The Digital Operational Resilience Act (DORA) is a regulatory framework that aims to ensure the operational resilience of financial institutions in the European Union. While DORA came into force on January 16, 2023, organizations were granted two years to implement its security requirements. If your institution is affected by DORA, you are probably wondering what your next steps should be to get ready. To help you get a head start, our expert for information security in the financial sector, Dr. Christian Schwartz, has compiled five tips on what you should consider first while preparing for DORA. While none of these starting points may be the most obvious at first, each one will have a great impact on your organization’s implementation of DORA requirements and, if taken into account early on, can save you a lot of time and effort later.
1. Re-evaluate your method to classify services regarding criticality
Reason:
“Critical or important services” are subject to a number of additional requirements (e.g., regarding BCM, Vulnerability Management, ICS, Resilience Testing).
Chances:
Ensuring the correct classification as "critical or important"
- creates leverage over the effort required to comply with the aforementioned requirements and
- ensures that the existing risk for critical or important services is effectively managed.
Estimated effort:
Design: Medium [1]
Implementation: Medium (scales with number of services)
2. Implement changes regarding the information register for ICT third-party risk management
Reason:
A comprehensive and up-to-date information register is a prerequisite for compliance with DORA regarding ICT third-party risk management.
Chances:
Provides foundation for
- effective ICT third-party risk management and
- handling of incidents involving ICT third-party service providers.
Estimated effort:
Design: Large
Implementation: Large (scales with number of ICT third-party service providers and contracts)
3. Consolidate contractual arrangements with ICT third-party service providers regarding operational resilience
Reason:
DORA (especially the consultation paper for the Regulatory Technical Standard "for specifying the detailed content of the policy on the contractual arrangements regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers") contains explicit requirements on the contractual arrangements.
Chances:
Updating existing contractual obligations (and defining a default for new contractual arrangements)
- ensures compliance with DORA regarding the use of ICT third-party service providers and
- provides an opportunity to align contractual arrangements and reduce the number of edge cases during ICT third-party risk management.
Estimated effort:
Design: Medium
Implementation: Large (scales with number of ICT third-party service providers and contracts)
4. Update incident response processes to address DORA requirements, especially considering the reporting of incidents
Reason:
In addition to requiring specific approaches during incident management (e.g., including specific properties during incident classification, such as direct and indirect damages, impacted countries, etc.), DORA also requires incident reports to be submitted within a short time frame and to include detailed information regarding the incident (both the time frame and the required content have yet to be determined by an RTS).
Chances:
Early alignment of the incident response process with the asset and information registers allows you
- to ensure that all information required for classification is available from these registers and
- to reuse correlated information, e.g., to determine a risk-based prioritization for threat-led penetration testing.
Estimated effort:
Design: Medium
Implementation: Large (scales with number of services)
5. Tailor the approach for digital operational resilience testing
Reason:
The scope and selection of resilience tests can be tailored according to the proportionality principle and the risk profile of the financial entity.
Chances:
Implement digital operational resilience testing while
- leveraging the attention created by DORA to put a strong, risk-based focus on ICT services exposed to actual risk and
- reducing the potential overall effort by focusing the majority of testing on critical or important systems [2].
Estimated effort:
Design: Medium
Implementation: Very large (scales with the number of services and especially critical or important services)
[1] Compared to the total effort it will take your organization to design and implement all DORA requirements.
[2] Note that the relevance of a system cannot rely solely on its individual business impact but must also consider the possibility of lateral movement and pivoting by attackers.
Do You Need Help?
While it may seem like there is plenty of time left to prepare for DORA, we recommend you get started early and take it step by step. We are here for you if you need help or have any questions.