Understanding DORA: Key Areas of Focus
The Digital Operational Resilience Act (DORA) is a European Union regulation that sets binding requirements for the digital operational resilience of financial entities. It applies from January 17, 2025, to more than 22,000 financial entities and to the ICT third-party service providers that support them. The aim is a single, uniform standard across the EU, one that also reaches providers established outside the EU when they serve EU financial entities.
DORA emphasizes five main areas:
- ICT Risk Management: a documented framework for identifying, assessing, and managing risks to information and communication technology.
- Incident Management: requirements for classifying ICT-related incidents and reporting major ones to the competent authority.
- Resilience Testing: regular digital operational resilience testing, up to and including threat-led penetration testing for the entities in scope.
- Third-Party Risk Management: controls over the risks that ICT third-party service providers introduce into the entity's operations.
- Information Sharing: arrangements for exchanging cyber threat information and intelligence among financial entities.
Recap of the First Batch
The first batch of DORA policy products was published in January 2024 and focused on ICT risk management and incident classification. It comprised Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) that standardize how entities build their ICT risk management framework and classify and report incidents. Third-party risk management also featured prominently, prompted by the rise in vendor-originated compromises such as the MOVEit and Ivanti incidents.
Financial entities are encouraged to prioritize vendor security, continuous monitoring, and tested incident response plans so that a compromise at a supplier does not become an outage of their own operations.
What's New in the Second Batch
The second batch, published on July 17, 2024, added reporting frameworks and oversight requirements:
- Incident Reporting: a new RTS and ITS covering the reporting of major ICT-related incidents and the notification of significant cyber threats.
- Oversight Activities: harmonized conditions for the oversight of critical ICT third-party providers, including the formation of joint examination teams (JETs).
- Penetration Testing: an RTS on threat-led penetration testing (TLPT) that sets out how in-scope entities must run intelligence-led tests against live production systems to find exploitable weaknesses.
Two sets of guidelines were also issued: one on estimating the aggregated costs and losses caused by major ICT-related incidents, and one on cooperation between the European Supervisory Authorities and national competent authorities on oversight.
Preparing for Compliance
As DORA's application date approaches, financial entities and their providers must:
- Enhance Third-Party Risk Management: assess vendors' security before onboarding and keep reassessing them throughout the relationship, rather than relying on a one-time questionnaire.
- Conduct Security Tests: run regular tests and simulations, including threat-led penetration tests where required, to surface and remediate vulnerabilities before an attacker does.
- Integrate Cyber Resilience Strategies: combine technical controls, incident response, and risk transfer such as cyber insurance into one resilience program rather than treating them separately.
The European Commission's review of these policy products is underway, and the RTS on subcontracting is still pending. By January 17, 2025, all in-scope entities must be compliant, so that their operations can continue safely amid geopolitical and supply-chain pressures. DORA gives EU firms a coherent regulatory framework for that goal.
Si West, Director of Customer Engagement at Resilience, emphasizes these steps as crucial in navigating the ever-evolving digital landscape.