Boosting Business Continuity Through the Digital Operational Resilience Act (DORA)
While digitalization has brought many benefits, it has also increased the finance sector’s reliance on information and communication technology (ICT), leading to more digital risks like cyber attacks, ICT disruptions, data corruption and loss. To address security threats and improve operational resilience in the finance sector, the European Union ratified DORA, the Digital Operational Resilience Act.
This blog explores how the new EU regulation can help financial entities improve ICT risk management for a more secure financial ecosystem. It also covers how NAKIVO can assist financial institutions in achieving DORA compliance.
What Is the Digital Operational Resilience Act (DORA)?
Overview and Purpose of DORA
The Digital Operational Resilience Act (DORA) is European regulation 2022/2554, formally ratified by the European Parliament and Council of the European Union in November 2022. The first DORA draft was suggested in 2020 as part of the Digital Finance Package (DFP), which set out the EU strategy, recommendations and legislative proposal on crypto assets, blockchain and digital resilience for the finance sector.
The regulation aims to establish a standardized legal framework for EU financial institutions and their third-party IT providers to strengthen the operational resilience and security of ICT systems. In other words, one of the main DORA goals is to mitigate cyber threats, ICT breaches and disruptions in the finance sector.
Financial institutions and their third-party ICT providers should implement the DORA framework and technical standards by January 17, 2025.
Regulatory Bodies Enforcing DORA
Even though the EU officially adopted DORA in 2022, the EU Supervisory Authorities (ESAs) are still developing the regulatory technical standards (RTS) under the Act. Three ESAs – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – have released the first draft in January 2024 and are expected to finalize RTS by the end of the year. After the ESAs submit the final RTS to the EU Commission, the standards will be ratified by the Parliament and Council.
The RTS enforcement and compliance oversight lies with respective national competent authorities, who have yet to be finalized. Enforcement begins once the authorities are designated and the January 2025 deadline has passed.
Key Requirements of the DORA Act
The DORA regulation sets out security requirements for the network and ICT systems of finance institutions and their third-party providers. These requirements cover four major aspects of ICT security:
- ICT risk management (Chapter II). Emphasizing management responsibility for ICT disruptions and establishing a common framework for detecting, identifying, managing and mitigating ICT threats.
- ICT incident management, classification and reporting (Chapter III). Standardizing ICT incident reporting obligations and broadening the scope of incidents to be reported to authorities.
- Digital operational resilience testing (Chapter IV). Mandating risk-based resilience testing of critical ICT systems, with advanced threat-led penetration tests (TLPT), to be carried out at least every 3 years.
- ICT third-party risk management (Chapter V). Requiring financial institutions to set risk monitoring rules for their third-party providers, including risk-related provisions in their contracts, and imposing penalties for non-compliance.
- Information sharing (Chapter VI). Introducing information-sharing arrangements where financial entities can exchange their cyber threat information and intelligence to raise awareness of new threats and share threat mitigation strategies.
Who Must Comply with the Digital Operational Resilience Act?
Organizations Covered Under DORA
Financial institutions and entities whose activities are critical for the finance sector’s infrastructure fall under DORA’s scope:
- Credit and payment institutions
- Electronic money institutions
- Crypto-asset service providers
- Investment firms and managers of alternative investment funds
- Insurance and reinsurance companies and intermediaries
- Trading venues and trade repositories
- Pension funds
- Central securities depositories, central counterparties and securitization repositories
- Service providers, including services like account information, data reporting, management, crowdfunding
- Credit rating agencies
- Administrators of critical benchmarks
- Third-party ICT service providers, including cloud service providers
Risks of Non-Compliance with DORA
DORA authorizes member states to decide on administrative penalties or remedial measures for non-compliance. The Act also allows member states to apply criminal penalties for breaches subject to national criminal law.
Thus, DORA sets possible minimal measures that member states can use to ensure effective implementation of DORA’s guidelines, including issuing public notes and, in some cases, requests to cease any non-compliant activity, temporarily or permanently.
The DORA regulation also empowers ESAs to designate ITC third-party service providers critical for the finance sector and appoint a lead overseer for each critical provider. Lead overseers receive the same authority as competent authorities and can demand remedial measures and penalties from non-compliant ITC providers. DORA authorized lead overseers to impose fines of up to 1% of the ITC provider’s average daily worldwide turnover in the previous year. This fine can be imposed daily for up to 6 months or until compliance is achieved.
How DORA Impacts Financial Entities and Third-Party Providers
Even though the actual standards have yet to be finalized, DORA outlines general requirements and recommendations on how the financial sector should standardize its ICT management practices and security measures.
If you are a third-party ICT provider, such as a cloud service vendor, your initial step should be to determine whether you are considered critical according to Article 31 (Section II). Critical providers fall under DORA’s regulation just like other finance entities.
DORA requires finance institutions to measure the risk of third-party providers and stipulate incident management in the service agreements. So, as a non-critical vendor who works with finance organizations, you will be required to mitigate risks that can potentially impact the finance organization.
Operational Adjustments Required by DORA
DORA emphasizes management responsibility for ICT disruptions and requires financial institutions to develop and maintain a comprehensive framework for mitigating ICT risks. The framework should include the following:
- Defined roles and responsibilities for management and involved personnel
- Regular ICT risk assessment for identifying and monitoring risks across ICT systems, processes and assets
- Ongoing ICT system monitoring for potential threats
- Structured and detailed procedures for preventing, managing and responding to ICT incidents, including incident response and business continuity plans
- Continuous update and enhancement of practices and measures based on incident analysis
- Incident communication protocols for customers and other stakeholders, both external and internal, to ensure transparency and trust during ICT disruptions
- Clear protocols for reporting incidents to regulatory bodies and other relevant entities based on the severity of the incident
Strengthened Risk Management Practices
Along with continuous ICT risk monitoring, DORA enforces regular testing of systems and assets for ICT risk exposure. Finance institutions become responsible for the risks associated with third-party ICT service providers and for dealing with non-compliant providers. Namely, DORA requires finance entities to include provisions for managing ICT risks in their contracts with providers they work with.
The Act emphasizes the importance of prevention strategies, which include testing existing resilience and security measures to identify system and protocol vulnerabilities and post-incident analysis and reporting. DORA also encourages industry-wide learning and event arrangements where financial institutions can share their experience and knowledge.
Enhanced Cybersecurity and Data Protection Standards
DORA recognizes cybersecurity and data protection as the main factors affecting an organization’s operational resilience and requires finance entities to:
- implement security measures like access controls and encryption
- develop business continuity and disaster recovery plans
- use tools for continuous ICT threat monitoring and real-time malware detection
- ensure timely software and hardware updates to mitigate vulnerabilities
- conduct regular vulnerability assessments that include penetration and scenario-based tests
For critical environments and high-risk areas, entities are expected to run periodic advanced testing like red team testing and even be required to participate in industry-wide testing exercises.
- report incidents swiftly to stakeholders and authorities for transparency purposes during incidents and to enable other organizations to learn from incidents
Expert Opinions on the Digital Operational Resilience Act
Insights from Cybersecurity Professionals
“DORA requires finance institutions to develop a proper data security policy and a robust network based on a risk-based approach. Are the practices that the DORA specifies new to the industry? No, they have been there for decades. However, despite the ever-growing risk of cyberattacks like ransomware, some organizations haven’t yet implemented or only partially implemented the most basic security measures,” says Sergei Serdyuk, Vice President at NAKIVO.
Predictions for the Future of DORA
“DORA is paving the way for stronger cybersecurity in the finance industry. And hopefully, over time, this regulation will extend to other sectors as well. With global digitization and AI advancements, more industries and organizations have become subject to cybersecurity risks. In many cases, this doesn’t mean an organization’s individual loss, be it financial or reputational, but an increased risk of industry and cross-industry disruptions due to codependencies between organizations.” —Sergei Serdyuk, Vice President at NAKIVO.
Steps to Ensure DORA Compliance with NAKIVO
DORA gives special attention to backup and replication procedures (Articles 11-12) as they directly affect the company’s service availability, continuity and data security. DORA enforces entities to ensure data transfer security and minimize the risk of data corruption and loss, as well as poor data management practices and human errors.
NAKIVO Backup & Replication is a comprehensive data protection solution that enables you to back up, replicate, configure and automate disaster recovery workflows and monitor workloads from a single web-based interface.
The solution supports virtual, cloud, physical, NAS, SaaS and hybrid environments, which makes it well-placed to help financial entities of different sizes ensure top-notch data protection. The solution seamlessly works with various storage types, including deduplication appliances and NAS devices, public clouds, S3-compatible cloud platforms, and tape, to ensure the level of flexibility required for different business and compliance needs.
Conducting an Initial Compliance Assessment
Perform the gap analysis to identify areas where improvements may be needed to comply with the DORA regulation. Focus on 4 key areas that we mentioned above:
- ICT risk management
- ICT incident management, classification and reporting
- Digital operational resilience testing
- ICT third-party risk management
Developing a DORA Compliance Strategy
When developing a DORA compliance strategy, there should be a yearly roadmap with defined steps, objectives and priorities. The strategy will differ depending on the organization’s IT infrastructure complexity and its current resilience level against digital threats.
DORA requires finance organizations to have appropriate business continuity plans, ICT response and recovery plans and to conduct a business impact assessment (BIA) of their exposure to severe disruptions.
DORA also requires organizations to have at least one remote secondary site (a disaster recovery site) to ensure the continuity of critical business operations when the primary site is down. To minimize downtime and limit disruption or loss, an organization should develop a disaster recovery plan that includes the following:
- The backup and disaster recovery scope based on the importance of software and hardware components and stored data;
- Dependencies between IT components and VM recovery order;
- Recovery objectives (recovery time and recovery point) for each function depending on its importance and overall impact on business operations (this also means that you need to have the recovery point rotation scheme based on the frequency of data updates and its importance);
- Assigned roles and responsibilities for personnel;
- Established hardware requirements for a secondary DR site to ensure sufficient CPU, memory, disk capacity and network bandwidth for a smooth transition.
Navigating DORA Compliance with NAKIVO
The NAKIVO solution’s advanced functionality can help you minimize DORA compliance efforts and automate most cybersecurity-related processes. To help you better navigate through all use cases, we here illustrate how you can address specific DORA security requirements by using the NAKIVO solution:
- Data resilience (Article 9). The NAKIVO solution allows you to easily meet the 3-2-1 backup rule for better data resilience. According to this rule, you need to store at least 3 copies of your backup data in 3 different locations; 2 copies should be offsite and 1 in the cloud.
- Data integrity (Article 12). With app-aware backups and replicas, you can rest assured that application data is consistent even when the backup is performed while the app is running. The solution also supports backups of Oracle DB, Microsoft applications like Active Directory and Exchange Server, as well as Microsoft 365 apps and services (Teams, Exchange Online, SharePoint Online, OneDrive for Business).
- Resilience against ransomware and other cyber threats (Article 9). NAKIVO’s solution enables you to create immutable backups locally, in the cloud or on HYDRAstor devices to ensure that nobody can alter or delete your data. You can also take advantage of air-gaping by sending backup copies to tape or any other detachable storage where cybercriminals can’t access them over the network. The solution also enables you to scan backups for malware before recovery so that you can rest assured that backup data is not infected.
- End-to-end encryption (Article 9). With NAKIVO’s solution, you can encrypt backup data before it leaves the source machine and encrypt the network and backup repositories to ensure your data is secured both in transit and at rest.
- Unauthorized access prevention and strong authentication mechanisms (Article 9). You can protect all backups and data protection workflows with role-based access control and multi-factor authentication.
- Real-time threat monitoring (Article 10). The best way to ensure real-time detection of anomalies is to use comprehensive anti-malware software. However, NAKIVO’s solution has features that can help you enhance threat monitoring. For example, with the IT Monitoring feature for VMware, you can detect issues and suspicious activity before they become a bigger problem. The feature allows real-time monitoring of all performance metrics, including CPU, RAM and disk usage, so you can swiftly notice any unusual consumption.
- Operational resilience against ICT risks and minimal downtime in case of disruptions (Articles 11-12). NAKIVO’s advanced Site Recovery functionality allows you to automate and test site recovery workflows. You can configure automated sequences and trigger them with 1 click during disasters to instantly switch to replicas located at a secondary site.
- Regular testing of DR workflows and protocols (Article 12). To ensure that recovery is smooth and objectives are met during the disaster, you can schedule regular testing of failover and failback workflows in a test mode that doesn’t disrupt your production activities. The testing enables you to check the sequence of actions and verify network connectivity.
Summary
The Digital Operational Resilience Act is a strategic leap toward a more resilient financial sector and secure financial operations. By enforcing the implementation of the best cybersecurity practices and encouraging learning and awareness, the Act helps financial institutions face current threats and future challenges while setting a benchmark for other industries.
Make NAKIVO a part of your journey toward a more resilient ICT system.
