The EU’s Digital Operational Resilience Act: What it means for the continent, the UK and you.
Published: 10th January 2023
In September 2020, the European Commission published its first draft of the Digital Operational Resilience Act, also known as DORA. As finance becomes ever more digitalised, cyber threats such as phishing and ransomware have the potential to cause a systemic crisis that could threaten financial stability across the continent.
DORA aims to tie together risk-management initiatives already developed by EU institutions into a single act and to ensure the EU financial sector has effective digital resilience. By consolidating ICT and third-party risk-management requirements for financial entities across Europe, DORA harmonises the union’s ICT risk-management practices.
The Digital Operational Resilience Act can be broken into several specific pillars:
- ICT Risk Management: DORA’s framework and guidelines are intended to help organisations build more mature risk-management programmes and improve operational resilience.
- ICT Incident Management Reporting: DORA expands the scope of incident reporting and streamlines the reporting process. It requires rapid incident classification, investigation and response, which helps to limit the impact of a breach.
- Digital Operational Resilience Testing: DORA requires in-scope financial entities to run resilience testing programmes based on their risk assessments. This helps to identify and correct weaknesses before they pose a threat to critical operations.
- Information & Intelligence Sharing: Through the sharing of information on breaches and risks, DORA helps the entire industry become more prepared to face ongoing cyber threats.
- Supply Chain Management: DORA imposes requirements on financial institutions’ contractual relationships with their suppliers. Financial institutions are required to have strategies for managing the risks that these suppliers create, including the potential for exiting relationships and moving to substitutes.
- Audit Access: DORA gives regulators the right to audit throughout the financial sector’s supply chain, including an oversight framework for critical ICT third-party providers, driving compliance.
- Retrospective Analysis: DORA encourages studying and revising policies based on external incidents as well. This is intended to prevent multiple organisations from falling victim to the same types of attacks.
The range of firms within DORA’s scope is vast, from credit institutions and investment firms to crypto-asset service providers.
DORA was published in the Official Journal of the EU in December 2022 and applies from 17 January 2025, 24 months after its entry into force; by then financial entities must comply with its requirements and the accompanying regulatory technical standards. Entities identified as exposed to higher degrees of cyber risk must additionally carry out advanced, threat-led penetration testing at least every three years.
The UK’s DORA Equivalent
Cyber security is an inherently transnational enterprise and, despite the break from the European Union, the United Kingdom has continued to play a crucial role in helping European countries tackle cybercrime. Similarly, the UK Government has signalled that it will legislate a UK equivalent of the EU’s DORA, introducing new regulatory requirements for technology providers in the financial services sector.
A document published in May 2022, accompanying the Queen’s Speech, outlined the Government’s plans for new legislation to support resilient outsourcing to technology providers in the financial services sector. Operational resilience in financial services has clearly become a major focus for UK regulators. Angus McFadyen, partner at international law firm Pinsent Masons and an experienced technology lawyer, says it “is a logical extension … that the Government would seek to legislate in this area.”
In anticipation of the UK’s DORA
While the UK has yet to formally establish its equivalent to the EU’s DORA, it looks fairly certain that one will be introduced in the near future. Financial services organisations ought to use DORA’s requirements as a guide to building and upgrading their own security programmes. Doing so gives them a head start when comparable regulation is passed in the UK, and for companies that want to keep existing relationships with EU-based financial firms, which may prove critical to their survival, proactive action now is a must.
A great deal of work will be needed for financial institutions to comply with DORA, alongside more resources dedicated to managing supply chains. Paying particular attention to third-party risk now should ease the strain in the run-up to DORA and the UK equivalent coming into force.
Moreover, regular testing of the organisation’s security environment, from vulnerability scanning to scenario-based and threat-led penetration tests, can identify gaps and allow them to be managed, mitigated or eliminated. This should be combined with periodic cyber security awareness training for staff, reducing the risk of human error and helping to build stronger digital operational resilience.
Third-party risk can also be reduced by introducing Zero Trust Network Access (ZTNA), which grants third parties access only to the specific applications they need, subject to identity and device checks, rather than broad network-level access, so that a compromised supplier cannot move freely across the organisation’s systems.
This, combined with an increased focus on risk reporting and information sharing, will strengthen the security of the UK’s financial services sector – not only preparing it for the likelihood of increased regulation, but building trust in the sector and securing the valuable information and investments held within the industry.
Red Helix – your Digital Operational Resilience partner
If you need help with testing, improving and reporting on your digital and cyber resilience compliance, or the means to quickly contain, investigate and report the details of breaches, contact us today to discuss your needs. We offer a wide range of managed services and self-run solutions to test and harden resilience, as well as to alert on, remediate and report on attacks and breaches.
And if you are moving applications as part of your resilience initiatives, we can also enable a smooth migration from on-premises to cloud-hosted environments.