
DORA Compliance Guide: The Road to Building Digital Operational Resilience


Introduction

The European Union implemented the Digital Operational Resilience Act (DORA) in 2022 with the objective of strengthening operational resilience in the financial sector in the region. DORA aims to create a comprehensive framework for managing and mitigating the digital or ICT risks facing financial organizations. It includes specific standardized requirements for all EU states and third-party providers ranging from cloud platforms to data analytics and audit services. 

As organizations prepare for DORA compliance by January 2025, MetricStream, in association with Deloitte, hosted a webinar that delved into the nuances of the legislation, highlighting how it can strengthen digital operational resilience and impact business. 

The panel of speakers included: 

  • Viktor Paggio, Manager, Risk Advisory (Cyber and Strategic Risk), Deloitte Czech Republic
  • Jakub Ptáčník, Manager, Risk Advisory (Cyber and Strategic Risk), Deloitte Czech Republic
  • Martin Antoš, Manager, Risk Advisory (Cyber and Strategic Risk), Deloitte Czech Republic
  • Markus Priller, Director, Risk Advisory (Regulatory and Legal Support, Financial Services), Deloitte Germany 
  • Richard Rivett, Market Development, MetricStream Europe

The panel of experienced practitioners discussed the key pillars of DORA, the importance of third-party risk in DORA compliance, and how to prepare for DORA compliance. Read on for the key highlights of their engaging discussion. Want to hear the original in its entirety? 

Watch now: Preparing for DORA: Fortifying Operational Resilience in Financial Landscapes

The Five Pillars of DORA

Like most legislation, DORA is complex and detailed, with multiple requirements, but broadly it outlines five key functional areas or pillars: 

  • ICT Risk Management Framework – Although DORA uses different risk management terminology, at its core it is aligned to ISO 27000 and requires organizations to map out their business functions, assets, hardware, and software, as well as their interdependencies. They have to set up a comprehensive information security management system (ISMS), plan for contingencies, and manage risks effectively.
  • ICT Incident Management – This requires organizations to manage the entire lifecycle of an ICT incident. They must have early warning thresholds that can monitor the environment and detect anomalies. Once anomalies are detected, they have to be classified. DORA provides guidelines on how to classify major incidents and report them to local DORA authorities.
  • Digital Operational Resilience Testing – Organizations must carry out independent testing, with a wide range of tests including threat penetration tests. Most financial institutions carry out some level of penetration testing or cybersecurity testing, but DORA mandates the entire gamut of resilience testing. It also requires organizations to carry out testing on live environments, which is not commonly done within the industry.
  • ICT Third-Party Risk Management – Third-party risk is a significant concern for regulators and organizations alike, and DORA includes third-party risk management as one of its fundamental pillars. This includes establishing a third-party register and including security clauses in the contract itself, and it covers concentration risk as well.
  • Threat Intel and Sharing – DORA is not specific about which risks are to be shared, but it requires organizations to share technical intelligence on indicators of compromise (IOCs), blacklisted IPs, and malware, as well as specific threats such as phishing campaigns and patterns and fake identities. The banking industry has specialized cyber security groups within national associations where information on cyber risks and threats is shared voluntarily. DORA will help the sector continue and fine-tune this larger initiative in the long run.

Deep Dive into DORA’s Focus on Third-Party Risk

DORA puts the spotlight on third-party risk mitigation in an increasingly interconnected world, where a breach in a connected third-party system can immediately impact the organization as well. The challenge is compounded by the fact that most organizations today work with a large network of technology providers and partners. DORA aims to regulate the kind of vendors organizations work with, their risk awareness, and the processes they should have in place to prevent breaches. Any part of the financial organization’s business that is supported by a third-party vendor is subject to DORA. The legislation requires organizations to define third-party ICT risks and to set them out in the contract. Third-party providers will be monitored by the European supervisory authorities at a pan-European scale. DORA establishes an oversight framework to monitor and enforce compliance, including a lead overseer for major ICT service providers. Articles 28, 29, and 30 pertain to third-party risks:

Article 28 – General Requirements

This defines how organizations must manage their ICT third-party providers. Few European financial organizations currently have third-party risk management processes at this level of detail. It mandates:

  • Management of third-party risks
  • Periodic reviews of its strategy for managing ICT third-party risks
  • Managing and updating a register of information
    • Many organizations have basic vendor lists, but DORA requires them to go a few steps deeper, maintaining extensive data about each ICT third-party provider
    • Collect and maintain information about subcontractors

Article 29 – Preliminary Assessment of ICT concentration risk at entity level

The requirements under this Article are new for most financial institutions in the EU.

  • Consideration of a risk of ICT concentration
  • Due consideration of the provisions of the insolvency law
  • Consideration of compliance with Union data protection rules and effective law enforcement in the third country

Article 30 – Main Contractual Provisions

DORA stresses the importance of contractual provisions with vendors for ICT risk management. 

  • Clear separation and written anchoring of the rights and obligations of the financial entity and the third-party ICT service provider
  • A full contract, including service level agreements, executed in one written document that must be available on paper or in a downloadable, durable, and accessible format
  • Specification of the elements that comprise the contractual arrangements for the use of ICT services.

Preparing for DORA Compliance

DORA has been designed in sync with global regulatory initiatives to enhance an organization’s ability to establish, maintain, and verify its resilience, and to ensure integrity. Of course, there are already several regulations pertaining to risk management and digital operational resilience, but DORA presents enormous depth, breadth, and scale of impact. It necessitates a deep dive into the full extent of its provisions, as they will require robust infrastructure and compute capabilities. Many organizations may need to first transform their legacy and siloed infrastructure to prepare for DORA. For example, the requirements on incidents and testing include a detailed framework on how to classify and report severe incidents. These reports need to be prepared within a very short timeframe. Organizations need an integrated information landscape that can make the relevant data available quickly for incident reporting within the specified timeframes.

There are some discussions around proportionality or the reduction of regulatory effort. But the truth is that implementing DORA’s requirements may prove to be challenging for many organizations. They must act proactively. Understanding preceding regulations and prioritizing regulatory compliance efforts are essential steps in navigating the complexities of DORA.

Organizations across the EU have already started laying the groundwork for DORA compliance. For example, a leading financial services insurance provider was operating with legacy siloed infrastructure with little to no integration between different systems. As a result, the organization was facing inconsistent processes and methodologies, poor data quality, and reporting delays, with quarterly reports taking up to four months to prepare. While the organization initially approached MetricStream to boost its operational resilience, the requirement soon expanded to include DORA compliance. It sought to revamp its governance, risk, and compliance (GRC) platform, laying the groundwork for comprehensive operational and digital resilience, ICT risk management, and regulatory compliance. Most importantly, it aimed to make DORA awareness a company-wide initiative. It recognized that ICT risk management can no longer be confined to a GRC function and requires active awareness and action from those on the front lines for effective management. MetricStream opted to deploy a phased implementation strategy to ensure continuity in day-to-day operations while integrating DORA compliance measures. This approach helped to streamline processes, enhance data integrity, and foster collaboration across departments. The phased implementation also allowed for continuous improvement, aligning with the evolving requirements of DORA and other regulatory standards.

Start Your DORA Compliance Journey with MetricStream

MetricStream can help organizations prepare for and comply with DORA by integrating diverse touchpoints across the organization. Enterprise regulatory compliance involves key elements that sit outside the traditional GRC system. These include the infrastructure, threat and vulnerability assessment, content or control frameworks, the CMDB that manages all important assets across the enterprise landscape, and the ratings agencies or external assessments that provide valuable insight into the supply chain. Data is spread across the entirety of this ecosystem and must be aligned with and integrated across all disciplines.

MetricStream’s CyberGRC product ensures effective collation, management, and utilization of enterprise data, followed by accurate measurement and reporting. It provides a single-pane-of-glass view into risk data for unified reporting across all five pillars. Additionally, your organization can ensure DORA compliance with CyberGRC, which helps:

  • Provide built-in frameworks, strong policy management, and ongoing controls monitoring
  • Identify, track, log, categorize, and classify ICT-related incidents according to the priority, severity, and criticality of services and initiate automated processes for investigation and remediation
  • Ensure rapid disclosure with a comprehensive risk register, incident reporting, third-party management, and archiving of incidents and actions taken
  • Create, maintain, and execute BCP & DR plans using built-in templates and workflows
  • Automate BCP testing to obtain real-time status updates
  • Identify and promptly eliminate/mitigate risks with pre-configured remediation measures and actions 
  • Ensure contract compliance and sound monitoring of risks emanating from ICT third-party providers 
  • Configure and automate risk monitoring of third-party providers with built-in control libraries and automated risk assessments and obtain detailed status and performance reports including contract compliance

Digital operational resilience in the face of a continuously evolving and intensifying threat landscape is critical today. DORA provides a comprehensive framework for enterprises to build the required resilience and fortify their operations against threats and disruptions. Compliance is mandatory, but organizations have to focus on building a unified view into their data and infrastructure to meet DORA requirements. Partnering with MetricStream can help your organization enhance data integrity, streamline operations, improve risk management, and deliver a cohesive compliance strategy that can ease the enterprise journey to DORA compliance.

To learn more about how MetricStream can help with DORA compliance, request a personalized demo today!


Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and as the owner of a sustainable fashion brand. She has lived on 3 different continents and has travelled to over 50 countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.