The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the resilience of financial entities to information and communication technology (ICT) risks. DORA sets out a range of security controls and requirements that financial entities must implement to comply with the regulation.
This blog post aims to answer frequently asked questions about DORA.
Who does DORA apply to?
DORA applies to financial entities and ICT service providers. Here is a breakdown of some of the organizations in these two categories.
Financial Entities
- Credit Institutions: Banks and institutions that provide credit and manage deposits.
- Investment Firms: Companies that provide investment services and activities.
- Insurance and Reinsurance Companies: Entities that offer insurance and reinsurance services.
- Payment Institutions: Firms that provide payment services and manage payment transactions.
- Electronic Money Institutions: Companies that issue electronic money.
- Central Securities Depositories: Entities providing securities settlement and custody services.
- Central Counterparties: Firms that act as intermediaries between the two sides of derivatives and securities transactions.
- Trading Venues: Platforms that facilitate the trading of financial instruments.
- Data Reporting Service Providers: Entities that provide transaction reporting services for regulatory purposes.
- Managers of Alternative Investment Funds: Companies that manage hedge funds, private equity funds, and other alternative investment vehicles.
- UCITS Management Companies: Firms that manage undertakings for collective investment in transferable securities.
- Credit Rating Agencies: Organizations that assign credit ratings for issuers of certain types of debt securities.
- Statutory Auditors and Audit Firms: Entities that conduct statutory audits of financial statements.
- Crowdfunding Service Providers: Platforms that facilitate crowdfunding activities.
- Crypto-Asset Service Providers: Firms that provide services related to crypto-assets, including trading, custody, and issuance.
ICT Service Providers
- Third-Party ICT Service Providers: Companies that offer ICT services to financial entities, such as cloud service providers, data centers, and software vendors.
- Critical ICT Third-Party Service Providers: Designated third-party providers that are deemed critical due to the significant impact their services have on the operational resilience of financial entities.
What are the key dates for DORA compliance?
DORA was proposed by the European Commission on September 24, 2020. Two years later, on December 27, 2022, DORA was published. On January 16, 2023, DORA entered into force.
Looking forward, the important date to know is January 17, 2025. This is the date when all entities within the scope of DORA must be fully compliant with its provisions.
What are some of the recommended ISO and other frameworks which can help with compliance?
Most relevant entities will likely already be aligned with recognized security and risk management standards and frameworks. If not, they can consider one or more of the following frameworks to help achieve compliance.
- ISO/IEC 27001
- ISO 22301
- The European Union Agency for Cybersecurity (ENISA) Guidelines
- COBIT (Control Objectives for Information and Related Technologies)
- ITIL (Information Technology Infrastructure Library)
- BCM (Business Continuity Management) Standards
- CIS Controls (Center for Internet Security Controls)
- NIST Cybersecurity Framework (NIST CSF)
Are there fines and penalties for DORA violations?
It’s worth bearing in mind that DORA imposes quite stringent fines and penalties for non-compliance. The specific amounts, however, can vary based on the severity of the violation, the entity involved, and the discretion of the regulatory authorities.
- Maximum Fines: Fines can be substantial, reaching up to a certain percentage of the annual global turnover of the entity. For severe breaches, fines can be as high as 2% of the annual global turnover.
- Fixed Amount Fines: Alternatively, fines can be set at fixed amounts, which can vary but are significant enough to serve as a deterrent. For example, fines can reach up to several million euros for serious violations.
- Daily Penalties: In some cases, daily penalties can be imposed for continued non-compliance until the violation is rectified. These penalties accumulate daily until the entity becomes compliant.
What are the required security and risk controls for DORA compliance?
There are twelve main security controls for DORA compliance.
- ICT Risk Management Framework
  - Comprehensive Framework: Financial entities must establish and maintain a comprehensive ICT risk management framework to ensure operational resilience.
  - Governance and Strategy: The framework should include governance structures, strategies, policies, and procedures for managing ICT risks.
  - Periodic Reviews: Regular reviews and updates of the framework to address emerging threats and changes in the operational environment.
- ICT Security Policies and Procedures
  - Security Measures: Implementation of adequate security measures to protect ICT systems and data, including access controls, encryption, and secure configuration.
  - Incident Management: Procedures for detecting, managing, and reporting ICT-related incidents, including roles and responsibilities.
- Incident Reporting and Management
  - Reporting Mechanisms: Establishment of mechanisms for reporting significant ICT incidents to relevant authorities within a specified timeframe.
  - Response Plans: Development of incident response plans to ensure effective response and recovery from ICT incidents.
- Business Continuity and Disaster Recovery
  - Continuity Plans: Creation and maintenance of business continuity plans (BCPs) and disaster recovery plans (DRPs) to ensure operational continuity during and after disruptions.
  - Testing: Regular testing and updating of BCPs and DRPs to ensure their effectiveness.
- Third-Party Risk Management
  - Due Diligence: Conduct due diligence and risk assessments of third-party ICT service providers.
  - Contractual Requirements: Inclusion of specific contractual requirements related to ICT security and resilience in contracts with third-party providers.
  - Monitoring and Oversight: Continuous monitoring and oversight of third-party service providers to ensure compliance with security requirements.
- ICT Audits
  - Internal Audits: Regular internal audits of ICT systems and processes to ensure compliance with DORA and other regulatory requirements.
  - External Audits: Engagement of external auditors to perform independent assessments of ICT risk management and security practices.
- Information Sharing
  - Collaboration: Participation in information-sharing arrangements with other financial entities and relevant authorities to share threat intelligence and best practices.
  - Reporting Obligations: Compliance with obligations to report significant cyber threats and vulnerabilities.
- Employee Training and Awareness
  - Training Programs: Implementation of training programs to ensure employees are aware of their roles and responsibilities in managing ICT risks.
  - Awareness Campaigns: Regular awareness campaigns to promote a culture of security within the organization.
- ICT Incident Response Testing
  - Simulation Exercises: Conduct regular simulation exercises and drills to test the effectiveness of incident response plans and improve preparedness.
  - Post-Incident Reviews: Perform post-incident reviews to identify lessons learned and areas for improvement.
- Resilience Testing
  - Penetration Testing: Regular penetration testing to identify and address vulnerabilities in ICT systems.
  - Red Team Exercises: Conduct red team exercises to simulate cyber-attacks and test the organization’s detection and response capabilities.
- Monitoring and Logging
  - Continuous Monitoring: Implementation of continuous monitoring mechanisms to detect and respond to ICT threats in real time.
  - Logging and Analysis: Maintenance of comprehensive logs of ICT activities for analysis and investigation of incidents.
- Governance and Oversight
  - Board Involvement: Ensuring that the board of directors or equivalent governing body is involved in overseeing ICT risk management and operational resilience.
  - Reporting: Regular reporting to the board on ICT risk management activities and incidents.
Summarizing the key DORA requirements
Entities covered by DORA must establish the following key strategies and capabilities to ensure their ICT systems are secure and resilient.
- ICT Risk Management: Implement and maintain a comprehensive ICT risk management framework.
- Incident Reporting: Establish procedures for reporting significant ICT-related incidents to the relevant authorities.
- Business Continuity: Develop and maintain business continuity and disaster recovery plans.
- Third-Party Risk Management: Conduct due diligence, risk assessment, and continuous monitoring of third-party ICT service providers.
- ICT Security Policies: Implement robust security measures and policies to protect ICT systems and data.
- Governance and Oversight: Ensure appropriate governance and oversight mechanisms are in place, involving senior management and the board of directors.
Compliance with DORA requires financial entities to establish robust ICT risk management practices, enhance their incident response capabilities, and ensure the resilience of their ICT systems. By implementing these security controls, financial entities can better protect themselves against ICT-related risks and ensure their operational continuity.
How can Bugcrowd help with DORA compliance?
Bugcrowd can help you achieve compliance with these regulations in several ways. Firstly, our Vulnerability Disclosure Programs are well suited to third-party risk management and monitoring. Our Managed Bug Bounty and Pen-testing-as-a-Service engagements help with resilience testing. Finally, all three products can be used for vulnerability identification and information sharing. For all of these, we generate on-demand reports, attestations, and executive summaries using rich reporting and analytics, so organizations have adequate compliance and risk reporting.