DORA: Compliance With The EU Digital Resilience Act

Uploaded on 2023-08-14 in FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Financial

The EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a significant development in how the Bloc regulates finance. The deadline for complying with the EU’s new DORA regulation is fast approaching.

But what exactly is DORA, and what are the risks associated with non-compliance?

What Is DORA?

Currently, financial institutions manage the main operational risk categories via capital allocation. The difference post-DORA is that they will now be expected to manage all areas of operational resilience and adhere to a set of rules around protecting, detecting and containing ICT-related threats. 
 
DORA also sets out rules explicitly pertaining to ICT risk management, incident reporting, operational resilience testing and third-party risk monitoring. Within the regulation is the acknowledgement that such incidents and a lack of preparedness for them have the potential to impact the entire financial system in a major way – this is despite a “sufficient” level of capital for traditional risk assessments. 
 
Why Is DORA Important?
 
The main objective of DORA is to ensure all parties involved in the European financial system have adequate protection against cyber-attacks and other data-related risk factors. Part of this will require organisations to prove their resilience against various ICT-related threats.
 
Many of the finer technical details are still being finalised by local regulators. However, some key areas where DORA will impact have already been identified. These include:  

•    Risk Management
•    Incident Reporting
•    Testing and Scenario Analysis
•    Outsourcing Assessment
•    Supervision   

As a result, cyber-attacks – such as the recent event at Capita, should be avoided. In March 2023, Capita experienced a security breach that compromised its pension fund, with members being informed that their data had been stolen. The attack on the outsourcer’s administration services led to multiple private sector pension funds being affected.

The Problem

As promising as this sounds, there are inevitably some issues. All financial entities operating in the EU have a deadline of 17th January 2025 to be DORA-compliant – less than 18 months away. Time is of the essence here, as ISMS.online’s recent “The State of Information Security” report highlights. Drawing from 500 UK infosec professionals representing managers, directors and C-level executives, the average company takes 15.5 months to align its operations with any given regulation fully. 
 
Although the survey also found that just 27% of companies say they are struggling to comply with the regulation, this time window suggests otherwise. 
 
The Solution
 
Apart from the external pressure of deadlines, companies should be motivated to comply. One reason is that strong cyber-security, far from being a burden, is a significant competitive asset for any organisation. In today’s digital, fast-paced business environment, ensuring sound information security, data privacy, and cybersecurity is becoming ever more vital to the success and longevity of a business. 
 
To this end, smart, forward-thinking business leaders are mobilising their people and various software to place information security at the heart of the organisation. In doing so, they are positioning themselves ahead of their competition in multiple ways. 
 
One crucial benefit is the increased confidence stakeholders have in the business. Staff, customers and decision-makers can leverage this “digital trust” to seize new opportunities unavailable to those without superior information security. This increased level of trust will, in turn, accelerate regulatory compliance. 
 
Conversely, businesses that do not invest in this will have to deal with increased cyber-attacks, potentially deadly costs to finances and reputation. Worse still, the scope of cybercriminal activity is only becoming wider as we increase our reliance on data and cloud services. The result is a rise in industrial-scale cybercrime, as nefarious actors operate as businesses.
 
Safeguarding Future Prosperity 
 
As the deadline for DORA compliance draws closer, businesses must step up infosec investment to ensure they meet it on time. So, how does a business start making the transition?

It all begins with investments into the right technology, processes, and people that will ensure businesses have all they need to deliver a swift, effective counter to any inbound cyber threats and ensure regulatory compliance. 
 
But this cannot be achieved unless members of the organisation are well-informed. In the event of a crisis, employees are the first line – and often strongest – of defence and understand the role they have to play in safeguarding data and critical assets. Crucially, senior members of the organisation must demonstrate sound leadership and communication skills to establish a robust security culture.

Investing in this training and infrastructure today is the best way to ensure consistent, future-proof growth tomorrow.

Christopher Gill is Governance, Risk Management, Compliance and Audit Specialist at ISMS.online  

Image: Peter Linforth

You Might Also Read: 

Imminent: Cybersecurity Regulations For US Financial Services:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Understanding Malvertising Attacks
Beyond Traditional Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

Ministry of Defence Georgia - Cyber Security Bureau

Ministry of Defence Georgia - Cyber Security Bureau

The aim of the Cyber Security Bureau is to establish and develop stable, effective and secure Information and Communication Technology systems for the Civil Office of MoD of Georgia.

AppSec Labs

AppSec Labs

AppSec Labs specialise in application security. Our mission is to raise awareness in the software development world to the importance of integrating software security across the development lifecycle.

herdProtect

herdProtect

herdProtect is a second line of defense malware scanning platform powered by 68 anti-malware engines in the cloud.

Phew

Phew

Phew are New Zealand cyber security specialists with expertise and experience forged in global financial markets, IT&T, management consulting and SME business management.

Proton Data Security

Proton Data Security

Proton Data Security is a certified small business specializing in the design, manufacturing and sales of data security products for permanent erasure of hard drives, tapes and optical media.

Viakoo

Viakoo

Viakoo is an Enterprise IoT Applications Management company providing performance, security, and compliance. Viakoo enables you to be proactive in maintaining cyber hygiene and protecting your network

Digital Pathways

Digital Pathways

Digital Pathways is an award-winning data security provider that helps businesses protect their digital assets.

ADVA Optical Networking

ADVA Optical Networking

ADVA is a company founded on innovation and focused on helping our customers succeed. Our technology forms the building blocks of a shared digital future and empowers networks across the globe.

Zaviant Consulting

Zaviant Consulting

Zaviant Consulting is a leading data security and privacy consulting firm assisting organizations comply with constantly evolving security frameworks and privacy regulations.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.

Trustifi

Trustifi

Trustifi leads the market with the easiest to use and deploy email security products, providing both inbound and outbound email security from a single vendor.

Secrutiny

Secrutiny

Scrutiny's core services include Cyber Maturity, Cyber Risk Analyser, Cyber Controls, Incident Response, SOC, Cyber Recovery and Assurance Testing.

Sekoia.io

Sekoia.io

Sekoia.io is a European cybersecurity company whose mission is to develop the best protection capabilities against cyber-attacks.

CipherStash

CipherStash

CipherStash is a complete data governance and breach prevention platform.

WeVerify

WeVerify

WeVerify is a platform for collaborative, decentralised content verification, tracking, and debunking.