Understanding the Digital Operational Resilience Act (DORA)

Navigating the ever-evolving landscape of IT regulations presents a significant challenge for organizations, especially in the financial sector. With the rapid pace of technological advancements and the increasing sophistication of cyber threats, regulatory frameworks are becoming more stringent and complex. Compliance requires substantial investments in technology, continuous monitoring, and rigorous risk management practices. Starting January 17, 2025, compliance with the newly enacted Digital Operational Resilience Act (DORA) will become mandatory for financial institutions that operate business within Europe. Here’s an overview of this groundbreaking regulation and how you can start preparing today.

Introduction from Marla Crawford, General Counsel, Cimplifi and Executive Advisor to Calamu

Cybersecurity is the bedrock for just about everything today. It's square one - if you don't have your cyber-health, you don't have anything. For the most regulated sectors, various legislation around the world is aimed at securing the data of companies critical to the global economy.  Financial institutions in particular are scrutinized by governments to ensure that their data is protected from threats. The European Union is once again in the forefront of cyber regulation with the DORA regulation that goes into effect early in 2025. Financials are ramping up their efforts implementing contract analytics and other measures to determine where their third party risks lie and evaluating their providers' cybersecurity protocols.

The Calamu Data Harbor is exactly the type of protection that companies are looking for to give themselves assurance that their partners meet these new standards. Calamu's solution provides an environment where data can be rendered unhackable with the parallel promise of accessibility. The regulations in this space will inevitably continue to explode and regulated companies are going to insist upon doing business with partners who get cybersecurity compliance right and innovate in safeguarding their sensitive data.

- Marla Crawford, General Counsel, Cimplifi  

What is DORA?

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation designed to enhance the security of information and communication technology (ICT) for financial institutions and their suppliers. Published in December 2022, the regulation took effect on January 16, 2023, and mandates that all European financial institutions achieve compliance by January 17, 2025.

Goals of DORA

1. Comprehensive ICT Risk Management: DORA aims to address ICT risk management holistically, ensuring that financial institutions adopt robust measures to mitigate and manage risks associated with digital operations.

2. Strengthening ICT Governance: The regulation emphasizes the importance of governance, holding executive management personally responsible for ICT risks.

3. Enhancing Resilience: DORA mandates the establishment of business continuity and disaster recovery plans to ensure that financial institutions can maintain operational resilience in the face of disruptions.

4. Improving Incident Response: Institutions are required to maintain detailed logs of ICT-related incidents and follow a structured incident reporting process.

DORA’s Impact on US Businesses

DORA will have a significant impact on US businesses that offer financial services in the EU or provide services to EU financial services companies, requiring them to comply with DORA’s requirements to continue operating within the EU financial sector.

Even for those organizations not operating in the EU, It is essential for US firms to prepare for regulations like the Digital Operational Resilience Act (DORA). As the global emphasis on cybersecurity and digital resilience intensifies, it is likely that similar regulatory standards will be adopted by the US and other territories. By proactively aligning their operations with these standards, US businesses can stay ahead of potential regulatory changes, ensuring they are not caught unprepared. This not only mitigates the risk of non-compliance but also positions them as industry leaders in cybersecurity, ready to meet the highest standards of digital resilience.

Key Requirements of DORA

ICT Risk Management and Governance

• Executive Accountability: Senior management can be held personally responsible for ICT risks, emphasizing the need for top-level commitment to cybersecurity.

• Critical Asset Classification: Institutions must classify their critical assets, identify dependencies, and document mitigation steps.

• Business Continuity Plans: Establish robust business continuity and disaster recovery plans to ensure resilience against disruptions.

Incident Response and Reporting

• Incident Logs: Maintain comprehensive logs of all ICT-related incidents.

• Structured Reporting: File three types of incident reports - an initial notification to authorities, an intermediate report on progress, and a final report analyzing the root cause. The definition of what constitutes a critical incident is expected soon.

Digital Operational Resilience Testing

• Annual Tests: Conduct annual tests including vulnerability assessments and scenario-based tests.

• Threat-Led Penetration Testing: Critical institutions must undergo threat-led penetration testing (TLPT) every three years.

Third-Party Risk Management

• ICT Provider Oversight: DORA applies to ICT providers servicing the financial sector. Financial firms are expected to actively review vendor audits, performance targets, and the integrity and security of their services. While this may be a daunting process, there is significant opportunity for those vendors that can prove their commitment.  See below for more.

• Dependency Mapping: Map dependencies and decentralize important functions to reduce risks.

Information Sharing

• Threat Intelligence: While not mandatory, DORA encourages voluntary sharing of threat intelligence to enhance collective security.

Opportunity Through Compliance

For businesses that embrace these changes, particularly for the vendors that service the financial sector, there are considerable opportunities. Adhering to stringent IT regulations not only safeguards the organization but also enhances its reputation, instilling greater trust among clients and stakeholders. Companies that prioritize compliance can differentiate themselves as leaders in security and resilience, potentially attracting more customers who value robust protection for their assets. Furthermore, the broader community benefits when businesses maintain high security standards, as it fosters a safer and more stable digital environment, reducing the risk of widespread disruptions and data breaches. By committing to regulatory compliance, businesses play a crucial role in enhancing the overall security and resilience of the digital ecosystem.

Preparing for DORA 

To ensure compliance with the Digital Operational Resilience Act (DORA) and enhance their overall cybersecurity posture, businesses should focus on three key steps.

1. Critical asset audit:  First, conducting a thorough critical asset audit is essential. This involves identifying and classifying vital digital assets, understanding their dependencies, and implementing robust measures to protect them. We discussed how to prioritize and classify data and other workloads in a recent webinar:  Zero Doubt Strategies for Cyber Recovery.

2. Resilience testing: Second, resilience testing should be a priority, including regular vulnerability assessments, scenario-based tests, and threat-led penetration testing (TLPT) for critical systems. These tests help identify weaknesses and ensure that systems can withstand and recover from potential disruptions. Calamu’s Data Harbor solution is uniquely built to boost resilience. Through groundbreaking data geo-dispursion technology, the Data Harbor absorbs ransomware and other cyberattacks to keep businesses running while ensuring no lost or stolen data and no downtime. 

   
   

   Learn more about how the Data Harbor boosts resilience.

3. Reduce Third Party Risk: Lastly, decentralizing reliance on third-party systems is crucial. By mapping dependencies and reducing over-reliance on any single provider, businesses can mitigate risks and ensure continuity even if a third-party system fails.

   The Calamu Data Harbor addresses this risk by supporting a multi-cloud infrastructure, sending encrypted data fragments to multiple cloud providers, which significantly reduces the risk of data exposure from a cloud breach.

   Learn more about the Data Harbor’s multi-cloud architecture.

We Can Help!

Join us for a monthly product briefing or schedule a one-on-one demo to see how the Calamu Data Harbor can help you prepare for regulations such as DORA.