How quickly can you interpret the five pillars of the Digital Operational Resilience Act (DORA)?
With this guide to DORA pillars (the central chapters in the DORA legislation documentation), you could have a good idea about DORA requirements in around five minutes - yes, we timed how long this takes to read.
We give you an overview of each pillar and tell you who’s responsible for implementation. We also discuss other vital details and include frequently asked questions about each pillar.
ICT risk management
Overview: You need to have an ICT risk management framework with strategies, policies, procedures, ICT protocols and tools for the protection of information and software as well as physical assets.
Who’s responsible: Your Chief Information Officer (CIO), Chief Technology Officer (CTO), IT security team and risk management team.
What else: This is the biggest DORA pillar. It says you need to:
- Make a crisis communication plan.
- Do a business impact analysis (BIA).
- Create response and recovery plans and test them yearly.
- Conduct security awareness programs for all staff and management.
- Test whether you can detect incidents and report an estimate of the costs and losses resulting from them.
DORA ICT risk management FAQs
- Does DORA require specific technologies for risk management?
No. DORA does not mention specific technologies, but adequate security controls are mandatory for compliance. Your security stack may or may not need to be upgraded.
ICT-related incident management, classification and reporting
Overview: You need to be able to classify data breaches and other incidents and report them very quickly after they happen.
Who's responsible: Your IT, security, incident response and operations teams.
What else: You need to be able to record, classify, and address all ICT-related incidents and cyber threats and their root causes within one week. You also need a process for reporting major incidents to senior management, relevant authorities, and clients if their financial interests are impacted.
DORA ICT-related incident management, classification and reporting FAQs
- What constitutes an ICT-related incident under DORA?
Any event that has a “significant impact” on your ICT systems. This could be a data breach or an attempted insider attack.
- How quickly do I need to report incidents under DORA?
Within 4 hours of becoming aware of the incident. You also need to provide a more detailed report within a week.
Digital operational resilience testing
Overview: You have to test for vulnerabilities and attack pathways regularly and thoroughly. This means standard tests you might already do, like vulnerability assessments, network security testing, and penetration testing.
However, this DORA pillar also brings in something called threat-led penetration tests (TLPT). These advanced tests, conducted every three years, are like red teaming exercises. TLPTs must be delivered by an independent party, whether you use an internal or external team to do the actual testing, and must follow a risk-based approach. You also need procedures to fix anything that comes up during a test.
Who’s responsible: Your internal IT and security teams and any external consultants you contract.
What else: There are two critical requirements for who you get to do your threat-led penetration testing.
- External testers must be reputable, technically capable, accredited, and have professional indemnity insurance.
- Internal testers need the approval of the competent authority (national or regional regulatory bodies like the European Banking Authority), must have dedicated resources to avoid conflicts of interest, and must use external threat intelligence providers.
DORA digital operational resilience testing FAQs
- How often should standard testing and advanced TLPT be conducted?
Standard testing should be done annually, while TLPTs are required every three years.
Managing of ICT third-party risk
Overview: You need to manage risks associated with ICT third parties and ensure contractual and operational resilience in case of a supply chain attack.
Who’s responsible: Internal risk management and procurement teams.
What else: You need a holistic third-party risk strategy. This means having a register of all your third-party ICT providers and ratings of their importance to your operations and their security risks.
You must review your third-party risk strategy and register regularly (at least annually). You need to report it to the competent authorities at least yearly.
It’s your job to ensure that these third parties meet security standards through your contracts. Plus, you need to plan for continuity. This means having exit strategies for critical services and ensuring your customers won’t be impacted if your main providers fail.
DORA ICT third-party risk FAQs
- How does DORA affect outsourcing decisions?
You need to choose ICT services partners that are DORA compliant. You will also need to divide your ICT providers into two categories - providers supporting critical or important functions and those supporting non-critical functions.
DORA has specific requirements for both of these types of service providers. You can read more about them here.
- How does DORA impact my existing third-party service providers?
You need to vet them and make sure they comply with DORA's security and reporting standards.
Information-sharing arrangements
Overview: You can share cyber threat intelligence within trusted, small communities to enhance awareness and protect sensitive data.
Who’s responsible: Your crisis communication team, public relations (PR) team, and senior management.
What else: Any sharing arrangement must protect the sensitive information involved. You must avoid sharing customers’ personally identifiable information or doing anything that might violate the GDPR.
DORA information-sharing arrangements FAQs
- What kind of information should be shared under DORA?
Any threat signatures, behaviours or tactics that could prevent future attacks on other financial firms.
...
4:58
4:59
... aaand five minutes! Mission accomplished.
:-)