The Digital Operational Resilience Act (DORA): legislation and technology going hand in hand

The Digital Operational Resilience Act (DORA) entered into force on the 16th of January 2023 and will be applicable starting from the 17th of January 2025. DORA introduces an overarching framework for the management, by financial institutions, of their cybersecurity risk, both internal and stemming from third-party providers. Due to the specific risks to which the financial sector is exposed, the legislator has deemed it necessary to provide a specific and more stringent framework than the one laid down by the NIS Directive.

The technical standards issued under DORA aim at ensuring a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.

Its main purpose is enhancing and strengthening the digital operational resilience of the diverse entities across the EU financial sector and harmonising the key digital operational resilience requirements that apply to them.

  • Compliance with DORA is mandatory for financial institutions (FI). However, DORA’s scope relies on a rather broad definition of this category. Notably, alongside entities traditionally identified as FI, such as credit institutions, DORA also encompasses new types of players, such as crypto-asset service providers. The aim is to guarantee that any entity which is a nexus of the financial system has sufficient cyber-safeguards in place to protect its customers and the system at large. In this sense DORA encompasses the following categories:
    • Credit institutions; payment institutions; account information service providers; electronic money institutions; investment firms; central securities depositories; central counterparties; trading venues; trade repositories; managers of alternative investment funds; management companies; crowdfunding service providers
    • Crypto-asset service providers as authorized under MiCAR and issuers of asset referenced tokens
    • Institutions for occupational retirement provision, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
    • Data reporting service providers; credit rating agencies; administrators of critical benchmarks; securitization repositories.
    • ICT third-party service providers

Life in Codes is teaming up with Gabriele Mele to tackle this milestone for financial organizations in Europe and beyond.

Gabriele has a very solid background and practical experience in European Digital Law and its application. He brings his legal expertise to financial organizations that need guidance in the process of becoming DORA-compliant, with reference to the cybersecurity framework of the NIS 2 Directive and ISO/IEC 27001:2022.


While the legal angle is the first one to be covered, it is closely seconded by the technical expertise of the Life in Codes team. For years we’ve been helping financial organizations reach ambitious objectives when it comes to work, service, or knowledge management. The most popular solutions came from the Atlassian umbrella, while the expertise of our consultants goes well beyond this.


The DORA legislation requires very close collaboration between legal and technical expertise, which is why this partnership came together to serve financial organizations.

An organizational framework design supported by improved control functions can help banks enhance and better integrate the ICT risk framework with the ICT resilience strategy and architecture design.

We can design and implement models for the Business Continuity and Operational Resilience framework and strengthen cyber security awareness through tailored training programs.

 

The financial entity’s management body is ultimately responsible for establishing the organization and governance structure to effectively manage ICT risk. DORA outlines a set of responsibilities and requirements that the management body must fulfill, one of which is for them to enhance and sustain their understanding of ICT risk.

Our team has a successful track record in supporting banks with designing and reviewing their Cyber Incident Response Framework, leveraging advisory skills and technical capabilities related to security incident management and response processes.

We can support banks in improving and strengthening their Cyber Incident Response Framework in terms of organization, processes, and tools.

Jira Service Management (by Atlassian) is a powerful application designed and built for all kinds of Service Management.

It is highly customizable to fit an organization of any complexity and size, loaded with powerful automation features, and highly compatible with the rest of Atlassian’s ecosystem, providing seamless collaboration, easy access to information and documentation, and allowing for expansion to adapt to current business needs.

It can be used for (but not limited to): incident management, problem management, change management, Support / Helpdesk, CMDB / Asset management.

Statuspage (by Atlassian): by communicating real-time incident status to users, it helps avoid duplicate support tickets and keeps stakeholders informed while an incident is being handled.

Confluence (by Atlassian) is the perfect team workspace where knowledge and collaboration meet. To be used for collaboration, contracts, procedures, versioning documents and attachments. It allows the creation of a single source of truth with flexible support for documents, spreadsheets, text, tables, images, timelines, and more. It also comes with lots of templates, including: vendor agreement, incident communication, product requirements. We also propose the use of the add-on Requirements Yogi to allow requirements management in Confluence.

To further provide the tools necessary for DORA compliance, some add-ons can be installed on top of Jira Service Management:

  1. Hedge: Risk Management, Risk Register & Risk Matrix for Jira: although basic risk management can be achieved by adding custom fields with appropriate values, to be filled in by the reporter or by team members, Hedge is very useful for more sophisticated requirements and reporting, providing features such as a Risk Matrix and a Risk Register
  2. Xray Test Management for Jira, the most popular test management add-on for Jira, allows us to manage test plans, test executions and test steps
  3. Refined Sites for JSM | Theme ITSM, HR, Help & Service Desks and Refined Sites for Confluence | Intranets, Documentation, KBs allow us to build custom, themed service desks
  4. eazyBI Reports and Charts for Jira and/or Dashboard Hub Pro for building advanced dashboards and reports
  5. Revyz Data Manager for Jira to manage and restore backups

Our team can establish policies and procedures for the cyber resilience testing program and implement testing activities (tabletop exercises, cyber range, red teaming, physical security analysis).

Furthermore, it can lead the implementation of Threat-Led Penetration Testing (TLPT) according to the TIBER-EU framework, acting as threat intelligence and red teaming provider, while also taking the bank’s own security advisory capabilities into account.


Firms will need to change their incident classification methodology to fit with the requirements. They will also need to set up the right processes and channels to be able to notify the regulator fast in case a major incident occurs. Based on what gets classified as “major”, this might happen frequently.

The biggest challenge of digital operational resilience testing: it is likely that critical firms will need to organise this threat-led penetration test by the end of 2024, and this type of test requires a lot of preparation. The fact that it needs to involve critical ICT third parties also means they must be involved in the preparation. Firms that are in scope (possibly firms already in the scope of the NIS regulation) should start thinking about the scenario as soon as possible to enable validation with the regulator at least 2 years before the deadline.

We can support banks designing and reviewing the framework for third party management.

Our team can evaluate the critical third-party providers and the services outsourced or contracted to ICT third-party service providers on a regular basis (once every three years or once per year, depending on complexity and risk profile).

In conclusion, our team can provide continuous support throughout all the steps foreseen in the Third Party Risk Management (TPRM) process and provide information sharing guidelines and policies.


ICT third-party providers will need to determine (through legal and IT experts) if they’ll fall under the critical category. This will require an evaluation of all the characteristics that define criticality according to the DORA.


Third-party providers that fall under this category will need to start planning how they will ensure oversight framework compliance – a strategy that could involve the establishment of dedicated regulatory teams and data security software.


Financial firms will also need to determine which of their third-party cloud service providers will be classified as critical.


The level of DORA compliance of all critical vendors should be tracked through risk assessments and third-party attack surface monitoring software.


All non-critical vendors should be mapped to alternate outsourcing options in the event of an ICT incident impacting each vendor.


Financial entities not currently implementing Threat-Led Penetration Testing (TLPT) will need to source independent providers for this service.


The activity of the ESAs will need to be closely monitored to gain early visibility of the testing requirements as soon as the details become available.

Current response and recovery strategies will need to be measured against DORA’s requirements with a specific focus on the legislation’s incident reporting process.

Alignment with DORA’s reporting process could involve the optimization of current resource allocations and modifications to current internal reporting channels.

A maturity risk assessment should be completed against all of DORA’s requirements to determine all compliance gaps. This will enable a more efficient overhaul of all impacted ICT systems, such as the incident management, asset management and risk management tools.


To share some concrete examples from our portfolio, we’re proud to have supported a large organization like Swift with control testing framework and asset management solutions. When it comes to incident management, a good case study would be the implementation we’ve recently worked on for Salt Bank.

We can help financial institutions comply with the DORA regulatory requirements by leveraging our expertise in IT risk management, outsourcing, operational risk and operational resilience. We have helped a multitude of clients in understanding operational resilience regulatory requirements and implementing them by adapting internal processes and procedures and/or developing new solutions to achieve full compliance.

DORA, which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities.

The ESAs expect to submit the draft technical standards to the European Commission and issue the guidelines by 17 July 2024.

The first batch consists of four draft Regulatory Technical Standards (RTS) and one set of draft Implementing Technical Standards (ITS). Based on the feedback received in the public consultation, the legal instruments will be finalised and submitted to the European Commission by 17 January 2024. The first batch covers Art. 15, 16(3), 28(9) and 28(10) DORA. The second batch, to be submitted to the Commission by 17 June 2023, covers the following areas:

  • Art. 11(11): response and recovery
  • Art. 20a and 20b: harmonisation of reporting content and templates
  • Art. 26(11): advanced testing of ICT tools, systems and processes based on Threat-Led Penetration Testing (TLPT)
  • Art. 30(5): key contractual provisions
  • Art. 32(7): structure of the oversight framework
  • Art. 41: harmonisation of the conditions enabling the conduct of the oversight activities

Furthermore, given the complexity of the compliance framework DORA envisions, the legislation provides for a grace period. Notably, covered entities are required to be prepared and compliant by the 17th of January 2025.
