DORA: new rules to step up operational resilience for cloud-based systems across Europe by 2025

What is DORA?

DORA lifts IT security best practice to a new level to enable resilient operations that can function through any disruption caused by cyber security incidents and IT issues. The EU sees this as necessary to protect financial institutions that are increasingly digitising their services. Without a proper framework for operational resilience, one single IT incident could potentially destabilise the EU’s entire financial system. DORA is designed to prevent this.

DORA is therefore for the common good. It will benefit businesses by providing a clear path to a higher level of operational resilience, and it protects consumers from the kind of disruption suffered by TSB customers in 2018.

It is not just a set of guidelines but rather criteria, templates and instructions that will shape how financial organisations manage ICT risk. It demonstrates that EU regulators want to be very hands-on on the topic, with a lot of reporting, communication and assessments that need to happen frequently, enabled by standardised MI and reporting.

DORA revolves around the five pillars of:

• Risk management
• Incident reporting
• Digital operational resilience testing
• 3rd party risk management
• Sharing information about cyber security threats

The EU recently agreed the principles for DORA and is now in the preparation period. During this time, businesses should make their senior leadership aware and review their risk management and cloud strategy in the light of the coming regulations. From there, they can form a plan to reach DORA compliance by late 2024.

Who must comply with DORA regulations?

DORA directly affects all EU businesses in the financial services sector, right through from banking to investment and crowdfunding. DORA compliance is not an option for them.

The regulations extend to the IT service providers who provide critical infrastructure to these organisations. The legislation therefore brings cloud service providers into the spotlight because of the crucial role they play in enabling services. They should respect DORA because it gives European Supervisory Authorities (ESAs) greater powers to investigate, request information and escalate in cases of non-compliance.

Where IT services cross national borders, DORA applies to any UK organisation that provides IT infrastructure to EU financial services businesses.

DORA should benefit other UK entities because it defines the necessary testing and precautions for operational resilience more tightly than current UK laws. With cyber security a top priority for most businesses and the government, UK enterprises should not ignore this more rigorous approach to operational resilience.

There are similarities with the UK’s own financial regulations, which may overlap with DORA in some areas such as reporting. However, DORA adds some new areas, such as the formal sharing of information about cyber security threats.

Even though the UK is outside the EU, the precautions required for DORA compliance equal a series of sensible steps to guard against the kind of penalties that TSB had to pay. TSB paid out £48 million to the PRA and the FCA plus £33 million to compensate over five million customers. All organisations can therefore benefit from knowing the DORA principles and adapting them to strengthen their own operational resilience needs.

Our experts note that DORA is attracting attention in the US as well. It may well be that DORA will become like GDPR (General Data Protection Regulation), which is now followed in other countries outside the EU.

Now is a good time for businesses to assess how far DORA applies to their operations and plan a way forward.

In practice, expect DORA to bring:

• New mandatory internal threat testing
• Advanced testing three times per year
• Closer management of third-party risks – especially the cloud services providers you depend on. DORA may imply a multi-cloud strategy to avoid dependence on one provider. This adds resiliency because one network can failover to the other.

Experts recommend starting with a gap analysis to see what should be added to gain DORA compliance. Organisations may need to build a DORA team now and allocate budgets and resources for project and implementation.

There is no silver bullet to achieve DORA compliance. It needs to be a corporate imperative, lead from the top down. With the CEO supporting the CISO, it ensures the wider business adheres to the rules by adopting the necessary training, updating processes, and implementing the right technology.

When approaching DORA compliance, here are five areas of consideration:

1. Scope the project to understand the team you need to involve and your risk appetite.
2. Mitigate risks in your existing software and infrastructure where vulnerabilities could be exploited, and breaches could occur through penetration testing and patching.
3. Provide user training and implement layers of technology to mitigate day-to-day operational risks from phishing attacks or ransomware.
4. Minimise the impact of attacks by adopting monitoring and controls to detect threats and respond to them quickly in the event of a breach.
5. Ensure you have visibility of third-party supplier risks and ask them to demonstrate the appropriate steps they are putting in place to protect your infrastructure and address risks and threats in a timely manner.

CSI can help clients achieve DORA compliance

CSI has an established client base in highly regulated industries, including financial services, where our expert teams have designed and deployed secure, compliant solutions. Working with leading technology vendors within our partner ecosystem, we are confident we can help businesses to comply with the strictest rules and governance required by the regulators.

As CSI’s CISO, my official stance is as follows:

“CSI has deep technical expertise across the Digital Operational Resilience obligation areas including ICT Risk Management, ICT and Cyber Resilience and Incident Management, ICT Third Party Risk Management in addition to broad Governance, Risk and Compliance skills. CSI adopts a standards based approach to governance, risk and compliance including certification to ISO 27001 (Security) and ISO 22301 (Business Continuity) and has supported numerous clients with their broader Operational Resilience challenges.”

DORA is complex, so our advice is to plan for it now. It brings critical changes for cloud services providers and a new, more thorough approach to operational resilience. The good news is that a service provider like CSI is already supporting clients by laying the foundations to ease their pathway into this new regulatory environment.

Want to know more?  Whether you need a no-obligation chat with a compliance expert, or need support navigating DORA, get in touch today and one of our experts will help.