A digital edge for financial services: Navigating Cybersecurity in the Era of the Digital Operational Resilience Act (DORA)

An Executive summary

As financial institutions grapple with the digital revolution, the Digital Operational Resilience Act (DORA) is emerging as a game-changing legislative framework mandated by the European Union (EU). With cyber threats looming large, DORA aims to strengthen operational resilience in the financial sector, requiring a fundamental shift in cybersecurity governance.

To thrive in this new landscape, financial organizations must adopt a top-down approach to cybersecurity, with board-level From smoke signals and carrier pigeons to high-tech devices and networks, like the telephone, internet, and Global System for Mobile Communications (GSM)/2G, the communication journey has come a long way. at the forefront. In addition, proactive threat mitigation, robust risk management frameworks, and diligent third-party risk management are essential to DORA compliance.

As DORA gears up for full implementation by January 17, 2025, download our point of view to learn about the essential cybersecurity elements mandated by DORA and the necessary steps financial organizations must take to ensure compliance.

INTRODUCTION

In an era dominated by digital transformation, the financial sector faces a dual challenge: embracing technological innovation while countering sophisticated cyber threats.

On September 24, 2020, the European Commission adopted the 2020 Digital Finance Package*, consisting of a digital finance strategy and legislative proposals on crypto-assets and digital resilience, for a competitive EU financial sector that gives consumers access to innovative financial products, while ensuring consumer protection and financial stability. From this Digital Finance package, the Digital Operational Resilience Act (DORA) emerges as a pivotal legislative framework introduced by the European Union (EU).

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) solves an important problem in the EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk primarily through the allocation of capital, but they did not manage all components of operational resilience. Under DORA, they must now comply with rules on protection, detection, containment, recovery, and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardize the soundness of the entire financial system, even if there is “adequate” capital for the traditional risk categories.

By setting a comprehensive set of cybersecurity requirements DORA aims to consolidate and elevate previous risk requirements across various regulations. These new standards aim to manage cyber risks, streamline incident reporting, implement resilience testing, monitor third-party risks, and facilitate information sharing to enhance the operational resilience of financial entities within the EU.

For the first time, it applies not only for financial institutions settled in European Member States but also for their (critical) ICT providers and suppliers, in line with the 2022 NIS2 Directive. As DORA gears up for full implementation by January 17, 2025, this article explores the essential cybersecurity elements mandated by DORA and the necessary steps financial organizations must take to ensure compliance.

1. Set a “top-down” mandate for your Cybersecurity Governance

Cybersecurity governance plays an essential role in shaping an organization’s security stance. DORA requires the creation of strong governance frameworks tailored to comprehensively address ICT risks. This includes defining clear policies, roles, and responsibilities and integrating cybersecurity into all departments of the organization. These frameworks facilitate informed decision-making, proactive and continuous risk management, and compliance.

Board-level involvement is crucial to ensure that cybersecurity initiatives are closely aligned with broader business objectives and to foster a culture of security awareness across the organization. Their oversight extends beyond the CISO’s office, including strategic direction, risk management, policy development, resource allocation, incident response, and regulatory compliance.

Under DORA, the Board of Directors is personally liable for cybersecurity governance and risk management, including all aspects such as reporting, testing and other necessary measures. This requires a comprehensive understanding of cyber threats to inform decision-making. Moreover, they define and approve the organization’s risk management framework, including third-party strategy, emphasizing the importance of informed decision-making to address emerging cyber threats effectively.

Security awareness of the board plays a key role in this regard, especially considering the potential financial and administrative penalties outlined in DORA, which can include fines, operational restrictions, or even the revocation of licenses or permits.

2. Be proactive with threat mitigation thanks to a robust cyber risk management framework

Organizations must systematically identify, assess, and prioritize cyber risks, aligning with DORA’s requirements. This involves a comprehensive understanding of the ever-changing threat landscape. By staying up-to-date on emerging threats and vulnerabilities, organizations can allocate their resources effectively, ensuring that they are directed towards the most critical areas of risk mitigation.

However, ensuring that this information reaches the right audience and management levels across the organization is equally vital. Often enough, advanced cyber threat intelligence is gathered but not effectively communicated or translated into actionable advice for key stakeholders, such as board members. This proactive approach not only helps in safeguarding sensitive data and maintaining operational resilience but also plays a crucial role in maintaining the trust of stakeholders, including customers, partners, supervisors, and regulatory bodies.

There are several frameworks and standards available to help define and implement a cyber risk management framework. Organizations often turn to internationally recognized standards such as ISO 31000, COBIT5 framework, or the NIST Cybersecurity Framework, which provide guidance in cybersecurity risk management.

Many organizations within the financial sector already have some form of risk management framework in place, often incorporating national good practices, such as those outlined by De Nederlandsche Bank (DNB). However, these good practices will need to align with the stricter requirements introduced by DORA to ensure compliance and enhance cybersecurity governance within the financial sector. By taking a proactive stance on cybersecurity, organizations can effectively strengthen their resilience against potential threats and demonstrate their commitment to safeguarding critical assets and maintaining operational resilience.

3. Secure your digital supply chain by maintaining visibility into your third-party risks and dependencies

In today’s interconnected business environment, the reliance on ICT third-party service providers (ICT TPP) exposes organizations to significant cybersecurity risks. According to a study by ENISA, more than 60% of cyber incidents are caused by supply chain attacks. A supply chain attack is a type of cyberattack that targets both a trusted ICT TPP that provides services or software and its customers across the supply chain. Organizations must extend their security measures beyond internal systems and encompass the entire ICT supply chain, to be able to protect their data.

The risk of ICT TPPs should be reflected in contractually agreed security measures, including the necessary exit strategies when agreements are not met. Furthermore, it is essential ICT TPPs are assessed on their risk before they are contracted and continuously monitored throughout the business relationship to assess their security practices. By proactively managing the risks that ICT TPP may cause, organizations are able to fortify their defenses against potential threats originating from ICT third-party vulnerabilities, safeguarding their assets, reputation, and operational continuity.

Certain ICT TPPs are designated as “critical” (CTTP), requiring direct oversight by EU financial authorities. Designating CTTPs involves a careful examination of their role in the ICT supply chain and how their services could affect the organization’s operations and security. Thorough risk assessments, considering service importance, data access, and potential disruptions, enable effective resource allocation and implementation of targeted security measures.

DORA requires organizations to keep track of all their CTTPs in a register, that must be shared with the local European Supervisory Authority (ESA). This register includes the classification of vendors or suppliers, the services provided, and their importance to the organization’s primary processes. Any new ICT TPP arrangements must be reported to the appropriate authority on a annual basis.

4. Be and stay resilient to maximize your recovery from a cyber disruption

While traditional cybersecurity measures focus primarily on defending against cyber threats, DORA emphasizes the importance of resilience—the ability to recover swiftly and effectively from cyber disruptions, crucial in the face of the evolving threats. In line with DORA’s requirements, organizations are urged to prioritize strategies to prevent and mitigate cyberattacks, shifting focus from impenetrability to resilience, thus building robust mechanisms to minimize damage and downtime during crises.

DORA outlines specific measures that financial institutions must take to enhance their cyber resilience:

• Establish and regularly update data backup procedures to ensure the availability and integrity of critical information in the event of a cyber disruption.
• Develop and implement ICT disaster response plans and business continuity plans that outline procedures for responding to cyber disruptions and ensuring the continuity of operations. These should be periodically reviewed & actualized, completed, and regularly tested in various ways to be well prepared for future contingencies.
• Continuous employee training initiatives to build cyber resilience.

By adopting the proactive approach to cyber resilience, organizations can not only minimize potential disruptions to their operations but also reinforce their ability to maintain operational continuity and protect sensitive data. By prioritizing cyber resilience, organizations not only fortify their defenses against potential breaches but also cultivate a culture of preparedness and responsiveness. In doing so, they not only mitigate risks but also position themselves as trusted custodians of data and stewards of digital trust.

5. Coordinate your plan to respond to a cybersecurity incident

An organized and systematic approach to managing the aftermath of a major ICT related (or security or operational payment-related) incident is essential under DORA.

Organizations must have a tailored incident response plan in place to swiftly detect and respond to incidents, while mitigating the impact on operations and reputation. This includes technical remediation efforts, communication strategies, and legal considerations. By coordinating these response efforts effectively, organizations can promptly contain and eradicate threats, thus facilitating a smoother recovery process. Additionally, national CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team) provide vital operational support to help organizations fight cyberthreats. They offer guidance, threat intelligence sharing, forensic investigation assistance, and facilitate collaboration with other entities and government agencies to strengthen overall cyber resilience.

Under DORA, organizations are required to report major ICT related incidents to relevant competent authorities. An initial notification should be reported within one business day, an intermediate report within a week after the first notification, and a final report when the root-cause analysis has been completed, no later than one month.

To determine what is considered as a major ICT related incident, the Joint Committee of the European Supervisory Authorities has provided further guidance on the criteria for classifying ICT-related incidents. In their report, which was published on January 17^th 2024, they stated that ICT incidents can be categorized into three layers:

• Layer 1: To determine if an incident affects critical services.
• Layer 2: To determine if the incident is the result of a successful malicious intrusion.
• Layer 3: To determine whether the incident impacts at least two out of the following six criteria:
• Number of clients affected
• Amount of data loss affected
• Reputational impact
• Duration and service downtime
• Geographical spread
• Economic impact

Under DORA, an ICT incident is classified as major when Layer 1 is applicable in combination with either Layer 2 or 3, and therefore should be reported to the authority accordingly. In addition, clients and users must be informed if they are victimized and within a timely manner. This means that all employees throughout the organization should be aware of their responsibility to report incidents accordingly and in a timely manner.

6. Regularly test your defense capabilities to address vulnerabilities

Operational resilience testing assesses an organization’s ability to maintain critical functions during and after a cyber incident. This involves various exercises such as scenario-based simulations, penetration testing, and simulated cyber-attacks to identify vulnerabilities. By subjecting defences to rigorous stress-testing, organizations pinpoint areas for improvement, ensuring their cybersecurity measures remain robust and adaptable, effectively mitigating the evolving landscape of cyber threats.

These operational resilience tests consist of vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, or penetration testing.

Furthermore, it’s important that resilience tests are performed by independent parties. While vulnerability assessments are usually done on a continuous basis, threat-driven penetration tests can be caried out every three years. Maintaining operational resilience is crucial for organizations, and these efforts align with the requirements outlined in the EU Cyber Resilience Act.

7. Foster information sharing across borders

As the 2025 deadline approaches, financial institutions face a pivotal moment.  They must align their cybersecurity strategies with DORA’s mandates while maneuvering through a complex network of European cybersecurity regulations, including the Critical Entities Resilience Act, focusing on physical security, the Cyber Resilience Act, addressing connected devices, and the Cybersecurity Act, governing ICT products, processes, and services. In anticipation of ongoing regulatory adjustments, organizations must move beyond initial compliance efforts, remaining vigilant as the Joint European Authorities will release multiple sets of criteria expected to offer additional clarity and specificity on the operational resilience requirements outlined in DORA.

Looking ahead, financial institutions must see cybersecurity compliance as an integral part to their business strategy and risk management, not just a checklist item. Collaborating with experts, engaging in sector dialogues, and monitoring emerging threats are crucial. Taking proactive steps will ensure compliance with regulations like DORA, enhancing resilience in the digital landscape and safeguarding assets and reputation.

Capgemini guides organizations within financial services in their journey towards DORA compliance. Interested to know more?