The Digital Operational Resilience Act (DORA): GRC considerations for the Financial Sector’s ICT Supply Chain
The European Union’s Digital Operational Resilience Act (DORA) marks a step-change in cybersecurity and ICT risk management in the financial sector. DORA recognises the inherently interconnected, borderless and interdependent nature of modern digital banking systems and their technology providers, and the vulnerabilities that this interdependence creates.
Underlining the scale and severity of the threat to economic and social stability of a large-scale, disruptive cyberattack, DORA seeks to raise the standard of digital operational resilience across the EU’s digital banking ecosystem. It aims to improve the sector’s ability to identify threats, respond to incidents, report effectively and share intelligence.
Crucially, DORA’s scope includes organisations designated as Critical ICT Third Party Providers, which will become subject to extensive contractual obligations and oversight by regulators. DORA does not apply directly to other financial sector ICT providers, but in practice any provider serving the sector should start preparing for its impact, as customers increase the rigour of their third-party ICT risk management programmes in line with its requirements.
DORA’s key provisions
DORA focuses on five key areas, and it is essential that ICT suppliers are familiar with them as they support their customers to comply:
- ICT risk management: Applicable financial entities must devise and implement a robust and effective ICT risk management framework, to be reviewed at least annually or following a major ICT-related incident. The ICT risk management framework must comprise “strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets.”
- ICT incident management and reporting: Financial entities must define, establish and implement a robust ICT-related incident management process to detect, manage and notify ICT-related incidents. This must include early warning indicators, incident tracking, logging, and the categorisation and classification of incidents by priority, severity and impact. Reporting structures must be implemented to ensure that information about incidents reaches the required people and organisations.
- Digital operational resilience testing: Financial entities must take a risk-based approach to testing critical systems and processes. Tests must include, but are not limited to, vulnerability assessments and scans, open source analyses, network security assessments and scenario testing. External threat-led penetration testing must be carried out on live production environments at least every three years.
- Third-party ICT risk management: The financial entity must have a regularly reviewed strategy for managing third-party ICT risk, with policies on the use of ICT services that support critical and important functions. It must also maintain and update a register of information covering all contractual arrangements for the use of ICT services provided by ICT third-party providers.
- Information sharing: The regulation encourages financial entities to share cyber threat information and intelligence, as a critical aspect of improving resilience, minimising the impact of cyber disruption, and informing incident response.
The above are high-level summaries of the key focus areas. You can read more detailed information about DORA’s requirements in our eBook: The Digital Operational Resilience Act: Building operational resilience in the financial sector and its ICT supply chain.
Governance, risk and compliance considerations for the ICT supply chain
DORA is a risk-based regulation that introduces accountability for third-party ICT risk. As such, it imposes significant GRC obligations on financial entities and designated critical third-party ICT providers. These are highly likely to have a cascading impact on the entire ICT supply chain, and it is prudent for any technology business supplying the financial sector to review its GRC programme and identify areas where action is needed:
- Identify exposure: From a strategic perspective, it is important that ICT providers establish the level of exposure they have to in-scope DORA clients. This should be reported to the board and executive management, which should also be building a practical understanding of the regulation and its impacts.
- Allocate resources: Once exposure is established, the level of resources needed for both internal activity and external client support can be determined.
- Review your control environment: Analyse your control environment through the lens of DORA to address any gaps in controls, documentation and reporting.
- Review standards: Under the regulation ICT suppliers are also expected to achieve “the most up-to-date and highest quality information security standards”, so this is a good time to review and verify that the organisation holds all applicable standards.
- Avoid duplication: In a similar vein, DORA draws and builds on several existing regulations and standards, such as NIST standards, NIS2, GDPR and PCI DSS. It is therefore valuable to identify where risk management and policies are already in place, to avoid duplicating effort.
- Assess and mitigate subcontractor risk: The obligation for third-party ICT risk management extends all the way through the supply chain, so providers must ensure that they have robust and compliant contractual agreements in place with any subcontractors they use. If subcontractors are based in third countries, ICT providers need to analyse the risk this poses under the terms of the regulation.
- Establish customer communication channels: Create a positive and proactive communications approach to DORA with in-scope clients. Ensure that both emergency and business-as-usual channels are in place and that individuals in key roles of responsibility know who to contact in the event of incidents.
DORA comes into force from 17 January 2025. Its impact will extend far beyond the immediately in-scope organisations in the financial sector and critical ICT third-party providers. Any ICT provider with customers in the financial sector should act now to ensure that its GRC environment can support the greater scrutiny that is imminent.