January 17, 2025 is the official date the DORA regulation goes into effect, meaning your compliance and risk management teams are probably busy with a lot of last-minute tasks. While the enforcement of DORA is supposed to help ensure that financial service organizations in the EU remain resilient in the face of IT disruptions, you also need your organization and internal teams to be resilient and achieve compliance without it stressing out your team.
With the deadline for compliance less than 100 days away, here are a few tips on how to keep things in perspective as we march towards that deadline.
Why Should You Care About DORA?
As financial services increasingly outsource critical services such as cloud computing and data management, the financial service supply chain has become harder to defend in the event of a cybersecurity attack or IT disruption. In addition, new technologies such as digital payments and cryptocurrency have introduced new vulnerabilities into the financial supply chain. By requiring financial service organizations and their critical third-party ICT services to adhere to stricter third-party risk management practices, DORA helps to strengthen operational resilience in the financial industry as a whole.
Organizations that fail to comply with DORA face sanctions, penalties, and a ban on certain operations or on the use of certain third-party services until compliance is met. They may also face increased audits and supervision. Since the regulations help minimize IT disruption, failure to comply can increase the risk of operational disruptions and a loss in revenue. If a cybersecurity incident or other IT disruption occurs, it also destroys trust in your organization, risking a loss in future business.
One Does Not Simply Comply with DORA!
Since it explicitly deals with third-party services, DORA is one of the most comprehensive cybersecurity regulations to date. That means it requires financial service organizations not only to comply with DORA internally, but also to ensure that their third-party ICT providers comply.
Key requirements include:
- ICT Risk Management and Governance. ICT systems must be mapped, along with their relationships to the financial service, its assets, and other third parties. Each ICT provider must then adopt a risk management framework that includes various technological and operational requirements.
- ICT Incident Reporting and Response. ICT-related incidents must be reported, classified, managed and logged in a timely fashion. The initial report should be made to the proper authorities within 24 hours of the incident.
- Continuous Digital Operational Resilience Testing. ICTs should be tested on a regular basis. Tests should include vulnerability assessment testing, threat-led penetration testing (TLPT), ICT-risk assessments, and scenario-based testing.
- ICT Third-party Risk Management. Organizations must ensure their third-party ICT providers adhere to the six pillars of DORA’s third-party risk management.
- Information and Intelligence Sharing. Although not required, intelligence sharing strengthens cybersecurity resilience across the entire supply chain.
IT Security Managers Need to Look Out for DORA
While DORA’s regulations may look like Greek to many of us, for others of us – like IT security managers – it’s all in a day’s work.
After thoroughly understanding DORA’s requirements, IT security managers can help your organization achieve DORA compliance by implementing an ICT risk management framework and developing an incident response plan. Then they’ll need to arrange for the different types of testing on a regular basis, identify, map and manage all third-party ICT service providers, and conduct a third-party risk assessment for each.
Achieving DORA compliance will give you and your third parties the best security posture possible in a cyber landscape of ever-evolving threats.
TPCRM for DORA Compliance?
One of the biggest challenges for organizations that want to achieve DORA compliance is the expanding supply chain. Sometimes, it can seem endless (n-th party, anyone?).
Adding to the frustration, many organizations aren’t even fully aware of which third parties they use and how they use them, much less their place in the supply chain. To make matters even more complicated, organizations may have different risk management standards for different vendors, creating security gaps. By applying a consistent TPCRM framework that includes clear policies and procedures for due diligence, ongoing monitoring, standardized risk assessment and incident response, however, organizations can start to eliminate these security gaps. Depending on your organization’s resources, this may also include using third-party cyber risk management services and platforms, providing third-party security awareness training for employees, or even hiring an employee with extensive experience in TPCRM.
DORA: The Light at the End of the Tunnel
You did it! Congratulations, you’ve followed the guidelines for both your own organization and your third-party ICT providers and achieved DORA compliance! You’re on your way to a more resilient and secure future, not just for your organization, but as one of the cornerstones of a stronger and more secure financial services industry as a whole. Although DORA compliance seems daunting at first, it’s manageable, especially if you approach it with both practicality (e.g., help from a third-party cyber risk management platform) and a bit of humor.