DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a European Union (EU) law that updates and harmonizes the rules on the security of network and information systems of financial entities, such as banks, insurance companies and investment firms. It applies to a wide range of EU-regulated financial entities and requires them to withstand, respond to and recover from any disruption or threat involving information and communication technologies (ICT). In addition to financial entities, DORA also applies to ICT third-party service providers designated as critical, which provide ICT services to those entities. It has applied since 17 January 2025.
This page breaks DORA's five foundational pillars into actionable steps for small financial entities.
Pillar 1: ICT Risk Management & Governance
This pillar focuses on proactive and continuous management of all ICT-related risks. EU financial entities are required to have a comprehensive framework to identify, assess, and mitigate threats. This framework is formalized through the entity's strategies, policies, procedures, and ICT tools.
Governance and Accountability: The management body (e.g., the board, executive leadership) is ultimately responsible for defining, approving, and overseeing the ICT risk management framework.
Proactive Risk Assessment: Organizations must regularly conduct risk assessments to identify, classify, and document all ICT-supported business functions, assets, and dependencies.
Protection and Prevention: The framework must include measures to protect against and limit the impact of ICT incidents, including policies that preserve the availability, authenticity, integrity, and confidentiality of the entity's data.
Detection and Response: Entities must establish protective mechanisms to identify anomalous or suspicious activities, supported by well-defined procedures for incident response and recovery. The objective is to ensure timely detection, effective containment, and remediation of incidents, minimizing operational impact and safeguarding critical services.
Continuous Improvement: Establish a comprehensive ICT incident management framework that includes post-incident reviews, maintained audit trails, mandatory staff training on security obligations, and timely regulatory reporting of major incidents (the initial notification is due within four hours of classifying an incident as major, and no later than 24 hours after becoming aware of it).
Pillar 2: Incident Management
This pillar aims to standardize and streamline the process of reporting major ICT-related incidents to the relevant authorities. EU financial entities are required to establish a robust ICT incident management process capable of detecting, managing, recording, and reporting all ICT-related incidents, not only those that meet the reporting threshold.
Incident Management Process: Financial entities must have a process in place to identify, track, log, and classify ICT incidents based on their priority and severity.
Timely Notifications: Major ICT-related incidents must be reported to the relevant competent authority in a timely and structured manner, following the initial, intermediate and final report sequence DORA prescribes; significant cyber threats may be reported voluntarily.
Standardized Reporting: DORA mandates the use of standardized reporting templates so that the information supplied is consistent across entities.
Internal and External Communication: Entities must establish clear communication plans for staff, external stakeholders, and clients to manage the impact of an incident.
Lessons Learned: Following an incident, a review must be conducted to analyze its causes and identify improvements to prevent recurrence.
Pillar 3: Digital Operational Resilience Testing
Digital operational resilience testing is a critical component of DORA, aimed at ensuring that an entity's digital systems can withstand cyber threats and quickly recover from disruptions.
Note: A key distinction is that the most advanced form of testing, Threat-Led Penetration Testing (TLPT), is required only of financial entities identified by their competent authority as significant, and is conducted at least every three years. Microenterprises and entities under the simplified ICT risk management framework are outside the TLPT requirement, so small firms are not expected to commission it.
Risk-Based Approach: Testing programs should be based on the organization's risk profile, taking into account the criticality of their functions and the evolving threat landscape.
Annual Testing: All ICT systems and applications supporting critical or important functions must be tested at least yearly to assess their operational resilience (microenterprises are exempt from this yearly requirement).
Independent Parties: Testing should be carried out by independent parties, whether internal or external; when testers are internal, the entity must ensure they have sufficient resources and no conflict of interest with the systems under test.
Remediation: Identified weaknesses, deficiencies, or gaps must be promptly addressed and documented to demonstrate that corrective actions have been taken.
Pillar 4: ICT Third-Party Risk Management
DORA recognizes the increasing reliance on third-party ICT service providers and establishes a framework for managing the risks associated with these dependencies.
Due Diligence: Financial entities must conduct thorough due diligence when selecting and onboarding ICT service providers to assess their security and operational resilience.
Robust Contracts: Contracts with third-party providers must include clear provisions regarding service levels, security standards, incident reporting, and audit rights.
Ongoing Monitoring: Entities are required to continuously monitor the performance of their ICT third-party providers to ensure compliance with contractual agreements and regulatory standards.
Multi-Vendor Strategy: DORA allows, but does not require, entities to define a holistic ICT multi-vendor strategy. Adopting one reduces dependency on any single provider, enhances operational resilience, and helps ensure continuity of critical services in the event of a provider disruption or failure.
Exit Strategies: For ICT services supporting critical or important functions, financial entities are required to maintain a clear exit strategy that enables a transition to an alternate provider (or an in-house solution) and ensures services can be terminated in an orderly manner without compromising business continuity.
Pillar 5: Information Sharing Arrangements
The final pillar of DORA encourages, but does not mandate, financial entities to exchange cyber threat information and intelligence. This sharing of information, including indicators of compromise, tactics, techniques, and procedures, is a collaborative effort aimed at strengthening the sector's overall resilience.
Active Participation: Take part in industry groups, forums, or specific information-sharing arrangements to stay informed about emerging threats and best practices.
Types of Information: Entities may share information on cyber threats, including indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and cyber security alerts.
Leveraging Collective Intelligence: Use the collective intelligence gathered from these collaborations to protect pre-emptively against potential risks, thereby enhancing the entity's own digital operational resilience.
