The TL;DR on DORA


Are you thinking, “I’m not a financial institution in the EU, so I can ignore DORA”? Well, not so fast. Sorry to bring you some bad news. DORA's reach extends to the ICT service providers of financial institutions too. Everyone who works with financial institutions in the EU will be impacted. That includes SaaS and cloud providers as well as the financial entities themselves: insurers, investment firms, payment service providers, credit institutions, and more.

Let’s start with what it is. The Digital Operational Resilience Act, or DORA, is a new EU regulation that aims to strengthen cyber defenses in the financial sector. It entered into force on January 16, 2023, and applies from January 17, 2025. DORA establishes a unified framework for securing information and communication technology (ICT) across the sector, spread over 64 articles. So, here's the TL;DR: All financial sector organizations must prove they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. They must prove they are set up to be resilient, not just against cloud outages and natural disasters but against cyberattacks too.

Compliance with DORA is two-fold

First, organizations must prove ironclad cyber defenses and robust digital operational resilience. Second, they must prove a strong governance structure to manage risk. This includes ICT risk management and the monitoring of ICT third-party service providers. So, let's dive in.

The Five Pillars of DORA

1. ICT Risk Management and Governance

Mandates internal governance and control frameworks to identify, assess, and mitigate ICT risks.

  • You must identify and classify all critical data, assets, and business functions, and clearly document their dependencies.
  • Rules require documented plans for business continuity, disaster recovery, and business impact analysis. They also mandate data backup and recovery, a restoration process, and communication plans.
  • Policies on identity and access management (IAM), anomaly detection, malware scanning, threat response, security monitoring (for example SIEM/SOAR), vulnerability management, and patch management are mandated.
  • Risk management strategies are required. DORA clarifies that an entity’s management body (board members, executives, and senior managers) is responsible for ICT risk management. Failure to comply could lead to personal accountability.

2. ICT-Related Incident Management

Mandates organizations detect, manage, and promptly report major cyber or ICT-related incidents.

  • Entities must file three reports for each major ICT-related incident: an initial notification to the competent authority, an intermediate report on progress toward resolution, and a final report that analyzes the root causes of the incident.
  • DORA requires all entities to follow uniform reporting rules, templates, and timelines so that communication is quick and consistent.

3. Digital Operational Resilience Testing

Mandates rigorous testing to find, fix, and reduce vulnerabilities.

  • Entities must test all ICT systems and applications supporting critical or important functions at least yearly, using methods such as vulnerability assessments and scans and scenario-based testing.
  • Entities deemed significant to the financial system must additionally undergo threat-led penetration testing (TLPT) at least every three years.
  • Entities must also prioritize, classify, and fully remediate any weaknesses identified during testing.

4. Third-Party Risk Management

Mandates oversight and management of ICT third-party service providers, including cloud computing services, to ensure compliance with DORA's resilience requirements.

  • DORA requires entities to assess third-party service providers thoroughly, map their dependencies, ensure the security and integrity of the services provided, and put clear exit strategies in place.
  • Meaningful exit plans must exist for how to transition data, applications, and services from a cloud computing environment back to on-premises or to another cloud provider.
  • Entities may only enter contracts with providers that meet these requirements.
  • Competent authorities can, as a last resort, require entities to suspend or terminate arrangements with critical ICT third-party providers that don’t address the risks identified under DORA.

5. Information Sharing

Allows and encourages financial entities to exchange cyber threat information and intelligence with one another, within trusted communities, to boost collective resilience against cyber threats.

Quick Highlights: Get Prepared

I will admit that the list above is still dense. So, here are the highlights in TL;DR style.
 
Top Ten DORA Takeaways:

  1. Strong cyber defenses required. Policies, procedures, protocols, and tools for cyber resilience must be documented, reviewed at least annually, and reported on to authorities.
  2. Faster recovery SLAs. Entities must recover faster and more efficiently from a cyberattack or ICT-related disruption. Recovery times must be recorded and must meet the recovery time and recovery point objectives set for your critical or important functions, backed by an ironclad data protection solution built to hit those objectives.
  3. Efficient, non-disruptive recovery testing capabilities. Resilience and recovery testing must recur, and entities must be able to show proof of it in an annual report.
  4. Isolated recovery and clean-room capability. Entities must be able to isolate affected systems and recover to a secondary site with a distinct risk profile, and must be able to identify the malware involved before restoring.
  5. Physically and logically segregated backups. Data protection infrastructure must be independent from the production environment, and backup systems must be physically and logically segregated from the source systems.
  6. Secure data protection. The confidentiality, availability, and integrity of data must be protected with controls such as encryption, immutable storage, multi-factor authentication, and authorization mechanisms.
  7. Robust digital operational resilience. Entities must be able to quickly identify weaknesses, deficiencies, and gaps in digital operational resilience and promptly implement corrective measures.
  8. Anomaly and anomalous user behavior detection. Entities must monitor for cyber threats by detecting anomalous activity, including anomalous user behavior, and these detection capabilities must be tested regularly.
  9. Flexible recovery options. Entities must be able to address multiple recovery scenarios and have the flexibility to recover wherever needed.
  10. Integrated recovery orchestration and automation capabilities. Tools are required that reduce the overhead of recovery testing and shorten the required recovery time.

Want to learn more about how to get prepared for DORA? Read our DORA: Get Prepared guide.

How Veritas Can Help

Today’s teams need to know the specifics: the controls, processes, technologies, and reporting requirements for achieving resilience and DORA compliance. Veritas can help! This is our business. We offer a variety of solutions that can help your organization protect its data, secure it, and prove compliance. Additionally, Veritas offers customers cyber resiliency assessment and recovery services that can help set up your systems, protocols, and teams in accordance with the requirements. To learn more about our Cyber Resilience solutions, read our white paper, DORA: Deep Dive into the Cyber Resilience Aspects of the New Legislation. For the risk management strategy side of the DORA legislation, read the DORA Risk Management white paper.

Lastly, watch our recent interview, Demystifying DORA with Veritas experts, Alain Pelegrin and Magnus Martensson. Remember DORA will take effect on January 17, 2025, so kick off your preparations today.

Sonya Duffin
Data Resiliency Expert