The Five Pillars of Regulatory Compliance: Essential Frameworks Under the Digital Operational Resiliency Act (DORA)

Businesses increasingly rely on digital technologies to streamline operations, enhance efficiency, and stay competitive. However, with the advantages of digitization come inherent risks and challenges that can disrupt business operations. Recognizing the need for a comprehensive framework to address digital operational resilience, governments worldwide have introduced legislative measures to safeguard businesses and consumers. One such noteworthy development is the Digital Operational Resiliency Act (DORA).

The Digital Operational Resilience Act (DORA) is an EU regulation introduced by the European Council. It impacts financial entities, including banks, insurance companies, investment firms, and information and communication technology (ICT) vendors doing business in the European Union.

DORA Regulation Summary

The new DORA regulation aims to replace multiple ICT risk management frameworks with a unified approach for mitigating all ICT-related incidents in Europe’s financial industry. DORA also aims to support operational resilience within the EU financial industry so that business continuity can be guaranteed even while an organization’s ICT suffers disruptions, such as during a cyberattack.

DORA is also forcing critical ICT Third-Party service providers (CTPPs) to comply with regulatory standards that will be supervised by one of the three European Supervisory Authorities (ESAs).

• The European Banking Authority (EBA)
• The European Insurance and Occupational Pensions Authority (EIOPA)
• The European Securities and Markets Authority (ESMA)

DORA Compliance will be assessed through off-site and on-site inspections and requests for specific information, such as ICT service details, incident reporting logs, and details of implemented cyber risk defenses.

Objectives of DORA and the Impacted Businesses

DORA’s objectives focus on bolstering the IT security of financial entities within the EU, ensuring their resilience in severe operational disruptions, and mitigating the risks of ICT-related incidents. This initiative aims to fortify the overall stability and reliability of the financial sector in the European Union, promoting a secure environment for businesses and consumers alike.

DORA’s scope extends to a wide array of financial service entities, encompassing traditional institutions like banks, investment firms, and credit institutions, as well as non-traditional players such as crypto-asset service providers and crowdfunding platforms. Additionally, the proposal includes critical ICT third-party providers whose services have a systemic impact on providing financial services across Europe. By encompassing these diverse entities, DORA aims to establish a comprehensive framework for enhancing cybersecurity and resilience within the European financial sector, ensuring the stability and security of the broader financial ecosystem.

Key Events/Dates
Non-compliance with DORA regulations carries significant implications for businesses. Failure to achieve compliance by the deadline may lead to substantial fines, with leading overseers empowered to impose penalties of up to 1% of an ICT provider’s average daily turnover from the previous business year. These fines can accrue daily until compliance is achieved, underscoring the urgency for entities to adhere to DORA standards and mitigate the risk of financial penalties.

The Key Regulatory Requirements are Grouped into Five Pillars

1. Information and Communication Technology (ICT) risk management

The DORA regulation requires respective management to take responsibility for ICT risk management. It identifies critical functions and puts them in a risk management framework based on international standards. It is to be reviewed annually.

This framework must include a digital resilience strategy, cybersecurity training for the management team, and regular audits.

In accordance with Article 13, point 6 of DORA regulations, all company employees (including members of management) must complete cybersecurity training appropriate to their positions.

It encourages the use of advanced technologies, detection of irregular activities, and transparency in the event of any ICT-related incidents.

2. Reporting ICT incidents

DORA Regulation does recognize how difficult it can be for financial entities to meet all mandatory incident reporting requirements, stemming from all the rules and regulations that could apply when tackling a single ICT-related incident.

The DORA proposal foresees a harmonization of reporting content and templates. DORA Regulators also envisage centralizing the reporting of major ICT-related incidents. They will investigate the feasibility of setting up a single EU hub for major ICT-related incident reporting by financial entities.

3. Digital Operational Resilience Testing

Financial entities should conduct a comprehensive digital operational resilience testing program at least once a year.

The DORA proposal also includes a specific provision requiring financial entities to ensure the involvement of ICT third-party providers in their digital operational resilience testing whenever applicable.

Financial entities should undertake threat-led penetration testing at least every three years, with the direct participation of the relevant ICT third-party service providers.

These tests are intended to assess the financial entities’ ability to manage ICT incidents and identify system weaknesses.

Vulnerability assessments are necessary to guarantee the operational resilience of IT systems before deploying new services or upgrading existing ones linked to critical functions.

4. ICT third-party risk

Financial entities should manage ICT third-party risk as an integral component of their ICT risk management framework.

They must assess contractual risks, terminate contracts with suppliers presenting cybersecurity risks, and produce an annual report on ICT agreements.

DORA will bring critical ICT third-party providers under the direct supervision of one of the three European supervisory authorities that oversee the financial industry.

5. Sharing Information and Intelligence

The DORA proposal encourages financial entities to share cyber threat information and intelligence to enhance the industry’s digital operational resilience.

Voluntary information sharing should take place through well-structured information-sharing arrangements within trusted communities.

Financial entities will also be asked to notify their competent authorities of their participation in such information-sharing arrangements so that the supervisory authorities can ensure a proper balance between cybersecurity and privacy protection.

DORA encourages financial institutions to share information on cyber threats to strengthen digital resilience and reduce ICT-related risks. It authorizes financial entities to establish information-sharing arrangements while guaranteeing personal data protection and requiring notification to the relevant authorities. These measures are designed to improve defensive capabilities and detection techniques against cyber threats.

Conclusion

Cigniti stands out as one of the leading forces in BFSI sector service providers  (especially Compliance and Risk Management), boasting a dedicated pool of Subject Matter Experts (SMEs) with hands-on experience. In addition to cybersecurity services, Cigniti aligns seamlessly with the DORA standard requirements. Cigniti offers various solutions encompassing quality assurance, migrations, validations, and more.

Cigniti provides future-proof testing capabilities, ranging from integration, API, and component-level testing to functional and non-functional security, compliance, and performance testing. Focusing on comprehensive and specialized features, Cigniti ensures its clients are well-equipped to navigate the evolving software testing landscape.

Need help? Contact our BFSI testing experts to learn more about the five pillars of regulatory compliance and the essential frameworks under the DORA.