, with compliance mandated by October 17, 2024.
DORA will come into effect in the EU on January 17, 2025. The Digital Operational Resilience Act (DORA) is a new EU regulation on digital operational resilience for the financial sector, and for information and communication technology (ICT) companies providing services to the financial sector, such as cloud service providers and data analytics providers. The United Kingdom has introduced a related law, the Financial Services and Markets Act, which has many similarities to DORA, but with an added ability to issue sanctions for non-compliance. The UK Act received royal assent on June 29, 2023.
This article will focus primarily on DORA compliance, and is a counterpart to the Lacework NIS2 article.
Who does DORA apply to?
DORA applies to financial entities (including brokerages, insurance, credit institutions, investment managers, crowdfunding providers, crypto entities, and more) doing business in or with the European Union. DORA is extraterritorial in scope, similar to NIS2 and GDPR.
DORA also applies to information and communication technology (ICT) third-party service providers deemed critical by European regulators and authorities, including cloud service providers (CSPs) and providers to the CSPs and financial entities.
What is considered critical under DORA?
For an ICT entity to be considered as critical under DORA, certain criteria, both qualitative and quantitative, must be met. These criteria include:
- The level of systemic impact which would occur if the ICT third-party provider were to have a significant operational failure
- The systemic importance of the financial entities that rely on the ICT third-party provider
- The level of substitutability of the ICT third-party provider (i.e., how easily it could be switched out in the event of a significant operational failure)
- The level of reliance by financial entities on the ICT third-party provider in regard to critical or important functions
Certain categories of ICT third-party providers may be excluded from DORA, particularly when providing services within their own group of companies, within a single EU member state, or when financial entities are providing services to other financial entities.
Cloud computing providers to financial entities are expressly covered under DORA:
Preamble (63): “To address the complexity of the various sources of ICT risk, while taking into account the multitude and diversity of providers of technological solutions which enable a smooth provision of financial services, this Regulation should cover a wide range of ICT third-party service providers, including providers of cloud computing services, software, data analytics services and providers of data centre services.”
How does DORA relate to NIS2?
DORA and NIS2 have a relatively similar timeline for coming into effect (Oct 17, 2024 for NIS2; Jan 17, 2025 for DORA). NIS2 greatly expands the scope of NIS1 and adds new sectors, including digital providers such as online marketplaces and social media platforms. NIS2 covers cybersecurity, including risk management, reporting, and information sharing. Of specific note, for any overlap between NIS2 and DORA, DORA is the controlling law, so financial entities will be subject primarily to DORA.
Obligations under DORA
The core obligations under DORA include:
- Management governance and controls
- ICT risk management
- Incident reporting
- Third parties
This article will address each of these in turn.
Management governance and controls
DORA puts specific requirements on senior management of financial entities, in relation to governance, supervision, training, and more.
Under Article 5 (Governance and organisation) a member of senior management of financial entities is expressly required to oversee the related risk exposure and relevant documentation. Effectively, the company board is required to actively participate in understanding and managing the company’s ICT risk and preparations. This includes (under Article 13) security training which is required for both employees and senior management.
Management is also responsible for ensuring the financial entity carries out a gap analysis between current processes and what is required by DORA, and to get appropriate processes and tooling in place.
ICT risk management standards
DORA introduces rules relating to risk management, including required cybersecurity tooling, reporting of incidents, and periodic testing of systems, including penetration testing.
In particular, DORA Article 15(b) requires technical standards for “monitoring anomalous behaviour in relation to ICT risk through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices.”
DORA Article 15(c) requires technical standards to “develop further the mechanisms specified in Article 10(1) enabling a prompt detection of anomalous activities and the criteria set out in Article 10(2) triggering ICT-related incident detection and response processes.”
Note: This requirement for monitoring of anomalous activity is key to early detection of a cyber incident, enabling a system owner to quickly isolate or shut down impacted systems prior to data exfiltration or a ransomware attack.
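As an added illustration (not code from the article or from Lacework), the following scores constructed activity events against three of the Article 15(b) indicator types quoted above: hours, unknown devices and network use patterns. The device inventory, the working-hour window and the volume threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real data): user, device identifier, timestamp, bytes sent out.
EVENTS = [
    {"user": "alice", "device": "lap-01", "ts": "2024-03-04T09:12:00", "bytes_out": 20_000},
    {"user": "alice", "device": "lap-01", "ts": "2024-03-04T14:40:00", "bytes_out": 35_000},
    {"user": "alice", "device": "lap-01", "ts": "2024-03-05T10:05:00", "bytes_out": 25_000},
    {"user": "bob",   "device": "wks-07", "ts": "2024-03-04T11:30:00", "bytes_out": 50_000},
    {"user": "bob",   "device": "wks-07", "ts": "2024-03-05T16:15:00", "bytes_out": 45_000},
    {"user": "bob",   "device": "wks-07", "ts": "2024-03-06T02:47:00", "bytes_out": 48_000},
    {"user": "alice", "device": "usb-99", "ts": "2024-03-06T13:00:00", "bytes_out": 2_500_000},
]

KNOWN_DEVICES = {"lap-01", "wks-07"}  # assumed asset inventory of approved devices
BUSINESS_HOURS = range(7, 20)         # assumed 07:00-19:59 working window
VOLUME_FACTOR = 10                    # assumed threshold: flag bytes_out above 10x the user's baseline

def baseline_bytes(events):
    """Per-user median bytes_out; the median is not dragged upward by a single spike."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["bytes_out"])
    return {u: median(v) for u, v in per_user.items()}

def flag_event(event, baseline):
    """Return the Article 15(b) indicator names that this single event trips."""
    reasons = []
    if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("hours")
    if event["device"] not in KNOWN_DEVICES:
        reasons.append("unknown_device")
    if event["bytes_out"] > VOLUME_FACTOR * baseline[event["user"]]:
        reasons.append("network_use_pattern")
    return reasons

def detect(events):
    """Return (user, timestamp, reasons) for every event that trips at least one indicator."""
    baseline = baseline_bytes(events)
    hits = []
    for e in events:
        reasons = flag_event(e, baseline)
        if reasons:
            hits.append((e["user"], e["ts"], reasons))
    return hits

if __name__ == "__main__":
    for user, ts, reasons in detect(EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Flagged events are the raw material for the composite alerts and incident-detection triggers that the framework in Article 10 expects; a real deployment would compute the baseline over a longer history than the events being scored.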
ICT risk management framework
Management of entities subject to DORA is required to establish an ICT risk management framework, reviewed at least annually.
Article 6 (ICT risk management framework) requires financial entities to have a risk management framework including:
“8(e) outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it.”
The ICT risk management framework requires a clear identification of risk:
“(c) setting out clear information security objectives, including key performance indicators and key risk metrics.”
The ICT risk management framework requires tooling for detecting incidents (i.e., intrusion detection, such as using composite alerts), preventing their impact (reducing the blast radius, such as by using a CIEM tool to limit access privileges to only those required), and protecting against the incidents (such as cloud posture and vulnerability management):
“(e) outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it.”
“(g) implementing digital operational resilience testing”
Financial entities are required to put in place plans and processes for recovery from a cyber-incident, as specified in Article 11 (Response and recovery) section 2:
Respond and limit damage:
“(b) quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions.”
Contain the incident and have response and recovery:
“(c) activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures established in accordance with Article 12.”
Clean backup and recovery:
Article 12 (Backup policies and procedures, restoration and recovery procedures and methods) specifies backup and restoration, including clean backups that don’t jeopardize the system, which need to be periodically tested.
Required testing under DORA:
Article 25 (Testing of ICT tools and systems) requires:
“1. The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.”
ICT risk management reporting
Article 19 (Reporting of major ICT-related incidents and voluntary notification of significant cyber threats) requires financial entities to report major ICT-related incidents, including an initial report, an intermediate report, and a final report:
“4. (c) a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates.”
Third Parties
Entities covered by DORA must ensure that their contracts with third-party ICT providers meet specific requirements set out in DORA. This includes a description of the services provided by the third-party provider and any limitations on subcontracting, assistance with managing incidents, and participation in vendor security training. For entities outside the EU, localisation is required for third-country ICT providers, so they should plan early for this.
What about the UK?
Following Brexit, when the UK departed from the EU, the UK enacted the Financial Services and Markets Bill, which is similar in scope to DORA. However, the enforcement mechanism of the UK bill is stronger than DORA's, as the UK bill allows UK regulators to make rules, give specific directions to critical third parties, and issue sanctions. Effectively, the UK has a stiffer compliance regime than the EU's DORA, with stronger enforcement and sanctions mechanisms available.
Conclusion
DORA will substantially raise the cybersecurity and compliance obligations of financial entities and of the critical third parties that provide ICT services to them. With the rapid approach of NIS2 (October 17, 2024) and DORA (January 17, 2025), companies and entities subject to these rules would be well advised to start preparing now, and to ensure they have the right processes, tooling, and training in place to be ready and compliant when these rules take effect.