Deciphering DORA – Cracking open the Digital Operational Resilience Act

By Victor Marchetto, Manager, Advisory Services

Ready for a new compliance regime? Victor Marchetto, Manager of Advisory Services for Evolve Security, is ready to jump into the enjoyable details of DORA. The European Union's new Digital Operational Resilience Act (DORA) starts with a compliance target of January 17, 2025.


We live in an age where cybersecurity threats and operational disruptions are nightly news, and the critical need for robust ICT operational resilience cannot be overstated. Enter the European Union's Digital Operational Resilience Act (DORA), which sets a fresh benchmark for resilience in the financial sector. As conversations around DORA gain traction, it is essential for financial institutions to take note of the impending January 17, 2025 compliance deadline. Organizations that have not yet started preparing are under pressure to align with DORA's requirements. The following sections delve deeper into what DORA encompasses and why meeting this deadline is crucial for safeguarding the stability and security of the financial sector.

Unveiling the DORA Framework

DORA is an EU regulatory framework aimed at ensuring that financial institutions can endure and recover from disruptions to their critical services and systems. This, in turn, helps safeguard the stability of the broader economy that relies on these institutions. The regulation lays out standardized processes for managing, reporting, and responding to ICT operational risks within the financial sector. Implementing DORA is vital for fostering uniformity and resilience, particularly as the sector increasingly becomes a target for cybercriminals. Key components of DORA include mandatory reporting of ICT-related incidents, risk management of third-party ICT service providers, and extensive operational resilience testing through methodologies like TIBER-EU and threat intelligence-led penetration testing/red teaming. A primary objective is to create a robust financial ecosystem capable of effectively mitigating threats from varied sources, including cyberattacks, technological failures, and human error. By ensuring that financial institutions maintain their operations even under adverse conditions, DORA aims to increase the resilience of the financial system across Europe.

Reporting Responsibilities in DORA

The reporting procedure of DORA is crucial for understanding the nature and frequency of incidents, and it enables organizations to craft more effective mitigation strategies. Sharing incident information, responses, and near misses among financial institutions fosters a collective learning environment and strengthens resilience strategies. Beyond immediate incident management, DORA also focuses on managing ICT third-party risk. Financial institutions must ensure that their suppliers, including managed ICT service providers, IT hardware suppliers, and consultancy services, adhere to cybersecurity standards. This requirement aims to mitigate the risks emerging from supply chain vulnerabilities; the rise of these incidents has been well documented by many news organizations over the last five years. Continuous penetration testing has been identified as a path to reducing incidents: year-round pentesting uncovers the issues that emerge between point-in-time pentests.

TIBER-EU impact on DORA

The TIBER-EU methodology involves threat intelligence-led penetration testing and red teaming exercises that simulate actual cyberattacks to reconnoitre and discover vulnerabilities in critical systems. By subjecting financial institutions to rigorous testing, DORA ensures they are adequately prepared to respond to real adversaries. TIBER-EU testing is mandated at least once every three years, with the option for more frequent, self-guided testing in between.

These assessments differ from traditional penetration testing by using the tactics, techniques, and procedures employed by modern threat actors targeting financial institutions (investment banks, payment systems, central counterparties, exchanges, etc.).

During the testing phase, a threat intelligence provider produces a Targeted Threat Intelligence Report for the entity, illustrating multiple possible attack scenarios. The red team then tests the effectiveness of the entity's preventative controls and response capabilities against the identified tactics, techniques, and procedures on critical live production systems. This process tests not only the controls in place but also the supporting processes, planning, communication, and skills of the defending entity.

This strategy allows organizations to maintain high preparedness levels while offering testing flexibility. Regulatory authorities' involvement ensures that these exercises are comprehensive and uphold the highest standards.

DORA Compliance Implementation

Implementing DORA, while broad in scope, comes with its own set of challenges. The expansive nature of DORA means businesses may struggle to prepare adequately. Misinterpreting DORA's guidelines could lead to a flawed implementation, with many organizations mistakenly believing they are compliant. Adopting threat intelligence-led methodologies like TIBER-EU can be particularly challenging for those unfamiliar with them. The need for collaboration with trusted parties, vendors, and regulatory authorities adds another layer of difficulty. These challenges underscore the importance of seeking expert guidance and adopting a clear, well-structured approach to preparing for DORA.

Countdown to January 17, 2025

By safeguarding the operations of all financial institutions, DORA aims to shield the broader EU market, down to the consumer, from the cascading impacts of the battle against cyber adversaries. The act emphasizes preparedness, resilience, and continuous improvement, which are crucial for maintaining financial systems' functionality and ensuring a swift return to normalcy after disruptions. As the compliance deadline of January 17, 2025 draws near, larger organizations are expected to lead in adopting these standards. However, all affected entities must start preparations early to avoid severe non-compliance penalties. Communication with regulatory authorities, coupled with regular intelligence sharing, will be key to achieving DORA's objectives and enhancing overall financial sector resilience. In closing, DORA represents an additional compliance challenge for financial institutions, and mapping controls across all frameworks will be key to managing not only DORA but all local, regional, and international standards.
