Dora: the regulatory response to the technological context

The new resilience of the financial sector


The European Commission, aware of new challenges, has proposed the "Digital Operational Resilience Act" (DORA), a new legislative framework dedicated to the financial sector aimed at greater digital operational resilience.

DORA will take effect starting in January 2025, and is currently one of the main pillars of the new European innovation strategy for the financial landscape to accompany financial institutions towards digitalisation.


Digital transformation has brought significant changes and benefits in terms of efficiency and innovation in the delivery of services in the market.

Financial institutions have found benefits in information and communication technologies (ICT), but at the same time, they are exposed to unique new IT risks.

The European Commission, aware of the new challenges, approved the "Digital Operational Resilience Act" (DORA) regulation in January 2023, a new legislative framework dedicated to the financial sector with the primary objective of improving its digital operational resilience.

The DORA regulation will take effect starting in January 2025, and is currently one of the main pillars of the new European innovation strategy for the financial landscape, intended to accompany financial institutions towards digitalisation. It represents an important paradigm shift compared to previous models, designed to strengthen ICT security requirements and standards.

The objectives for financial institutions

The key requirements are mainly divided into the following five areas:

  1. ICT risk management
    • Identify the landscape of ICT risks by preparing a complete framework for their management.
    • Implement a well-structured and internationally recognised information security management system.
  2. Classification and reporting of ICT incidents
    • Improve the management and classification processes for ICT incidents, further developing monitoring, management and follow-up capabilities.
    • Report the more serious incidents to the competent authority, in line with what is defined in the regulation.
  3. Third-party ICT risk management
    • Consider third-party ICT risk as an integral component of the organisation's overall ICT risk management framework.
    • Adopt, review and regularly monitor the third-party ICT risk strategy.
    • Maintain a register of information outlining all contractual arrangements with third-party ICT service providers, including all specific contractual provisions.
  4. Digital operational resilience testing
    • Implement a risk-based digital operational resilience testing programme, requiring all systems deemed critical by the organisation to undergo appropriate tests on an annual basis, such as vulnerability assessments and scans, open-source analysis, and network security assessments.
    • Some financial entities are required to perform advanced threat-led penetration testing (TLPT) every three years.
  5. Sharing information between financial entities
    • Share IT threat information and intelligence with each other to improve the digital operational resilience of financial entities.

DORA assessment framework

Exprivia, as a provider of ICT services, thanks to its expertise in the CyberSecurity field, has already begun specific consultancy activities to support financial institutions on their path to compliance with the DORA regulation, and covers all areas of the regulation with specific initiatives.


Figure 1: Exprivia's Program Management is structured to coordinate and follow the areas outlined by the DORA regulation, which will take effect in January 2025.

Exprivia's CyberSecurity team will coordinate all DORA initiatives, supporting financial institutions through three main phases:

  1. A CyberSecurity Assessment service, which, using a dedicated tool, makes it possible to carry out a rapid analysis of compliance with the DORA regulation and to identify any gaps that need to be filled with respect to the areas of the regulation.
  2. A Gap Analysis service, which, based on the Assessment carried out in the first phase, identifies in depth the vulnerabilities and risks present within the organisation. A thorough study is conducted during this phase, and the organisation is provided with a complete report containing the recommendations and best practices needed to close the gaps identified.
  3. A Remediation service, which supports financial institutions in closing the gaps identified in the previous phases with specific CyberSecurity technologies and services.