DORA REGULATION 2025: How to prepare for the EU's new financial security requirements

DORA: behind this ultra-easy-to-remember acronym lies a new regulatory framework, the Digital Operational Resilience Act. Adopted at the end of 2022 by the Council of the European Union and applicable from January 2025, its provisions aim to strengthen the financial sector's resilience to cybersecurity risks and ensure greater industry control over the outsourcing of IT services. Digital resilience can be defined as an organization's ability to resist, adapt and recover in the best possible conditions from malfunctions and/or cyberattacks affecting its information systems.

Introduction to the Digital Operational Resilience Act

Origins and background of the legislation

There are at least three reasons for this new regulatory framework: firstly, the increasing digitization of the sector and, in particular, of financial transactions, including day-to-day payments. Secondly, the growing interconnection between financial systems worldwide. And finally, an exponential rise in cyber attacks, which rank as the most feared risk for businesses, according to a barometer by insurer Allianz 2024! And, of course, the financial impact is becoming ever greater, with catastrophic consequences for the reputation of financial institutions.

DORA's key objectives

The key objectives of the Digital Operational Resilience Act (DORA) are :

• Strengthen the financial sector's ability to prevent, absorb and recover from all forms of IT disruption.
• Harmonize digital security rules for financial entities in the European Union.
• Establish strict requirements for the management of information and communication technology (ICT) risks within financial institutions.
• Impose resilience tests to assess the ability of financial entities to withstand digital security incidents.
• Facilitate the sharing of information and intelligence on digital threats between financial players.
• Manage contractual relationships with third-party ICT service providers, including cloud service providers.
• Strengthen reporting obligations for cybersecurity incidents, ensuring rapid and effective notification of major incidents.
• Ensure effective supervision and coordination between national supervisory authorities and law enforcement bodies across the EU for a better integrated response to digital crises.

What is the impact of DORA on EU financial institutions?

The impact of the Digital Operational Resilience Regulation (DORA) on EU financial institutions is significant and multidimensional. Firstly, it will require the entities concerned to strengthen their cybersecurity and ICT risk management processes, thereby increasing their resilience in the face of cyber-attacks and IT malfunctions. In addition, DORA's resilience testing requirements will enable vulnerabilities to be identified and corrected before they can be exploited. The establishment of a threat information-sharing framework will improve the financial sector's collective ability to respond to incidents and emerging threats. In addition, risk management regulations for third-party ICT service providers will ensure improved control and oversight of digital supply chains. Finally, DORA compliance will provide assurance to consumers and investors of the robustness and reliability of financial infrastructures in the face of digital risks.

Deadlines for application of the DORA regulation

Application deadlines and key dates for the Digital Operational Resilience Act (DORA) are as follows:

• Adoption of the DORA law: The regulation was proposed to strengthen digital operational resilience within the European financial sector.
• Official entry into force: DORA must be implemented from January 17, 2025.

Here are some important steps that financial institutions should anticipate to prepare for DORA implementation:

• Preparation period: Between the publication of the law and January 17, 2025, financial institutions are expected to analyze and adapt their procedures to meet DORA requirements. This is also an opportune time for them to simplify and strengthen their digital security architectures accordingly.
• Compliance: Financial entities must be fully compliant with DORA requirements by the date of implementation. This will involve policy updates, internal audit procedures, resilience testing, and a review of contracts with third-party ICT service providers.

These deadlines are crucial for financial institutions to prepare and implement the required practices, thus ensuring compliance with the directives of the European Digital Operational Resilience Regulation (DORA), essential for strengthening their ability to cope with contemporary IT and cyber challenges.

ICT risk management according to DORA

Risk identification and assessment

One thing is certain: whatever the level of maturity of financial institutions in terms of cybersecurity, they will have to invest! After all, even in this sector, the basic assumptions of cybercrime apply:

1. Every digital system has at least one flaw (technical, human, organizational, procedural, etc.).
2. Each vulnerability is likely to be discovered internally or externally (by a hacker, a customer, an employee or a partner).
3. If a flaw is likely to be discovered, it will be sooner or later. Unfortunately, you never know when!
4. Anyone who has access to this loophole will be tempted to use it to their advantage, especially if the potential financial gains are high! Even internally, because ethics and honesty sometimes have their limits...
5. If the risks are nil or low, this flaw will be exploited, all the faster if the financial stakes are high.

DORA prevention strategies and protective measures

Under the Digital Operational Resilience Act (DORA), prevention strategies and protection measures for financial institutions in the European Union must include:

• Comprehensive ICT risk assessment: Conduct regular risk analyses to identify and assess potential vulnerabilities within the organization.
• Robust ICT security policy: Develop and implement IT security policies that cover all aspects of technology, including data access, device use and network security.
• ICT governance: Establish governance that clearly defines roles and responsibilities for ICT management and operational resilience.
• Training and awareness: Ensure ongoing training of staff in cybersecurity best practices and reinforce the security culture within the organization.
• Cybersecurity measures: Implement advanced technological solutions for intrusion detection, prevention and incident management.
• Incident response plans: Establish response and recovery procedures to react effectively to ICT security incidents.
• Resilience testing: Perform resilience tests such as penetration tests and incident simulation exercises to assess the organization's ability to withstand and recover from various attacks or failures.
• Audit and regular review: Conduct security audits to ensure that protection measures are effective and comply with the latest standards and regulations.
• Supplier and third-party management: Assess and manage the risks associated with ICT service providers and other external partners.

These measures should be seen as part of a comprehensive and integrated operational resilience program, aligned with DORA requirements to ensure adequate preparedness against ICT risks in the European financial sector.

Collaboration and information sharing on threats

Under the Digital Operational Resilience Act (DORA), collaboration and information sharing on threats in the financial sector have become a priority for strengthening the security of the European Union's financial infrastructures. Here are some key points relating to this collaboration:

Sharing mechanisms within the financial sector :

• Information Sharing and Reporting Platforms (ISACs): These structures enable financial institutions to exchange information on cyber threats and vulnerabilities in real time.
• Regulatory collaboration frameworks: DORA could encourage the creation of formal frameworks to facilitate information sharing between regulated entities and national supervisory authorities.
• Public-private partnerships: These partnerships aim to unite efforts between the financial sector and governments or regulatory bodies.

The importance of inter-company cooperation :

• Coordinated incident response: Cooperation enables a faster, more effective response to major incidents, by sharing knowledge and resources.
• Continuous improvement of cybersecurity practices: Companies can learn from each other and adopt industry best practices, raising the level of security across the sector.
• Systemic risk reduction: By sharing information on threats and vulnerabilities, companies help to reduce the likelihood of events that could affect the financial system as a whole.

Relations and management of third-party ICT service providers

The Digital Operational Resilience Act (DORA) lays down precise requirements for the relationship and management of third-party providers of information and communication technology (ICT) services, particularly in terms of due diligence and contractual framework, as well as supervision and performance assessment. Here are a few key points:

Due diligence and contractual framework :

• In-depth due diligence assessments: Before establishing relationships with third-party ICT service providers, financial institutions must carry out due diligence checks to ensure the reliability and soundness of these providers.
• Operational resilience clauses: Contracts must include specific terms guaranteeing that the service provider meets the security and operational resilience standards required by DORA.
• Business continuity and exit plans: Ensure that contingency plans and exit strategies are in place to reduce dependency on third-party providers.

Supervision and performance evaluation :

• Constant monitoring and assessment of associated risks: Institutions must continually monitor the risks associated with ICT services provided by third parties to detect any developments that could affect resilience.
• Regular audits and reviews of third-party service providers: Conduct regular audits and reviews to assess risks

Preparing for DORA's entry into force

To prepare for the entry into force of the Digital Operational Resilience Act (DORA), financial entities in the European Union need to adopt a series of measures to ensure their compliance with the new regulations. We propose an indicative checklist of the steps these entities could take:

Compliance checklist for financial entities :

• DORA impact analysis: Understand the implications of DORA for the company and thealignment of current practices with the requirements of the regulation.
• Audit of existing ICT systems: Assess current infrastructure to identify areas requiring improvement or upgrades to meet operational resilience criteria.
• Training and awareness: Organize sessions to train staff on new regulatory requirements and best practices in operational resilience.
• Review risk management policies: Update risk management policies to include digital risks and establish clear incident response protocols.
• Strengthen cyber security measures: Install or increase defenses against cyber threats, including encryption, real-time monitoring, and intrusion detection systems.
• Resilience tests and simulation exercises: Conduct regular tests to assess the company's ability to withstand and recover from cyber incidents.
• Control and review of third-party ICT suppliers: Conduct due diligence assessments and regular reviews of third-party suppliers to ensure their compliance with DORA requirements.
• Business continuity planning: Develop robust business continuity plans to ensure an effective response in the event of a significant disruption.
• Reporting and reporting obligations: Ensure you have the right systems and processes in place to meet DORA reporting requirements.

Available resources and support :

• European Banking Authority (EBA ) guidelines: Consult EBA guidelines and documents for advice on the practical application of DORA.
• Cybersecurity consultants: Engage specialists to advise on the best strategies for compliance and operational resilience.
• Compliance tools and risk management software: Invest in technology tools like those from Ap Solutions that can help track compliance and ICT risk management controls.
• Workshops and training: Participate in workshops, webinars and seminars to better understand DORA and its impact.

The designers of the DORA regulation have understood this: it is essential to detect and alert as quickly as possible. At the scale of financial organizations, it is not (any longer) reasonable to work in an artisanal way, but urgent to identify abnormal events and sensitive transactions in an automated way, while limiting false positives. Fortunately, software solutions (e.g. AP Filter or AP Scan) make this detection instantaneous (and configurable), automating the entire process and alerts, while facilitating regulatory reporting.

Eventually, the least prepared companies will associate the acronym DORA with " Difficulty in Organizing Responseto Attacks". But the most optimistic, equipped with the right software solutions, will see it as a way of " Multiplyingthe Opportunitiesof Advanced Resilience"!