The DORA Regulation: Europe’s New Cybersecurity Measures
Over the last two years, the European Commission has been working on a regulation it refers to as the Digital Operational Resilience Act (DORA). In November 2022, this act was adopted by the European Council. DORA aims to promote resilience to information and communication technology (ICT)-related risk for companies doing business within the financial sector in Europe, including banks, insurance companies and investment and asset management firms. Even third-party providers that handle crucial financial data, records and information will be subject to this regulatory statute. This act follows the guidelines that the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) created and proposed in 2020, to which European financial institutions were strongly encouraged to adhere; those guidelines focused on cybersecurity measures and on the implementation of independent and objective controls over data and resources within these companies.
As stated in the Council of the EU press release of May 11, 2022: “Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.” According to most accounts, it may take up to two years to implement the requirements associated with DORA, but companies can start early by tightening their compliance and security policies and investing in new technologies and processes.
But what does operational resilience mean with regard to DORA? Operational resilience is the result of effective management of operational risk, which means that internal and external policies and rules are in place to prevent catastrophic incidents such as data breaches and cyber-theft. Identifying and mitigating risk, together with continuous monitoring and testing, are examples of ways in which companies can reduce disruption to their operations that could otherwise lead to serious consequences.
Digital Transformation in the Corporate World
The corporate landscape has changed dramatically over the last few years. A large percentage of employees now work from home at least part of the time. This means that daily digital activity is no longer on-premises and that significant data exchange takes place through cloud-based frameworks. This new environment inherently brings a higher level of cyber-risk that must be addressed more aggressively than in the past, and especially so within the financial sector, because that sector offers the highest potential gain for hackers and cyber criminals.
The regulations included in DORA will oblige financial institutions within the European Union to reduce, whenever and wherever possible, the weaknesses in their internal systems and processes that could increase the likelihood of cyber-attacks. The only way to do this is to have the proper tools, processes and directives in place, including extra vigilance over third-party organizations that have access to sensitive resources. Detailed reporting, audits and testing will become essential for monitoring the companies for which DORA will be an obligatory practice.
DORA Regulations: The Five Targets
The focus of the Digital Operational Resilience Act will be on five main areas within ICT and information security, including:
- Digital operational resilience
- Risk management
- ICT incident reporting and management
- Information sharing
- Third-party risk management
Now that the act has been signed, what does this mean? It means that entities and institutions cannot and should not wait to begin ramping up for these regulations, which will be enforced approximately two years from the date of signing. Strategies must be put in place as soon as possible to be ready for DORA’s official roll-out.
Brainwave GRC Supports DORA Directives
“DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them,” according to a press release published by the European Council on November 28, 2022. The first step in securing a company’s network and information systems is knowing, first and foremost, who has access to them, how that access was granted, and whether the access is legitimate.
Thankfully, there are competent companies like Brainwave GRC that provide software solutions which can be implemented today for a smooth transition tomorrow. One of our key platforms is Identity Analytics, which has been designed to help detect, measure and reduce risks related to identity and access data quality issues, providing a full understanding of access rights and the knowledge of who has access to what, and to what extent.
By far, the Identity Analytics component which delivers the most immediate benefit to the business teams is the automated user access review. In addition to supporting audit requirements, performing regular access review campaigns promotes:
- the security and protection of resources,
- the compliance of access rights granted to employees, and
- conformity with the current internal and external security policies and rules, including segregation of duties.
There is no better way to begin complying with the Digital Operational Resilience Act.
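To make the three questions above concrete (who has access, how it was granted, and whether it is legitimate), here is an added example of a minimal automated access review, written for this article and not taken from Brainwave GRC's product or data model. Over a constructed set of identities, accounts, entitlements, approval records and segregation-of-duties rules, it builds a review campaign whose items are routed to the person who has to confirm or revoke each access: orphan accounts (owner unmapped or departed), entitlements with no approval record, and users holding a toxic combination of roles. The field names, rule format and reviewer routing are assumptions chosen for the example.

```python
"""Added example (not Brainwave GRC code): a minimal automated access review.

Flags three classes of access a reviewer must confirm or revoke before a
campaign closes:
  1. orphan accounts  - owner is unmapped or no longer an active identity,
  2. unapproved access - no record answers "how was this granted?",
  3. SoD conflicts    - one person holds a toxic combination of roles.
All data below is constructed; people, systems and roles are invented.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    uid: str
    status: str              # "active" or "left"
    manager: Optional[str]   # uid of the person who reviews this identity's access


@dataclass(frozen=True)
class Entitlement:
    account: str             # login in the target application
    owner: Optional[str]     # identity uid the account maps to, None if unmapped
    application: str
    role: str


Perm = Tuple[str, str]       # (application, role)

# Constructed sample data.
IDENTITIES = [
    Identity("u001", "active", None),     # manager of the others
    Identity("u100", "active", "u001"),
    Identity("u101", "active", "u001"),
    Identity("u102", "left", "u001"),     # has left the firm
]

ENTITLEMENTS = [
    Entitlement("alice", "u100", "payments", "create_payment"),
    Entitlement("alice", "u100", "payments", "approve_payment"),
    Entitlement("bob", "u101", "payments", "create_payment"),
    Entitlement("bob", "u101", "hr", "view_payroll"),
    Entitlement("carol", "u102", "trading", "book_trade"),
    Entitlement("svc_batch", None, "trading", "book_trade"),
]

# Approval records: (account, application, role) triples with a signed-off request.
APPROVALS: Set[Tuple[str, str, str]] = {
    ("alice", "payments", "create_payment"),
    ("alice", "payments", "approve_payment"),
    ("bob", "payments", "create_payment"),
    ("carol", "trading", "book_trade"),
    ("svc_batch", "trading", "book_trade"),
}

# Segregation-of-duties rules: permission sets one person must never hold together.
SOD_RULES: List[FrozenSet[Perm]] = [
    frozenset({("payments", "create_payment"), ("payments", "approve_payment")}),
    frozenset({("trading", "book_trade"), ("trading", "settle_trade")}),
]


def orphan_accounts(entitlements, identities) -> List[str]:
    """Accounts whose owner is unmapped or is no longer an active identity."""
    active = {i.uid for i in identities if i.status == "active"}
    return sorted({e.account for e in entitlements if e.owner not in active})


def unapproved_entitlements(entitlements, approvals) -> List[Tuple[str, str, str]]:
    """Entitlements with no approval record: nobody can say how they were granted."""
    return sorted(
        (e.account, e.application, e.role)
        for e in entitlements
        if (e.account, e.application, e.role) not in approvals
    )


def sod_conflicts(entitlements, rules) -> List[Tuple[str, Tuple[Perm, ...]]]:
    """Identities holding every permission of some SoD rule, across all their accounts."""
    held: Dict[str, Set[Perm]] = {}
    for e in entitlements:
        if e.owner is not None:
            held.setdefault(e.owner, set()).add((e.application, e.role))
    return sorted(
        (uid, tuple(sorted(rule)))
        for uid, perms in held.items()
        for rule in rules
        if rule <= perms
    )


def build_review_campaign(identities, entitlements, approvals, rules) -> List[dict]:
    """Turn findings into review items, each routed to the person who must decide."""
    by_uid = {i.uid: i for i in identities}
    owner_of = {e.account: e.owner for e in entitlements}

    def manager_for(uid: Optional[str]) -> str:
        ident = by_uid.get(uid) if uid else None
        return ident.manager if ident and ident.manager else "application-owner"

    items = []
    for account in orphan_accounts(entitlements, identities):
        items.append({"reviewer": "application-owner", "subject": account,
                      "reason": "orphan account: owner unmapped or has left"})
    for account, app, role in unapproved_entitlements(entitlements, approvals):
        items.append({"reviewer": manager_for(owner_of[account]), "subject": account,
                      "reason": f"no approval record for {app}/{role}"})
    for uid, perms in sod_conflicts(entitlements, rules):
        items.append({"reviewer": manager_for(uid), "subject": uid,
                      "reason": "segregation-of-duties conflict: "
                                + ", ".join(f"{a}/{r}" for a, r in perms)})
    return items


if __name__ == "__main__":
    for item in build_review_campaign(IDENTITIES, ENTITLEMENTS, APPROVALS, SOD_RULES):
        print(f"{item['reviewer']:<18} {item['subject']:<10} {item['reason']}")
```

On this data the campaign produces four items: two orphan accounts for the application owner, and two items for manager u001 (Bob's unapproved payroll view, and Alice's create/approve payment combination). The SoD check is done per identity rather than per account so that a toxic combination split across two logins in different systems is still caught, which is exactly the "who has access to what, and to what extent" view the article describes.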
Why wait? Take your first step towards compliance with the Digital Operational Resilience Act by contacting Brainwave GRC, the expert in the field of identity analytics.