Q&A with Giles Inkson: A Guide to Digital Operational Resilience Act (DORA)
Digital Operational Resilience Act (DORA) is a regulation in the European Union (EU) that’s significantly reshaping organisational approaches to cybersecurity. DORA introduces a standardized framework for improving digital operational resilience throughout the EU’s financial sector. Like GDPR, its impact extends well beyond the EU, and it comes with broad-reaching non-compliance penalties for financial organisations globally. This legislative package encompasses both regulation and directive components, fostering consistency in approach and implementation.
At its essence, DORA introduces a comprehensive testing framework centered around TIBER-EU testing, complemented by disclosure and intelligence sharing policies that aim to instill resilience and robustness in digital operations among financial entities. Its impact extends beyond traditional financial institutions, encompassing a broader scope of businesses that were not previously held to such stringent standards. As the compliance deadline of 17 January 2025 approaches, larger organisations are poised to lead the charge in adopting these standards.
While many companies are already proactively engaging in preparatory measures, expert guidance can streamline the compliance journey, offering clarity on regulatory requirements and expediting initiatives such as threat-led penetration testing and red teaming. By partnering with NetSPI to leverage our specialized assistance, entities can navigate the complexities of DORA with ease, ensuring timely and effective adherence to these new regulatory mandates.
Timeline of Digital Operational Resilience Act (DORA)
- 28 November 2022: The European Parliament approved The Digital Operational Resilience Act
- 17 January 2024: European Supervisory Authorities published the first set of final draft technical standards under DORA
- 17 January 2025: DORA goes into effect with flexibility for companies to meet the compliance standards
- Early 2025: Compliance with DORA will be mandatory for all companies affected
We tapped into NetSPI’s Director, Services – EMEA, Giles Inkson, to better understand DORA and its implications for the financial services industry.
1. What is DORA? What does it cover and what does it aim to achieve?
DORA is a framework enabling enterprise-wide resiliency, built on behaviours, processes, policies, and governance necessary for enabling that, both for monetary authorities within European nation states and organisations that enforce fiscal policy. It aims to establish frameworks and processes on how to conduct Information and Communications Technology (ICT) risk management across technology assets and key business services underpinning financial sector organisations, subject to audit.
Aspects of this include:
- Reporting of ICT-related incidents voluntarily, including service interruptions related to cybersecurity incidents and beyond such as general resiliency or failures of technology. It encourages reporting on operational failures and the company’s response to return to services.
- It ensures sound measures for managing ICT third-party risks, including supply chain attacks. These encompass various suppliers such as managed ICT providers, IT hardware suppliers, consultancy services, and others that contribute to the organization’s ICT capability or service provision. The framework establishes processes to control and mitigate the impact of these risks wherever feasible.
- It also covers major incidents in payment processing and cybersecurity, critical in safeguarding nations against hybrid warfare threats. Maintaining these components is a significant step toward safety across the European Union and globally.
The DORA framework aims to delegate significant responsibility to the nation state or its respective monetary authorities, aiming for consistent application across Europe and globally to enhance resilience and maturity in the financial sector. The goal is to ensure a consistent approach across the entire financial sector, benefitting both the sector itself and nations that engage with it.
2. Why is DORA needed? Do other regulatory frameworks address similar issues, and how does DORA complement or enhance these frameworks?
DORA is needed because it mandates TIBER-EU as part of its operational resiliency testing. TIBER-EU testing is also known as a threat-led red team, or a threat-led penetration test, to identify realistic threats across the system and focus on critical services that keep businesses running.
TIBER-EU has a number of standards in place for how to conduct this type of testing. It involves using realistic threats to build scenarios to test against that organisation, drill down as though they were real-world threats, and follow through a defined process end to end. This involves collaboration between threat intelligence, penetration testing providers, regulatory authorities, and the organisation itself.
While these tests have been around for a while, they are being updated as part of DORA. Legislature that’s being folded into the existing TIBER-EU frameworks will mandate this type of testing at least once every three years with the regulator involved. On the remaining two of those three years, a more self-guided version may be implemented, requiring less involvement from regulatory or monetary authorities. This allows for a more autonomous approach, although tighter controls can still be maintained during those years if necessary. Threat-led penetration testing and intelligence are central to the advancement of business resilience in the financial sector worldwide.
These standards are similar to others that have existed before, with more nations and regions adopting similar frameworks because they are proven to enhance business resilience. One of the first types of these testing standards was CBEST, which is from the Bank of England and the Prudential Regulation Authority (PRA). CBEST follows a similar standard with a slightly different set of accreditation processes. Additional examples include Cyber Operational Resilience Intelligence-led Exercises (CORIE) in Australia, and intelligence-led Cyber Attack Simulation Testing (iCAST) in Hong Kong. Other nations are following suit rapidly.
3. Who does DORA impact? Do all financial services businesses fall under the remit of DORA?
These standards primarily apply to the finance sector due to its critical role in maintaining economic and governmental stability for nation states. Therefore, they are highly significant, given the high stakes involved.
Twenty key types of businesses fall under the financial services umbrella. These include:
- Financial services and insurance lenders
- FinTech
- Trading venues
- Trading platforms
- Financial system providers
- Crowdfunding providers
- Cryptocurrency providers in varying forms
- Financial sector supply chains or ICT providers
- Investment firms
- Payment providers
- Credit rating agencies
See Article 2, Scope for a complete list.
4. What are the key requirements for compliance with DORA?
Compliance with DORA is all about showcasing the evidence, the audit trail, and demonstrating its consistency, validity, and authenticity during testing. Areas of validation include:
- Evidence of your efforts for effective ICT risk management and operational resiliency, including documenting ICT-related incidents, particularly major ones pertaining to payments or cybersecurity.
- Reporting process, its execution, and the location of any incidents. Ensure the presence of policies and processes, along with their rigorous testing prior to any incident. This validation should extend to your adherence to regulations set forth by your monetary authority or national regulator.
- Demonstrate proficiency in digital operations resiliency testing, such as red teaming or threat-led pentesting akin to TIBER-EU.
- Intelligence sharing is also a must. Being aware of threats and preventing breaches through regular sharing with the monetary authority is indicative of effective operations.
- Demonstrate that you’ve got measures for managing IT third-party risks and downstream supply chain.
- Define reporting notification requirements so that, after reasonable processes have been conducted to identify, contain, or eradicate threats, you notify your relevant monetary authority.
5. What are the reporting and notification requirements under DORA? What are the consequences if a business doesn’t comply with DORA by 17th January 2025?
Some tests are conducted annually, requiring evidence of regular compliance within that timeframe. Ideally, teams will prepare for this in advance to ensure that testing is completed before the deadline, thus enabling them to address any inquiries promptly. It’s advisable to have robust platforms, protocols, and processes established beforehand to mitigate potential issues. Failure to meet these standards may result in being subjected to special measures where monetary authorities monitor closely. Penalties for noncompliance can be severe, amounting to 1% of daily global turnover, collected over a six-month period, with the possibility of an annual penalty of up to 2% of global turnover. Continued noncompliance may result in special measures and oversight of the organisation, and could even lead to the revocation of operating privileges in that region, representing a worst-case scenario.
6. How does DORA contribute to enhancing the stability and security of the digital economy?
Essentially, it safeguards everyone involved, from individuals with bank accounts to businesses issuing wages. It ensures the monetary stability of the nation and secures government transactions, including payments to suppliers or employees and international transactions. Essentially, it serves as the lifeblood of the European economy, ensuring its vitality and resilience.
The goal is to develop the capacity to identify, respond to, and effectively counter threats to operational resilience. These threats may stem from various sources, including threat actors, technological glitches, process failures, or environmental disasters like earthquakes. The aim is to ensure preparedness for potential challenges, thereby preserving the functionality of our economies for as long as possible or facilitating a swift return to normalcy in the event of disruption.
7. What are some potential challenges or criticisms associated with DORA’s implementation?
Because the scope of DORA is so broad, businesses may struggle to prepare adequately and might rely on poor advice or organisational structures or misinterpret DORA’s values or guidance. This could result in a patchy implementation with numerous organisations believing they are compliant when they are not ready.
One of the significant challenges lies in collaborating with trusted parties, vendors, and organisations to ensure alignment with existing efforts rather than embarking on entirely new initiatives. Many organisations, including those not accustomed to such tests, requirements, policies, or frameworks, may find themselves unprepared for DORA’s operational methods, leading to initial difficulties in adaptation. Moreover, the shift from traditional approaches like red teaming or penetration testing to threat-led methodologies can be quite stark, requiring a pragmatic and realistic approach that may come as a shock to some.
8. Why should businesses partner with NetSPI to ensure they comply with DORA?
NetSPI’s intelligence-led proactive security team is experienced across regulatory frameworks and has delivered upon the TIBER framework and CBEST-level standards since its inception. We have contributed to the development of the standards and the working groups that have gone in to create the frameworks themselves and have the unique ability to draw on operational experience across domains that other proactive security companies cannot. We use best-in-class operators that exceed the requirements others may only meet, and our genuine, multiple-person operative capabilities drive testing that is second to none.
We exist to secure the most trusted brands on Earth, bringing more clarity, speed, and scale to your compliance with DORA and other frameworks. Reach out to start a conversation today.