
Helping the EU’s financial sector comply with the Digital Operational Resilience Act (DORA)

Rahul Rauniyar & Marieke Van De Putte
23 Jan 2024

The European finance sector is heavily digitized and IT dependent, relying on digital technologies to drive significant advancements and foster innovation. However, this IT dependence and rapid digitization are also expanding the potential cyberattack surface area. As a result, banks, insurance companies, investment firms, and other financial-services providers (FSPs) have been forced to enhance their cybersecurity measures, vigilantly monitoring their online ecosystems to protect them against evolving threats.

Currently, cyberattacks are doubling each year, emphasizing the importance of cybersecurity across your IT landscape. According to Check Point’s global reporting, the financial sector experienced a 52% increase in weekly cyberattacks in 2022 compared with the previous year. A regional breakdown also revealed that cyberattacks across all sectors in Europe surged by 26% between 2021 and 2022.

As best-practice guidance to mitigate attacks, many European countries have been developing their own information security standards, such as the Good Practice Information Security document in the Netherlands, the Supervisory Requirements for IT in Financial Institutions (BAIT) in Germany, and the Financial Crime Guide (FCG) in the UK. Despite many proactive measures such as these, it is concerning to observe that cybercrime continues to show an upward trend.

Introducing DORA

The European Union (EU) has responded to the cybercrime acceleration in the financial sector by rolling out a new European standard for IT security called the Digital Operational Resilience Act (DORA). DORA introduces a framework for information security that applies to financial businesses operating within EU-member states, requiring them to maintain a high level of resilience. According to the EU council, this resilience ensures companies can “withstand, respond to, and recover from all types of Information and Communication Technology (ICT)-related disruptions and threats” in a way that safeguards business continuity and economic interests while protecting customers.

The act is not limited to FSPs – such as European banks and subsidiaries of foreign banks in Europe – operating in EU member countries. It also extends to the third-party technology partners these FSPs work with, for example, data-reporting consultancies or cloud service providers, amongst others. If your business falls under any of these categories, it’s crucial that you ensure it is DORA-compliant by January 2025 to avoid potential fines. This gives you exactly a year to make the necessary preparations.

Key steps for your business’s DORA compliance

At its core, DORA is focused on mitigating cyberattacks. This is achieved by establishing standardized requirements for managing ICT risk, reporting ICT incidents, vetting the ICT risk of third parties, testing digital-operations resilience, and sharing information.

ICT Incident Reporting encompasses the actions you’ll take to enable ‘business as usual’ in the face of disruption. It’s a process that monitors, records, categorizes, prioritizes, communicates, and addresses incidents. It covers areas like communications plans for keeping staff informed, your business’s backup strategy, and incident-response planning. Meanwhile, Digital Operational Resilience tests should be regular and conducted by an impartial third party, providing you with the latest insights into your company’s vulnerabilities. They put your organization’s threat-detection capabilities to the test. By identifying vulnerabilities, you’ll be better placed to enhance your incident-response planning.

ICT Risk Management involves the documentation of how your company runs business-critical operations, and the digital infrastructure that supports these operations. Establishing frameworks and processes for identification, classification, and mitigation of ICT risks, and creating action plans and recovery strategies to address these risks fall under this area.

Questions you might ask include which individuals are involved in each step of a process, what access control is in place for these staff, and which technologies are leveraged – from multifactor authentication (MFA) and virtual private networking (VPN), to remote desktop protocol (RDP) and endpoint detection and response (EDR). Detailed operations mapping is crucial if you are to gain insights into vulnerabilities and their potential impact in the event of a cyberattack.

Your business will also need to understand its own risk profile by establishing a framework for classification, documentation, and reporting of cyber threats. Third-party ICT risk assessment is one of the most challenging areas: it means assessing the ICT providers your business collaborates with. Contracts with these external vendors need to be regularly reviewed to ensure these providers are DORA-compliant. You’ll need a risk strategy, too, for mitigating the potential knock-on effects on your business of breaches experienced by third parties.

Finally, FSPs must establish processes for deriving lessons from both internal and external ICT-related incidents. DORA promotes participation in voluntary threat-intelligence-sharing agreements.

Supporting FSPs on their compliance journey

DORA compliance may seem deceptively simple, considering there are only five core areas to focus on – but, as always, the devil is in the details. The reality is that understanding the gaps in your existing digital-security landscape will require expertise in both compliance regulation and technical cybersecurity. This is because each FSP has a unique security landscape at various maturity levels depending on what measures are already implemented, meaning that the compliance process won’t be a one-size-fits-all solution.

Dual-specialty expertise is part of Capgemini’s DORA compliance offering. As a DORA-compliant company, we offer an end-to-end solution for FSPs aiming to meet the act’s requirements. Capgemini’s approach respects the fact that your business won’t be starting compliance from scratch – your organization may have some of the necessary security measures already in place. By assessing your organization’s current state, Capgemini can recommend a tailored, modular solution. This is a more cost-effective way to ensure you are tackling identified areas of vulnerability by building on your existing cybersecurity efforts. Once your risk profile is mapped, Capgemini can craft suitable remediation, response, and mitigation plans to help you prioritize actions and prepare you for worst-case scenarios with confidence.

Capgemini’s team can also assist with third-party vetting and the execution of vulnerability tests, both of which require ongoing attention. In fact, it’s important to recognize that meeting DORA requirements is a continuously evolving process rather than a one-off task. This is why part of the customized solution is to implement secure automated systems for continuous threat monitoring that enable active, real-time responses to potential security issues.

Automation comes in many forms. For instance, Security Information and Event Management (SIEM) solutions can help FSPs speed up collection and analysis of security data from various sources, enabling rapid identification of anomalies or threats. Automated incident response systems are valuable, too, as are automated penetration-testing tools that accelerate and broaden the testing scope to maintain your organization’s security posture. Automated patch management systems are vital as they ensure that the latest security updates are applied consistently across the IT landscape. To strengthen access authorization and change management, automation through an AI-led Identity and Access Management (IAM) solution gives your business better control so you can monitor user access to critical systems. Configuration management tools also offer an automated way for FSPs to maintain records of system configurations, making it easier to track changes and ensure compliance with DORA requirements.

Regulatory compliance plays a pivotal role in the success of organizations in the financial sector, which is why so many FSPs actively seek expert guidance and are keen to adopt AI-led automated tools. The key lies in selecting a DORA-compliant service provider who not only assists in meeting the initial compliance requirements but also empowers you with a comprehensive roadmap for resilience and the essential technology infrastructure to sustain and enhance it.


Author

Rahul Rauniyar

DORA Offer Lead for Capgemini and Workstream Lead Netherlands – Security, Risk and Compliance Management
Specialized in strengthening digital security and ensuring IT regulatory compliance within the financial services industry.

Marieke Van De Putte

Global Domain Lead Cyber Compliance | SAP & Cyber | NL Service Line Lead Security & Compliance
Specialized in developing practical approaches to security, risk and compliance, and applying automation possibilities. Contributing our team’s expertise to digital transformation projects, like IT outsourcing and cloud migration.