What is DORA?
Today we are going to talk about DORA, no not the TV show, but the Digital Operational Resilience Act that is coming into effect on the 17th January 2025 within the European Union (EU). This new act is aimed at companies that operate within financial services.
So, what is DORA? DORA is an act that enables European financial companies to further protect themselves from risk. It builds upon the existing requirements for security, and these changes will also apply to companies that provide supply chain and third-party services to these financial companies, for example cloud, managed services, analytics and so forth.
The DORA act will mandate that everyone who falls under it has the necessary safeguards in place to protect themselves not only from cyber based threats but also around disaster recovery and business continuity. So, making sure that businesses can continue to run should a service go offline, such as cloud services or their internet, or a supplier goes out of business.
How will DORA affect you as a business? Even if you are a UK based business, or a business outside of the European Union, you may still be impacted by DORA requirements. This is due to the requirements of the act, being that if you supply services to a financial services company, you will come under the scope of the DORA act.
So, if you have any clients which are based within the financial services sector and are based within the EU, now is the time to read up on DORA and ensure you are compliant with everything.
There are many different financial services which are affected, some of the main ones being:
- Financial and insurance services
- Lenders
- Investment firms
- Payments
- Credit rating agencies
- Financial system providers
The six steps to DORA compliance
When it comes to knowing how to comply with the act, there are six steps to look at which, for most companies, will already be in place. These six steps are:
- ICT Risk management: Making sure that you as a business have the necessary risk management and risk-register-based controls in place and that you understand what risks there are to the business. This should be reviewed frequently.
- ICT third-party risk management: Monitoring of your third-party providers and ensuring that any risk is reduced. Checking on contractual and SLA obligations and making sure that service will not be impacted.
- Digital operational resilience testing: Ensuring that services work as expected, making sure that you test your systems.
- ICT-related incidents: Making sure you have appropriate incident management plans in place and that people within the business know how to deal with an incident. What communication plans are there, and have processes been documented and tested?
- Information Sharing: Ensuring that information is shared throughout the business and possibly with third parties, so that information about cyber based threats is known and documented, and, if required, protected against.
- Oversight of critical third-party providers: Making sure that you have controls in place for any critical third-party providers so there is minimal to no impact to services, should the worst happen. Do you have multiple providers, have the providers got resilience and availability controls in place?
How do you work toward compliance?
For the most part, if you are adhering to best practices for information security, such as Cyber Essentials, IASME Cyber Assurance or ISO 27001, then you will likely be covering most if not all of the areas of compliance.
However, you should look at the following areas:
- Determine whether you are in scope of DORA or not. Do you work or deal with financial services within the EU?
- Perform a risk assessment of your business and look at all areas of possible risk, not just business related, but also supply chain and cyber related risks.
- Educate people within the business and ensure there are enough resources within the business to understand the requirements of the compliance.
- Ensure all the necessary procedures and policies are in place: business continuity, disaster recovery, incident management, change control etc.
- Review regularly not just your own business but also third parties and the supply chain, to ensure anyone who deals with financial services in the EU is covered and that nothing has changed since the last checks; if there are changes, update and communicate them within the business.
If you would like to learn a bit more about DORA, you can find the official page from the EIOPA here: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en