By Perry Menezes for Forbes Technology Council
In November 2022, the European Union published the Digital Operational Resilience Act (DORA). The intent of this act is to add information and communications technology (ICT) requirements to the previously adopted operational resilience regulation for financial services providers in EU member states. Financial services organizations operating in the EU—and organizations providing services to EU financial service firms—are expected to comply with DORA requirements before January 17, 2025.
Why DORA?
DORA is the latest addition to the EU Digital Finance Package (DFP). The need for DORA stems from the financial sector’s dependence on ICT and information in a digital form, which has been exacerbated in the post-pandemic era. DORA is designed to promote increased digitalization of services in the financial services sector while supporting robust and resilient operations. DORA extends operational resilience requirements that were established by EU financial services regulatory bodies to include oversight for digital ICT—an important evolution to improve incident response.
Who Does DORA Affect?
DORA is an EU regulation, approved by the EU Parliament. It affects financial services organizations that operate within EU member states, including third-party service providers. U.S. firms are required to comply if they provide financial services within EU member states directly or as a third-party service provider.
DORA describes requirements in five service areas:
- ICT Risk Management: Borrows the basic NIST framework for how organizations should detect, prevent, respond to and recover from cybersecurity incidents.
- ICT Incident Reporting: Requires organizations to standardize how they classify incidents by using defined templates and reporting. Regulators will require initial, intermediate and final incident reports.
- Digital Operational Resilience Testing: Relates to the end-to-end testing of the organization’s recovery strategies and recovery playbooks to identify and address gaps, failures or other required improvements.
- ICT Third-Party Risk: Requires that dependencies, including third-party service providers, are properly contracted and risk-aligned to demonstrate management of third-party risk with full visibility into operational resilience capabilities.
- Information Sharing: Requires the sharing of risk data and threat intelligence with the community to improve threat detection and response.
Preparing for DORA Compliance
Full compliance with DORA is required before January 17, 2025. However, it is recommended that organizations begin the compliance journey as soon as possible.
In summary, most organizations will need to:
- Validate that the previous operational resilience requirements have been achieved, starting with clear definitions and mapping of the most critical business services.
- Perform an assessment of policy, procedures and security controls against DORA requirements.
- Perform an assessment of third-party contracts to ensure they are aligned with risk and resilience impact data.
- Prepare documentation that demonstrates overall operational and digital operational resilience capabilities.
Some organizations will need to take significant action just to meet the basic operational resilience expectations, and the new DORA requirements extend that implementation work to all five service areas.
…
Read the full article here: Strengthening Cybersecurity In Finance: A Look At EU DORA Regulations (forbes.com)