What is the Digital Operational Resilience Act (DORA)?
DORA: A Brief Overview
The European Commission introduced the Digital Operational Resilience Act (DORA) as part of the Digital Finance Package in September 2020. DORA aims to enhance Information and Communications Technology (ICT) risk management in the financial sector by establishing common standards for all financial institutions within the EU. The Act was passed into law by EU member states after finalization and implementation in late 2022. The European Supervisory Authorities will develop technical standards for financial institutions, and national competent authorities will oversee compliance.
It also introduces an oversight framework for critical third-party providers. The Act requires firms to have measures in place to withstand ICT-related disruptions and threats. DORA creates a binding ICT risk management framework for the EU financial sector, with technical standards that must be implemented by financial entities and their critical third-party technology service providers by January 17, 2025.
On November 10, 2022, the Digital Operational Resilience Act was approved at the European Parliament’s plenary session to establish a more homogenous regulatory landscape for digital resilience and ICT-related risk management in the financial services sector. Companies will need to focus on a Digital Resilience Strategy and Framework, considering the entire ICT landscape that supports critical business functions, and address business continuity, incident management, and third-party risk.
Who Will Be Affected by the Act?
The Digital Operational Resilience Act (DORA) applies to all financial services institutions in the EU, encompassing both traditional entities like banks and investment firms, as well as non-traditional ones such as crypto-asset service providers and crowdfunding platforms.
Additionally, DORA extends its coverage to certain entities that are usually not included in financial regulations, like third-party service providers supplying ICT systems to financial firms (e.g., cloud service providers and data centers) and firms offering critical third-party information services (e.g., credit rating services and data analytics providers).
The Act covers a wide range of financial institutions, including credit institutions, payment institutions, e-money institutions, investment firms, central securities depositories, managers of alternative investment funds, UCITS management companies, administrators of critical benchmarks, crowdfunding service providers, and ICT third-party service providers. Consequently, many companies that were not previously subject to specific ICT regulations are now within the scope of DORA.
When Does DORA Come into Effect?
The European Commission initially proposed DORA on September 24, 2020. After receiving feedback from the European Central Bank, European Data Protection Board, and European Cyber Security Challenge, the Council granted the negotiating mandate on November 24, 2021.
Following discussions, both the Council of the European Union and the European Parliament formally adopted the Digital Operational Resilience Act in November 2022, completing the legislative process. Due to its complexity, the standard implementation period of 12 months was extended to 24 months. As a result, DORA will become applicable from January 17, 2025.
What Are Some of the Key Obligations under DORA?
The regulation mandates the implementation of a thorough ICT Risk Management Framework to address and mitigate ICT risks effectively. It prescribes specific criteria, templates, and instructions for financial organizations to manage both ICT and cyber risks. EU regulators will be taking an active role in overseeing this process, emphasizing frequent reporting, communication, and assessments in standardized formats. The five primary obligations areas that DORA will focus on include:
ICT Risk Management
Articles under this chapter of the Act aim to minimize ICT risk by implementing more detailed risk identificationand treatment processes. The management body of the financial entity holds ultimate responsibility for managing ICT risk. They must establish a comprehensive ICT risk management framework that guides and oversees all ICT risk-related activities. Additionally, regular testing of response and recovery activities is emphasized to ensure preparedness for potential incidents.
ICT-Related Incident Reporting
The Act requires the establishment of an ICT-related incident management process and the development of capabilities to monitor, handle, and follow up on incidents. Incidents must be classified according to specific factors outlined in the proposal. Major incidents must be reported to the relevant competent authority, following a three-tiered process as described in the proposal.
Digital Operational Resilience Testing
The proposal advocates for a digital operational resilience testing program that is proportional and risk-based. The testing should be conducted by independent parties, though external parties are not mandatory, and supported by sufficient internal resources. ICT systems and applications supporting critical or important functions must be tested at least annually. Additionally, non-micro financial entities are required to perform advanced “Threat-Led Penetration Testing.”
ICT Third-Party Risk
The proposal addresses risk management by incorporating ICT third-party risk as an integral part of the ICT risk management framework. It requires the adoption and regular review of a strategy for handling ICT third-party risk. A Register of Information must be maintained, documenting all contractual arrangements with ICT third-party service providers. Key contractual provisions for procuring and monitoring ICT services from third-party providers are emphasized. Furthermore, the proposal mandates Third-Party Risk Assessment requirements and ESA-driven assessments.
Financial entities are required to establish processes for learning from both internal and external ICT-related incidents. The Digital Operational Resilience Act promotes the participation of entities in voluntary threat intelligence-sharing arrangements to facilitate this learning. However, it emphasizes that any information shared through such arrangements must still be protected in accordance with relevant guidelines. For instance, personally identifiable information (PII) remains subject to GDPR considerations even in the context of threat intelligence sharing.
How Can Pathlock Help You Prepare for DORA?
Pathlock provides multiple modules that work both individually and as an integrated solution to implement fine-grained controls within your ERP and business applications. These solutions continuously monitor your ERP applications and are governed using globally recognized compliance rulesets to ensure that you not only stay compliant but also have a complete view of your cyber risks and security posture across applications via a centralized control framework. Here are some of the modules that enable you to prepare your application ecosystem for DORA:
Pathlock’s Vulnerability Management module continuously scans your SAP applications to identify critical vulnerabilities. It dynamically visualizes your SAP landscape, shows you where your vulnerabilities are, automatically prioritizes them, and then shows you how to remove the weaknesses in your applications. The module automates audits by applying a comprehensive ruleset that continuously monitors SAP systems. This lets you stay current on the latest patches, recommended configurations, patch deployment guidelines, and patch testing requirements. It also scans custom ABAP code to detect security vulnerabilities and compliance problems in both production and pre-production environments.
Threat Detection and Response
Pathlock’s Threat Detection and Response module provides security and application teams with focused visibility into threats facing their critical business systems. It analyzes logs from more than 60 data sources to identify critical events and combinations of non-critical/complex events to identify threats in your application environment. The module also allows security teams to prioritize their response using rule-based filtering and alerts. In addition to securing applications, Pathlock’s solution integrates with leading SIEM solutions, enabling the consolidation of incidents within your application with the rest of your IT infrastructure.
Pathlock’s Code Scanning module is a content enhancement of your existing SAP ABAP Test Cockpit (SAP ATC) with a focus on security test cases. It offers over 70 test cases that extend the scope of ATC to fill the security analysis gaps while using all the advantages of the standard SAP solution. The module also automates the manual, time-intensive process of code checking to identify ABAP code vulnerabilities resulting in faster remediation and ensuring better security and compliance.
The Pathlock Transport Control module enables organizations to continuously monitor, review, and block transports containing suspicious content by extending SAP Transport Management System (TMS) capabilities with preconfigured security controls and additional automation. The solution allows you to orchestrate security alerts, effectively respond to threats with prioritized remediation efforts, and continuously monitor the entire transport lifecycle. Users can also visualize and track critical transport activities through a centralized dashboard.
Pathlock’s Access Analysis module automates the analysis and reporting of SOD and sensitive access risks across all business applications, including ERP, HCM, and CRM platforms. With pre-defined, easily customizable rulesets for all the leading ERP systems as well as critical business applications such as SAP, Ariba, Coupa, SuccessFactors, PeopleSoft, and more, Pathlock ensures quick time-to-value for your organization by reducing risk and costs using an automated, cross-application approach to risk analysis. The module provides a centralized view of SOD risk and the ability to quickly resolve all existing role conflicts eliminating the need for traditional risk identification using spreadsheets.
Pathlock provides the industry’s most robust library of compliance controls for business-critical applications. This controls library is aligned with data security mandates and frameworks such as SOX, PCI, HIPAA, GDPR, CCPA, and more.
Get in touch with us today for a demo.