Digital Operational Resilience Act (DORA)
28.07.2024

Pillar I: ICT Risk Management
- Organisations will have to set up a structured and detailed risk-management process that classifies and monitors cybersecurity risks from a structured and broad business perspective, and that tests and evaluates the cybersecurity measures. Attention is also required for the risks of legacy systems and for complete insight into the existing IT assets and their corresponding risks. The intended result is a high and safeguarded level of cyber resilience.
- The organisation shall produce a uniform ICT risk management framework that includes at least strategy, policy, procedures, IT protocols and tools. This is required to protect all information and IT resources, including computer software, hardware, servers, physical components and infrastructure, buildings, data centres and sensitive environments. This means the framework must be elaborated in detail, based on the current operational IT situation, and must take cyber threats into account when determining risks.
- Organisations should identify and classify all sources of cybersecurity risk. The risks and their classification should be monitored continuously. This classification and monitoring also covers the services of any IT third-party service providers. Significant changes in IT resources or infrastructure require a new evaluation of the risks. Periodically, and at least annually, a specific risk assessment should be carried out of legacy systems that no longer receive adequate security updates.
- Top management is responsible for the cyber resilience risk management and framework and shall ensure that adequate knowledge of cybersecurity and resilience is available at board level. The responsibilities and tasks for cybersecurity are defined and implemented within the organisation. At the request of the supervisory authority, a financial institution shall be able to present the entire ICT Risk Management Framework and its supporting documentation. This framework should also cover cyber risks.
Pillar II: ICT Incident Reporting
- DORA imposes a duty to report serious cybersecurity incidents to the relevant competent authorities and offers a voluntary option to report less serious incidents. Organisations should have a centralised system for recording IT and cybersecurity-related incidents.
- Measures aimed at detection are also a requirement within DORA; in particular, they concern detecting anomalies in data flows and network traffic, and detecting cyber-attacks.
Pillar III: Digital Operational Resilience Testing
- DORA not only imposes requirements on having an ICT business continuity policy, including a recovery plan, but also requires that this policy be verifiably implemented and that periodic recovery tests be carried out. DORA points out that activities outsourced to IT third-party providers should also form part of this.
- Testing cyber resilience is another express element of DORA, with specific attention to the cyber resilience aspects of incident response, disaster recovery, and back-up facilities and procedures.
- Penetration tests should be carried out on the basis of risk analyses and recognised cyber threats (threat-led penetration testing). These obligations also apply to any IT third-party service providers. Requirements are imposed on the penetration tests in terms of approach and the reputation of those performing them. Penetration tests and red teaming activities must be founded on a risk-based approach and carried out in a structured manner. Penetration testers must be accredited by a European body or work under professional and ethical rules.
- Financial institutions should use up-to-date systems, software and tools focused on managing risks, and they should be able to cope with crisis situations and safeguard the continuity of their processes.
Pillar IV: ICT Third-Party Risk Management
- First of all, DORA is the first legislative framework in the world to give financial supervisory authorities a mandate to supervise IT third-party providers that are crucial to a financial institution, including Cloud Service Providers (CSPs).
- DORA imposes requirements on contractual agreements between financial institutions and IT service providers regarding cybersecurity, and on IT service providers' obligations to cooperate with cybersecurity assessments and with off-site and on-site cybersecurity audits by supervisory authorities. It is fairly certain that organisations will have to revise and tighten the agreements they have reached in the area of cybersecurity in order to make them DORA compliant.
Pillar V: Information And Intelligence Sharing
- DORA creates a statutory framework for exchanging cyber-threat information and everything associated with it, be that techniques, indicators of compromise or security tooling. This links in well with existing exchanges in the area of cybersecurity, such as the P(ension)-ISAC, the P(ayment)I(nstitutions)-ISAC and the F(inancial)I(nstitutions)-ISAC. Smaller financial institutions will have to join sector-based or other Information Sharing and Analysis Centres (ISACs).
- Supervisory authorities have the option to impose fines in the event of non-compliance with the DORA obligations.