Don't let the January 2025 deadline catch you off guard. Discover how to prepare your organisation for the Digital Operational Resilience Act (DORA) and strengthen your cyber resilience.
In an era where digital operations have become the backbone of the financial sector, the European Union (EU) has taken a significant step to proactively enhance financial institutions' cybersecurity and operational resilience. The Digital Operational Resilience Act, commonly known as DORA, is set to reshape the landscape of risk management and cybersecurity practices across the EU's financial services industry. As the January 17, 2025 deadline approaches, financial institutions are grappling with the complexities of this new regulation and its far-reaching implications.
DORA addresses the increasing frequency and sophistication of cyber incidents targeting the finance sector. Bojan Zdrnja is a SANS Certified Instructor, co-author of SEC542: Web App Penetration Testing and Ethical Hacking, and Chief Technical Officer and penetration team lead at INFIGO IS. “The European Central Bank, which is the main authority over any bank in the EU, noticed that there should be one regulation that helps financial institutions guide their investments in cybersecurity and other important digital aspects”, he says about the genesis of DORA.
Unlike the Network and Information Security (NIS2) Directive, DORA applies uniformly across all EU member states without the need for individual transposition into national law. This harmonised approach aims to create a consistent cybersecurity framework across the EU's financial landscape. As Zdrnja notes, DORA's broad scope and immediate effect make the magnitude of the regulation clear.
Risk Management, Third-Party Providers, and Mandatory Testing
DORA’s implications for financial organisations are profound and multifaceted. At its core, DORA mandates a comprehensive information and communication technology (ICT) risk management framework, which forms the foundation for all other requirements. This comprehensive framework necessitates a thorough understanding and documentation of an organisation's digital assets, services, and interdependencies. “Banks should have clear documentation of how their services depend on other components, correlated to each other. They can have everything up and running, but now they need clear documentation of how their services depend on something else”, Zdrnja says.
Third-Party Risk Management
One of the most significant implications is the heightened focus on third-party risk management. DORA recognises the potential vulnerabilities introduced by the complex web of service providers and suppliers that modern financial institutions rely upon. Organisations must maintain a detailed catalogue of all third-party providers, assess their risks, and develop exit strategies for critical services. “DORA covers that nicely because they hold all parties accountable now. Let’s say you are a front-end third-party provider reselling services. Now, under DORA, the company that actually provides the services will be subject to the regulation as well”.
This level of scrutiny extends to the oversight of critical third-party service providers, including cloud service providers (CSPs), which may now be subject to direct audits by supervisory authorities. “If there is a cloud provider that is part of your critical service, like mobile banking, for example, then this provider is subjected to what DORA calls ‘the Oversight Framework’, which means that there will be a supervisor that can directly audit your critical service provider.”
Resilience Testing
Another key implication is mandatory resilience testing. “DORA now makes that very, very strict. You have to do weekly vulnerability scanning and yearly penetration testing of critical functionality”, says Zdrnja. DORA stipulates specific requirements for security testing. Moreover, it introduces the concept of threat-led penetration testing (TLPT), which must be conducted at least once every three years. Inspired by the TIBER-EU framework, this approach simulates real-world cyber-attacks to test an organisation's detection and response capabilities.
Incident Reporting
“DORA also introduces stringent incident reporting requirements. When an organisation classifies an incident as critical, it must inform its authorities within four hours. That's quite severe. And obviously, the reasoning behind this makes sense because we are talking about a critical incident impacting that particular financial institution and their customers”, Zdrnja notes. This rapid reporting timeline underscores the regulation's emphasis on swift action and transparency in the face of cyber threats.
Challenges of DORA
DORA’s challenges are as significant as its implications. Compliance with DORA is a substantial undertaking for smaller financial institutions or those with less mature cybersecurity practices. “Not every single bank will be able to do this overnight because this will be quite a bit of investment that smaller organisations in particular will struggle with”, Zdrnja points out. “It's a big document, and I already see a lot of banks, insurance companies, and other financial institutions struggle with DORA and even with an understanding of all the requirements”.
One of the primary challenges lies in creating and maintaining the comprehensive documentation required by DORA. Organisations must map out their critical services, understand their dependencies, and document the relationships between the various components of their ICT infrastructure. This level of detail and transparency is unprecedented for many institutions and requires significant time and resources. Zdrnja believes the biggest challenge for organisations will be to “create documentation that describes the dependency of services, figure out which third parties they depend on, and perform a proper risk assessment of those third parties”.
Another major challenge is the potential need to re-evaluate and possibly change third-party relationships based on the risk assessments mandated by DORA. “I wouldn't be surprised if some financial institutions have to change some of their third-party providers. If the third parties cannot mitigate against identified risks, banks or financial institutions will no longer be able to work with them”. For instance, a CSP with inadequate security measures or a payment processor with a history of data breaches might be candidates for re-evaluation. Such changes can be complex and expensive, adding to the overall cost of compliance.
Implementing advanced security testing approaches, particularly TLPT, is another challenge for organisations. Many organisations may lack the internal expertise to conduct such sophisticated tests and must either develop these capabilities in-house or engage external specialists. This requirement incurs additional costs and demands a cultural shift towards a more proactive and adversarial approach to security testing. “Other things, like resilience testing, to be honest, are something they should have been doing for many years. It will require a bit more organisation and management. If your organisation is already at 80 per cent, you’ll need to improve by 20 per cent, which is doable. However, if you're at 20 per cent, it will take a bit more time and effort”.
Relating Frameworks and Regulations
DORA's relationship with existing frameworks and regulations, such as TIBER-EU and NIS2, is an aspect organisations must consider. While DORA incorporates elements of TIBER-EU, particularly in its approach to threat-led penetration testing, it goes beyond TIBER-EU by making these tests mandatory. “They took the TIBER-EU methodology and modified it a little bit, so it's not a 100 per cent copy and paste of the TIBER-EU methodology, but more like 98 per cent”. This means that financial institutions with TIBER-EU experience will have a head start in understanding and implementing DORA.
As for NIS2, while there is some overlap in areas such as risk management and incident reporting, DORA is specifically tailored to the financial sector and introduces more stringent and detailed requirements. However, organisations that have already made progress in complying with NIS2 may find that they have a head start in certain aspects of DORA compliance.
Start Preparing for DORA
Given DORA's complexity and breadth, organisations must prepare well before the 2025 deadline. “Start from the ICT risk management perspective, which is like the foundation of DORA. Go through identification and enumeration of critical services you provide because many other activities are based on these”.
Zdrnja advises organisations to conduct a comprehensive gap analysis as a crucial first step in preparation. This involves comparing the organisation's current practices and capabilities against DORA's requirements to identify areas for improvement. Based on this analysis, you can develop a roadmap for achieving compliance, prioritising the most critical areas and those that require the most time and resources to address.
Developing or enhancing the ICT risk management framework should be a priority, as this forms the basis for many other DORA requirements. This includes creating detailed inventories of digital assets, mapping service dependencies, and establishing robust risk assessment processes. Organisations should also focus on strengthening their third-party risk management practices. This involves assessing the risks associated with current providers, developing strategies for ongoing monitoring, and establishing clear exit plans for critical services.
Another crucial aspect of preparation is implementing or enhancing security testing regimes, which may involve investing in new tools and technologies, developing internal capabilities, or engaging external security testing providers. Organisations should also review and update their incident response plans to meet DORA's strict reporting timelines.
Help in the DORA Compliance Journey
As a global leader in cybersecurity training and certification, SANS Institute is uniquely equipped to assist organisations in their DORA compliance journey. SANS offers a wide range of courses covering the technical skills required for DORA compliance, including risk management, penetration testing, and incident response. These courses help organisations build the internal capabilities needed to meet DORA's requirements and maintain ongoing compliance. SANS can also provide guidance on best practices for implementing the various components of DORA, from establishing effective ICT risk management frameworks to conducting threat-led penetration tests. “I think our expertise can be invaluable in helping organisations navigate the regulation's complexities and develop effective compliance strategies”, Zdrnja says.
As the deadline for DORA compliance approaches, financial institutions across the EU face a significant challenge and an opportunity to enhance their operational resilience and cybersecurity posture. By taking a proactive approach, leveraging expert guidance, and investing in the necessary skills and technologies, organisations can achieve compliance and build a more robust and resilient digital infrastructure for the future.
Unlock essential strategies for achieving cyber resilience in the financial sector with SANS Institute’s DORA Resource Hub. Gain expert insights on DORA and TIBER-EU to protect your organization from evolving threats today.