A Deep Dive into the Digital Operational Resilience Act

João Faria | June 23, 2021 | tag: Regulation & Compliance

The European Union (EU) will soon launch a new regulation that will require banks and other firms in the financial sector to mature their third-party risk management programs to meet a defined set of cybersecurity requirements – requirements that will also apply to the critical Information and Communication Technology (ICT) service providers they work with.

The timeframe for reaching compliance will be relatively short given the complexity of the new framework. Understanding the Digital Operational Resilience Act (DORA), together with its roadmap and timeline, is important for every in-scope firm so that CIOs, CISOs, and compliance managers can start planning now.

The need for unified cybersecurity standards

Although the financial resilience of organizations across the EU has recovered since the 2008 crisis, ICT risk has been addressed differently by each member state's financial supervisor. The result is an inconsistent approach and a proliferation of national regulatory initiatives.

In February 2020, the European Systemic Risk Board (ESRB) voiced deep concern about the need to consolidate third-party risk management requirements for financial entities across Europe. The recommendation followed a report on cyber incidents that identified cyber risk as one of the sources of systemic risk to the financial system, with potentially serious negative consequences.

The report recognized that a single event could trigger a systemic crisis threatening financial stability. According to a Cybersecurity Ventures report, global cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. The number and severity of cyber threats tied to ICT risk, such as phishing, identity theft, and ransomware, has also been rising, and concentration on a small number of vendors amplifies how far, and how effectively, such attacks spread.

What does DORA mean for your organization?

DORA will specifically focus on around 20 types of regulated EU financial entities. These include not only banks, credit institutions, payment institutions, and electronic money institutions, but also investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, institutions for occupational retirement provision, credit rating agencies, statutory auditors and audit firms, and crowdfunding service providers, among others.

Financial firms and ICT vendors of all sizes fall within DORA's scope. Some firms will face less complex obligations under the legislation, while others are sure to find it more burdensome than the requirements currently in place. It is also expected that the final DORA regulation will set different tiers and timeframes of application depending on the size and/or scope of activity of each eligible firm.

Regardless of the final scope and criteria, DORA will require all in-scope organizations to implement secure technologies and processes that raise overall supply chain resilience. Cyber risk management strategies, and third-party risk management programs in particular, need to evolve to address DORA's five key pillars:

  • ICT Risk Management
  • ICT Incident Reporting
  • Digital Operational Resilience Testing
  • Information and Intelligence Sharing
  • ICT Third-Party Risk Management

Despite Brexit, the UK's own operational resilience requirements from the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) are broadly aligned with DORA. The UK-specific framework will therefore exist in parallel with the guidelines issued by the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).

How can BitSight help your organization comply with DORA?

Depending on how quickly the third-party risk management requirements are settled and agreed by the EU co-legislators, DORA is expected to take most of its final form by the end of 2021. Firms should then have 12 (possibly up to 18) months to comply with most of the requirements announced in the first phase of the rollout.

A further subset of requirements is expected to give organizations another 18 months, covering the secondary legislation and technical standards, developed by the ESAs, that will map out how the rules are to be applied in practice. The whole framework should be running at full steam by the end of 2024.

This roadmap may seem generous, but organizations and cybersecurity professionals should recognize that the DORA timeline is aggressive and needs to be addressed urgently. One thing that will keep your organization on track from the very beginning is to start assessing your ICT third-party providers now and to keep a complete, up-to-date register of them.

BitSight can help your organization find the best path for this journey. With a suite of solutions based on its industry-leading Security Ratings service, BitSight helps firms identify risk in their digital ecosystems, enabling security teams to prioritize resources to remediate the riskiest issues.

By trusting BitSight to help you get on track with DORA, you will have access to:

  • Data-driven insights on how to meet industry standards and regulatory requirements
  • Continuous monitoring of your attack surface so that you can regularly assess your security program and remediate any gaps in controls
  • Sound security program governance over your organization’s evolving first-, third-, and fourth-party footprint that takes into account your risk appetite
  • Evidence-based strategies and assurance to drive confidence in your security program 

And most importantly: We will be there with you every step of the way. To learn more about how BitSight can help your organization comply with DORA, please check our Solution Brief, and read the DORA eBook prepared as a comprehensive guide to the upcoming regulatory requirements.

Harmonizing ICT Risk in the EU Financial Sector: The Digital Operational Resilience Act (DORA)
