Be DORA Ready: DORA Compliance Checklist

The enforcement date for the Digital Operational Resilience Act (DORA) regulation is fast approaching – January 17, 2025. 

Financial institutions across the European Union must be prepared for the upcoming changes, using tools like a DORA compliance checklist, as the act seeks to improve the digital resilience of financial entities against cyber threats. 

Does the industry need this? Absolutely. According to the IBM Cost of a Data Breach Report 2023, the financial sector ranks second globally in breach cost, at approximately $5.9 million per data breach in 2023, against an average of $4.45 million across all industries. The report also shows that there were twice as many cyber attacks on financial institutions in 2023 compared to 2022.

Introduction to DORA

DORA is a regulatory framework established by the European Union (EU) to strengthen digital operational resilience in financial institutions. It aims to make these entities able to withstand, respond to, and recover from IT-related disruptions and risks. It forms part of wider efforts to enhance cyber security, including security testing and sound operation, within Europe’s finance sectors.

DORA also addresses the increasing complexity and interdependence of the digital systems underpinning financial services. It sets uniform standards across member states, so that protection and continuity of operations do not depend on which national regime an entity falls under.

The requirements are stringent. Financial institutions must re-engineer their internal processes and systems, creating a more resilient and secure environment. Overall objectives include establishing a solid framework that reduces risk and enhances trust and stability within an evolving digital threat landscape.

DORA applies to most financial entities, including banks and credit institutions, insurance providers, investment firms, payment institutions, crypto-asset service providers, fintech companies, etc. If it’s a financial institution, chances are high that DORA applies to it. ICT third-party service providers supporting these companies are also brought within the regime, with those designated as critical placed under direct EU oversight. It’s the entire financial ecosystem.

DORA complements existing EU cybersecurity regulations, such as the GDPR and NIS2 Directive – both the GDPR and NIS2 Directive are legal measures that boost cybersecurity in the EU.

 

Integrating GDPR and NIS2 requirements

Each complements DORA by providing broader cybersecurity and data protection requirements applicable across the EU. The GDPR focuses on protecting personal data and privacy, so financial institutions must manage information responsibly and transparently. NIS2, by contrast, emphasises cyber security risk management and incident reporting for essential and important entities; for financial entities in scope of DORA, DORA takes precedence as the sector-specific act.

To establish a cohesive, comprehensive cybersecurity approach, financial institutions must integrate their efforts to comply with DORA to ensure it aligns with GDPR and NIS2. It’ll ensure all aspects of data protection, cyber security, and operational resilience are covered, creating a holistic framework for digital threat management and regulatory compliance.

 

Compliance Timeline

DORA entered into force on January 16, 2023. Organisations were given two years to realign themselves with the new requirements, as the regulation applies from January 17, 2025. To this effect, the European Supervisory Authorities have been developing regulatory technical standards (RTS) and implementing technical standards (ITS), which provide the detailed requirements that our DORA checklist follows.

 

DORA Requirements

DORA is built around five essential pillars, which the technical standards elaborate:

IT Risk Management

Institutions must establish a comprehensive ICT risk management framework, approved and overseen by the management body. This involves ongoing monitoring, identifying potential cyber threats, and deploying appropriate cyber security measures. Regular assessments and updates are essential for the framework to remain effective.

IT Incident Reporting

Companies must classify ICT-related incidents and promptly report major ones to their competent authority, through an initial notification followed by intermediate and final reports on fixed timelines. This aims to improve understanding of IT risks across the financial sector and promote a coordinated response mechanism for incidents.
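The reporting timelines for a major incident interact in a way that is easy to get wrong: the initial notification is due a fixed number of hours after the incident is classified as major, but it is also capped at a fixed number of hours after the entity first became aware of it, and the later reports are measured from when the previous report was actually submitted. The following Python example, added here and not part of the original page, computes those deadlines. The durations it uses (4 hours from classification, capped at 24 hours from awareness; 72 hours for the intermediate report; one month, approximated as 30 days, for the final report) are this example’s reading of DORA’s incident reporting technical standards and should be checked against the published text; the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Reporting windows for a major ICT-related incident. These values are an
# assumption of this example (our reading of the DORA incident reporting
# technical standards); verify them against the published standards.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # 4 h after classification as major...
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)   # ...but never later than 24 h after awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # 72 h after the initial notification is submitted
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)       # "one month" after the intermediate report; 30 days assumed


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; naive datetimes are rejected below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime

    def overdue(self, now: datetime) -> List[str]:
        """Names of the reports whose deadline has already passed at `now`."""
        due = (("initial", self.initial),
               ("intermediate", self.intermediate),
               ("final", self.final))
        return [name for name, when in due if now > when]


def reporting_deadlines(aware_at: datetime,
                        classified_major_at: datetime,
                        initial_submitted_at: Optional[datetime] = None,
                        intermediate_submitted_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Compute the three reporting deadlines for one major incident.

    aware_at:                 when the entity became aware of the incident
    classified_major_at:      when it was classified as major
    initial_submitted_at:     when the initial notification actually went out (if known)
    intermediate_submitted_at:when the intermediate report actually went out (if known)
    """
    stamps = (aware_at, classified_major_at, initial_submitted_at, intermediate_submitted_at)
    if any(t is not None and t.tzinfo is None for t in stamps):
        raise ValueError("all timestamps must be timezone-aware")
    if classified_major_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")

    # The initial notification clock is the earlier of the two windows: a slow
    # classification does not buy extra time beyond the cap from awareness.
    initial = min(classified_major_at + INITIAL_AFTER_CLASSIFICATION,
                  aware_at + INITIAL_CAP_AFTER_AWARENESS)

    # Later clocks run from the actual submission of the previous report when
    # that is known; otherwise assume the report goes out exactly on its deadline
    # (the latest, i.e. worst-case, schedule).
    intermediate = (initial_submitted_at or initial) + INTERMEDIATE_AFTER_INITIAL
    final = (intermediate_submitted_at or intermediate) + FINAL_AFTER_INTERMEDIATE
    return ReportingDeadlines(initial, intermediate, final)


if __name__ == "__main__":
    # Constructed scenario: aware on 3 March at 09:00 UTC, but the incident is
    # only classified as major 33 hours later, so the 24 h cap from awareness
    # is the binding deadline and the initial notification is already overdue.
    aware = utc(2025, 3, 3, 9, 0)
    classified = utc(2025, 3, 4, 18, 0)
    deadlines = reporting_deadlines(aware, classified)
    print("initial due     :", deadlines.initial.isoformat())
    print("intermediate due:", deadlines.intermediate.isoformat())
    print("final due       :", deadlines.final.isoformat())
    print("overdue now     :", deadlines.overdue(classified))
```

The design point is the `min()` on the initial deadline: tracking only the 4-hour window from classification silently extends the deadline whenever classification is slow, which is exactly when the regulator will ask why. Feeding in the real submission times for the earlier reports keeps the later deadlines honest rather than assuming each report went out at the last possible moment.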

Digital Operational Resilience Testing

Entities must regularly test their digital operational resilience against IT disruptions. All ICT systems supporting critical or important functions need basic testing at least annually, and entities designated by their competent authority must additionally carry out Threat-Led Penetration Testing (TLPT) at least every three years. TLPT emulates the tactics of real attackers against live production systems, following the TIBER-EU approach, and assesses how robustly the cyber security defences actually hold up rather than how they are designed on paper.

IT Third-Party Risk Management

ICT third-party service providers must be subject to due diligence before contracting and close monitoring afterwards, in line with DORA. To minimise the chance of disruption or breach originating with a provider, financial entities must bring these providers into their own risk management processes, maintain a register of all contractual arrangements, and keep exit strategies for providers supporting critical or important functions.

Information and intelligence sharing

Sharing information about cyber threats between financial entities helps improve overall robustness within the industry. It also assists in detecting threats earlier and addressing them more effectively. Collectively, it makes it easier for each participant to detect, protect against, and respond to an attack that another has already seen.

 

Crisis Management: Ensuring Preparedness and Resilience

As the enforcement date for the Digital Operational Resilience Act (DORA) approaches, financial institutions must not only comply with regulatory requirements but also be prepared for potential crises that could disrupt their operations. Effective crisis management is a critical component of digital resilience, enabling organisations to respond to and recover from cyber attacks or other operational disruptions swiftly and efficiently.

A robust crisis management plan includes clear procedures for handling:

  • Public Relations (PR) and communication
  • IT investigations
  • Client and supplier notifications
  • Regulatory notifications

Organisations must be prepared to face regulators, legal challenges, the press, customers, suppliers, and possibly the general public, depending on their industry.

Leveraging Crisis Management Platforms

To modernise the approach to crisis management, Acora, in partnership with Immersive Labs, offers a comprehensive platform that manages all elements of a crisis simulation. This platform enables businesses to conduct engaging and contextualised crisis management sessions with executive teams, ensuring that everyone understands their roles and responsibilities.

Key Features of the Platform:

  • All-in-One Management: Integrates various aspects of crisis response into a single platform.
  • Role Clarification: Helps executives understand their specific roles during a crisis.
  • Voting Mechanism: Encourages participation and decision-making across the team, exposing different responses to the same problem.
  • Scenario-Based Training: Utilises real-world scenarios to prepare teams for various types of cyber incidents, including data breaches and ransomware attacks.

Benefits of Crisis Management Simulations

Running regular crisis management simulations provides several benefits:

  • Enhanced Preparedness: Teams become familiar with their roles and can respond more effectively during a real crisis.
  • Improved Decision-Making: Simulations highlight the importance of quick and informed decision-making in stressful situations.
  • Operational Stability: By refining incident response plans, businesses can minimise downtime and maintain operational continuity during disruptions.

Example Scenarios:

  • Data breaches involving sensitive information
  • Cyber attacks targeting critical infrastructure during peak business periods
  • Phishing attacks leading to unauthorised transactions
 

Your DORA Requirements Checklist

To aid your understanding of the intricate provisions of DORA, this is a comprehensive DORA compliance checklist you can use to ensure compliance:

Delineate Scope and Applicability

  • Find out whether your organisation falls under the scope of DORA (remember, most financial institutions do). Article 2 of the Regulation lists the entities in scope.
  • Identify which ICT third-party service providers support your critical or important functions, as these arrangements carry the heaviest contractual and oversight obligations.

Undertake a Gap Analysis

  • Conduct a systematic maturity assessment against DORA requirements to find gaps in your current information and communication technology systems and processes.
  • Assess the risks linked to third-party suppliers.

Create a Road Map for Remediation

  • Establish a detailed plan to address identified gaps, prioritising actions based on risk and feasibility.
  • Set realistic timelines for implementing remediation activities.

Deploying IT Risk Management Frameworks

  • Establish strong IT risk management policies, procedures, and standards.
  • Monitor cyber threats and vulnerabilities continuously, and review how their patterns and intensity change over time.

Establish Procedures for Reporting Incidents

  • Develop protocols for classifying incidents and promptly reporting major ones to the relevant authorities within the prescribed timelines.
  • Establish clear communication paths for incident response, so that the people who detect an incident can reach those who must classify and report it.

Conduct Regular Resilience Testing

  • Implement a resilience testing programme, including Threat-Led Penetration Testing (TLPT) where required, to test your IT systems against simulated cyber attacks.
  • Regularly test and review results to enhance defences.

Third-Party Risk Management

  • Ensure that stringent oversight is implemented, including due diligence on ICT third-party service providers and a register of information covering all contractual arrangements with them.
  • Contracts with these providers must include the terms DORA requires, such as audit and access rights, service level descriptions, and termination and exit provisions.

Promote Information Sharing

  • Participate in industry initiatives aimed at sharing cyber threat information and intelligence.
  • Establish internal procedures for exchanging cyber threat information with other financial institutions, and for acting on what you receive.

Educate Your Board

  • The board members and senior executives must understand their roles under DORA.
  • Continuous training on IT risks and digital operational resilience strategies is necessary.

Continuous Monitoring and Improvement

  • Regularly update the IT risk management framework, including after major incidents and test findings.
  • Carry out periodic assessments to ensure continued conformity with DORA requirements.
 

Consequences of Non-Compliance

Breaking DORA rules can result in substantial fines, withdrawal of authorisation to operate, and public reprimands, all of which institutions can work to avoid with the DORA checklist. Financial penalties for financial entities are set by each member state and can be severe. For critical ICT third-party service providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover in the preceding business year, charged daily for up to six months. And non-compliance also leads to reputational damage, loss of customer trust, and increased exposure to cyber risks.

The consequences of failing to meet DORA compliance requirements go beyond immediate financial losses. Regulatory authorities may place non-compliant institutions under continued scrutiny, diverting attention and resources from core business operations. Legal challenges and the possibility of civil litigation add further costs and complexity.

Ignoring DORA also strains relationships with partners and other stakeholders, who depend on robust cybersecurity practices in a financially interconnected ecosystem.

Complying with DORA is paramount for EU-based financial entities. It protects against regulatory penalties and enhances their overall security posture, making them more resilient to emerging IT threats in the finance sector. Do you feel DORA ready with our DORA compliance checklist?