To learn more about the regulation’s details, you can refer to this article: What does DORA mean for Resilience of financial organisations?

The key deadline of January 17, 2025, marks the theoretical compliance date for financial entities. It also signals the beginning of supervisory operations by regulatory authorities.

In this context, Damien LACHIVER and Etienne BOUET, Senior Managers at Wavestone and experts in DORA compliance, with extensive experience supporting CAC40 entities, share their insights into the practical challenges and opportunities brought by this regulation, as well as the regulators’ expectations and essential actions for effective preparation.

How does DORA go beyond mere regulatory compliance?

E.BOUET: DORA should not be seen merely as a compliance exercise. Yes, there are regulatory requirements to meet, but the real challenge lies in building resilience. The question to ask is: how can compliance with DORA effectively enhance operational resilience? This connection is not always straightforward. For instance, gap analyses or cybersecurity audits often reveal vulnerabilities, and compliance alone is insufficient if it doesn’t come with genuine improvements in resilience.

D.LACHIVER: Many entities are still focused on compliance since DORA addresses areas already well established, such as cybersecurity, business continuity, and IT risk management. Large organizations, in particular, already benefit from high compliance levels due to decades of experience.

However, beyond this compliance phase, it is crucial to shift towards remediation and anticipation, implementing initiatives that will not be fundamentally different from the historical programs already initiated. The real focus should be on identifying new scenarios or solutions that can strengthen resilience.

What are the critical scenarios to consider for improving resilience?

D.LACHIVER: Two major scenarios require significant attention and investment:

• Total loss of internal IT systems: how can information systems be restored and fully rebuilt after a large scale cyberattack?
• The sudden loss of a critical third party: what happens if I lose a partner or service provider whose operational disruption has a significant structural impact on my business?

E.BOUET: The growing dependence on third parties has noy yet been fully recognized as a major risk. The associated scenarios are not sufficiently integrated into strategic priorities, leading to a lack of investment in preparedness.

Will financial entities be ready by January 17, 2025?

E.BOUET: It is unlikely that all companies will be fully ready by January. The market as a whole faces delays, although significant progress has been made. For instance, most of the normative documents required for compliance have been finalized, and priorities have been aligned with risk management needs.

D.LACHIVER: Indeed, January 17, 2025, will mark more of a milestone than a conclusion. Most operational projects, such as third-party management, remain to be addressed and will require ongoing effort.

What are the main challenges in implementing DORA?

E.BOUET: Initially, the main challenge was mobilizing a wide range of stakeholders: cybersecurity, risk management, procurement, legal, business, IT… While the topics addressed by DORA were already familiar to these teams, the regulation raises expectations and introduces additional requirements to roles thar are already well-defined.

D.LACHIVER: Historically, these areas have often been handled in a fragmented, siloed manner. However, DORA demands significant and measurable progress in resilience, which requires a more coherent and integrated approach. Today, two key priorities stand out:

• Third-party management, which represents a massive challenge.
• Threat-Led Penetration Testing (TLPT), an ambitious but complex novelty.

Why is third-party management such a significant challenge?

E.BOUET: Third-party management (TPRM) is one of the key challenges posed by DORA. Third parties are everywhere, but they are often poorly managed. It’s not always clear whether they are critical or not, and relationships often lack proper structure. Managing reliance on critical third parties is common sense, but it goes far beyond contractualization: organizations need to identify their third parties, assess their criticality, and manage this dependency operationally, a challenge for many.

D.LACHIVER: Historically, this has been a neglected area, often handled in silos by procurement, cybersecurity, business continuity, and other functions. There is a lack of a comprehensive view of third-party risks. DORA’s aims is precisely to move beyond this fragmented approach and build a cohesive end-to-end management framework throughout the contract lifecycle.

What does “testing exit strategies” with critical third parties mean?

D.LACHIVER: Testing exit strategies means anticipating how an organization would respond if a third party’s services were interrupted, whether voluntarily or involuntarily. For example, in the case of a cyberattack on a service provider, it may be necessary to sever the relationship to protect the organization’s own information systems.

E.BOUET: Tabletop exercises help assess reliance on third parties and theoretically simulate the procedures to follow in different scenarios. They also encourage organizations to rethink their relationships with certain providers, particularly those unable to align with DORA’s requirements.

What makes TLPT (Threat-Led Penetration Testing) a specific challenge?

D.LACHIVER: TLPT is one of the key innovations introduced by DORA. It involves threat-led penetration tests guided by the DORA regulation, the theoretical TIBER framework and adapted by national authorities. While the theoretical framework is well-defined, practical implementation remains challenging, as these tests are not yet common in the financial sector. Their limited frequency (one test every three years) and the regulator’s resources reduce the immediate urgency, but they are crucial for strengthening resilience.

E.BOUET: These tests still raise many questions, as they require a new approach for some players, especially those less experienced with this type of exercise. Currently, we are in a waiting phase, with a few dry-run initiatives underway. The actual implementation will depend on the regulator’s planning and the lessons learned from the first fully executed TLPTs in the coming months.

How can DORA transform IT risk governance?

D.LACHIVER: DORA promotes a unified approach to IT risk management by breaking down silos between various functions, such as cybersecurity, business continuity, and procurement. This involves:

• Harmonizing key terminologies and concepts (for example, ensuring that the concept of criticality is understood consistently across all functions) to streamline and improve interactions with business units.
• Implementing structural changes (such as adopting a CSO model – Chief Security Officer) to establish unified governance across functions, enabling more effective and coherent decision-making.

What are the concrete requirements to comply with DORA by January 17, 2025, and beyond?

E.BOUET: The first major expectation for January 17 is the ability to identify a major incident according to DORA’s criteria and notify the regulator. This requires well-defined operational processes to ensure rapid detection and reporting. This requirement is justified, given the history of IT and security teams in a sector accustomed to managing critical incidents.

D.LACHIVER: Then, by April 30, 2025, financial entities will need to produce a register of information on their third parties. I believe organizations will be able to provide such a register by this date. However, additional work will likely be needed to improve its quality and completeness.

E.BOUET: Finally, throughout 2025, what matters is demonstrating that entities are making progress. Regulators expect projects to be initiated, identified gaps to be gradually addressed, and tangible advancements to be made. The key is to have a clear and structured roadmap to meet DORA’s expectations.

What are the long-term benefits expected from DORA?

D.LACHIVER: DORA has the potential to create a virtuous cycle by strengthening risk management, business alignment, and operational resilience within the sector. It encourages entities to go beyond compliance and integrate these priorities into their overall strategy.

E.BOUET: One key aspect is the reaffirmed responsibility of executive leadership. Their involvement, particularly through regular risk validation, enhances overall awareness and drives the investments necessary to improve resilience.

D.LACHIVER: This connection between operational teams and leadership aligns strategic and operational priorities, fostering a culture of continuous improvement. It also empowers IT risk teams and supports the transformation of organizations toward greater digital resilience.

For any support in achieving DORA compliance, you can contact:

• damien.lachiver@wavestone.com
• etienne.bouet@wavestone.com

Cet article DORA – The Challenges of Digital Resilience in the Financial Sector by 2025 est apparu en premier sur RiskInsight.

A denser and more complex cybersecurity regulatory landscape

The first attempts to regulate personal data protection and cybersecurity remained partial until the early 2000s, being driven mainly by the United States and the European Union.  Initially, they focused on the protection of personal data, in France with the Loi Informatique et Libertés (1978) and in the United States with sector-specific regulations: the Privacy Act (1974) for the public sector, the Health Insurance Portability and Accountability Act for the healthcare sector (1996) and the Gramm-Leach-Bliley Act (1999) for the financial sector.

The first cybersecurity regulations were introduced in the financial sector in the early 2000s, with the aim of improving the security of the services provided. Notable regulations include the Sarbanes-Oxley Act (2002), in the USA, reinforcing corporate transparency in terms of internal control, and the Payment Services Directive (2007) in the European Union, regulating the security of online payments and transactions.

Since the early 2010s, more structuring regulations have emerged to form an initial cyber regulatory base in the same regions. These regulations are mainly focused on critical infrastructure protection, with France’s Loi de Programmation Militaire de 2013-2018 (2013), the USA’s National Cyber Security and Critical Infrastructure Protection Act (2014), but also the Network and Information Security 1 Directive (2016) enacted by the European Union.

It wasn’t until the late 2010s that the desire to regulate the cyber space became more global. As many countries followed in the footsteps of the United States and the European Union, stricter cyber regulations began to emerge, with far-reaching impacts on information systems. This can be seen in the arrival of major personal data protection regulations around the world: the General Data Protection Regulation (GDPR, 2018) in Europe, the California Consumer Privacy Act (CCPA, 2020) in California, the Personal Data Protection Law (PDPL, 2020) in Brazil, the Personal Information Protection Law (PIPL, 2021) in China, or the Personal Data Law (2022) in Russia.

Other regulations aimed at protecting information systems are multiplying, with the Cybersecurity Law in China (2017), the NYCRR 500 Cybersecurity Regulations for the State of New York (2017), or the new iteration of the NIS Directive (2023) and DORA in Europe.

Evolution of cybersecurity regulatory landscape[2]

Added to this complex cybersecurity regulatory landscape is a vast ecosystem of cybersecurity requirements and standards, with different levels of constraint: regulatory requirements stemming from cyber or other regulations, mandatory requirements, recommendations or even requirements with contractual value. In this context, it is essential to identify all applicable requirements and the level of constraint they impose.

Types of cybersecurity requirements and standards, beyond cyber regulations

A cybersecurity regulatory compliance strategy adapted to the new paradigm

With the global cybersecurity regulatory landscape becoming increasingly complex, compliance cannot be thought of solely as total compliance with all applicable regulatory requirements. Faced with detailed, costly and sometimes contradictory requirements, it is becoming necessary to implement risk-based cyber compliance strategies. The definition of these strategies will be based on a study of the existing level of regulatory compliance, an assessment of the effort and complexity of the measures required to comply with each regulation, and a consideration of the risks associated with potential non-compliance, both in terms of sanctions and IS protection. This analysis, far from seeking to escape the law, aims to identify the benefit/risk of activities, and may lead to redirecting activities, limiting their scope, or acting in concert with the ecosystem to evolve requirements.

To implement such a strategy, it is first essential to identify all applicable regulations, and to set up a regulatory watch to keep alongside regulatory developments and related news. A two-tiered organisation must then be set up to manage cyber regulatory compliance.

A first level of overall management aimed at providing a high-level overview: a global analysis of the level of cyber compliance must be carried out. This can be based on a recognised cybersecurity standard such as NIST or ISO 27001 for security requirements. For requirements relating to the protection of personal data, GDPR is a good foundation, since most international regulations on this topic are derived from it. The NIST privacy and ISO privacy standards are also solid references in this field. These benchmarks can be mapped onto the main applicable regulations, and advantage can be taken of existing synergies between regulations, as illustrated by the two examples below.

To complete this analysis, an audit plan should be drawn up to assess compliance with key local regulations in greater detail.

A second level of “local” management, on a geographical or business line scale, aimed at ensuring local regulatory compliance in each of the regions where the Group is present. This requires first of all the implementation of a local watch to identify and know precisely the regulations and associated news. This is followed by a detailed analysis of the level of compliance with local regulations, the identification of specifics needed to ensure the right level of compliance, and the feedback of these elements to the Group to ensure the overall management of compliance actions.

Protection regulations call into question the need to separate information systems

Complying with a multitude of cybersecurity regulations is becoming a real challenge for companies with an international presence and centralised information systems. This is due to the stacking up of these regulations, sometimes with incompatible or contradictory provisions, but also to the emergence of requirements with far-reaching impacts on information systems.

This is the case, for example, with China’s PIPL regulations, and in particular Article 40, which stipulates that the transfer of data outside China will only be authorized if processing complies with the security assessment established by the Chinese authorities. This regulation will apply above a certain volume of personal data (not yet specified by the Chinese authorities).

Incompatibilities between regulations have also arisen between the United States and the European Union. This is illustrated by the invalidation of the U.S. Privacy Shield[3] by the European Court of Justice, its Schrems rulings calling into question the ability of U.S. Cloud hosts to process the personal data of their European customers in line with European requirements.

Against this backdrop of heightened cybersecurity and personal data protection requirements, emphasised by the protection intentions of certain countries, it may become necessary to study the need to separate globalised and centralised information systems by considering separation into several geographical zones, which could be:

• A zone comprising the USA and the UK
• A second zone centered on China
• A third zone made up of the European Union and GDPR-relevant[4]

Depending on their regulatory reality and potential developments, other countries or regions could be attached to one or other of these three zones.

In the future, the information systems of these different zones could rely more heavily on the sovereign clouds that are currently being developed.

Constraints that can even lead to the closure of a region’s operations

We’re even seeing a number of companies halting or postponing the launch of activities in certain countries where the regulatory constraints and associated risks of sanctions are too great in relation to the business challenges and strategy of the company. This is particularly the case in certain US states, and in Europe, where some major players are putting the brakes on their development because of the RGPD (e.g. Google’s open AI/ Bard, or Meta’s launch of Thread).

What’s next for 2023 and beyond?

The complex regulatory landscape will continue to expand in the months and years ahead. Both in new areas (AI, product security) and in existing areas, such as critical infrastructure.

On the “critical infrastructure” front, after the first phases of regulations focused on personal data protection, the authorities have been looking at critical infrastructure protection, which continues with the NIS2 directive in particular. Adopted on November 10, 2022 and soon to be implemented into French law, it aims to reduce disparities between member states, strengthen cybersecurity in a context of increasing digitalisation, and establish security measures to improve the level of security of critical infrastructures within EU member states.

A new phase is now taking shape, during which regulations will focus on the safety of digital products, with in particular:

• The AI Act, a European regulation aimed at defining a common frame of reference for the development and use of Artificial Intelligence (AI). Against a backdrop of lightning acceleration in the uses of AI, new regulations are also set to emerge around the world, and particularly in China, where measures have already been taken and led to the closure of 55 applications and 4,200 sites between January and March 2023[5].
• The Cyber Resilience Act (C.R.A), another European regulation, which aims to strengthen the security of digital products by imposing measures to be respected by manufacturers right from the product design stage. Not to mention the recent announcement by the White House of the “Cyber trust mark” initiative, which targets the same objective but with a different approach[6].

The regulatory stakes are not about to diminish, and cyber teams need to be prepared. At the very least, it will be necessary to strengthen links with the business lines concerned, as well as with legal teams. The most mature companies in this field have set up legal departments within their cyber teams, to exchange information with the various legal departments. This may not necessarily be necessary, depending on the organization of each structure, but it can also be a guarantee of strong mobilization.

In all cases, the challenge for companies will be to transform these often mandatory regulatory requirements into a competitive advantage for their business, not by punitive, minimal compliance, but rather by taking ownership of the subject and transforming these practices in a way that can be leveraged externally.

[1] https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/

[2] Non-exhaustive list of cybersecurity regulations

[3] https://www.cnil.fr/fr/invalidation-du-privacy-shield-les-suites-de-larret-de-la-cjue

[4] Countries complying with the level of protection required by the EU https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde

[5] https://www.01net.com/actualites/comment-les-lois-chinoises-tres-strictes-risquent-de-nuire-a-lia-made-in-china.html  

[6] https://arstechnica.com/information-technology/2023/07/the-cyber-trust-mark-is-a-voluntary-iot-label-coming-in-2024-what-does-it-mean/

Cet article Cyber regulatory landscape: challenges and prospects est apparu en premier sur RiskInsight.

To sum up, the Operational Resilience Maturity Assessment Framework is a tool that measures the level of operational resilience of an organization.

What is Operational Resilience?

We believe that Operational Resilience (OpRes) is a young but increasingly unavoidable issue for our clients, especially for those in the financial sector. The United Kingdom has been a pioneer in this field, with an Operational Resilience Framework coming into force in March 2022, imposed by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Similarly, the European Union is set to follow suit, with its Digital Operational Resilience Act (DORA). The underlying principle for both legal frameworks is the acknowledgement that many events, both internal and external, can disrupt the activities of banks and other organizations.

Operational resilience therefore involves different sources of threats: from third parties (partners, suppliers, or service providers), pandemics, power failures, fire, to name but a few. From an organisational point of view, resilience is very often a program driven by the Head of Operational Resilience, the IT department or the risk division, and less often by a CISO.

Why did you create this tool? What problem does it solve for clients?

Under pressure from regulators, our clients have launched programs to increase their level of resilience, and therefore have had to measure their maturity level, both before and after these programs. Compliance is a good starting point, but it doesn’t go far enough! The idea of our Operational Resilience Maturity Assessment Framework is to provide a tool that encompasses both these new guidelines, and the best practices observed in the field. The tool is useful because it:

• Measures the maturity of an organization, in terms of the methodologies and processes in place to address Operational Resilience.
• Reports on the actual resilience capabilities at a given moment by analysing the tools and capabilities in place.
• Facilitates the formalisation of a risk reduction plan and the management of resilience by highlighting the main areas that require more investment.
• Integrates all Wavestone’s field experience in resilience from all our offices! Especially in the UK, where Operational Resilience is more advanced than the European Union countries, we have been working on resilience projects for over 3 years.

It assesses the organisation’s processes and operational implementation with a form consisting of ninety questions spanning twelve major topics. For each question, a resilience score between 0 and 5 is assigned, and a list of evidence is provided to support this score.

Customers are always keen to benchmark, and this has been incorporated into the assessment. Everything has been thought out to standardise the evaluations and thus allow clients to position themselves in the market; it’s a real value-add!

As the regulatory landscape matures, we’ve identified a need to maintain a global view; firms must implement Horizon Scanning functions to stay ahead of regulators and the competition. Therefore, working in conjunction with our maturity assessment tool, we have an Operational Resilience Regulatory Radar which maps regulations across the globe according to the same themes. It is a live document, updated every quarter that provides a holistic view of OpRes regulation and allows the user to compare by both geography and topic.

Can you tell us about the last time you used it?

The trigger for the creation of the Operational Resilience Maturity Assessment was a UK project supporting a major bank. Initially, we provided a 360° analysis of their resilience during which we developed our first assessment framework. With it, we were able to establish four maturity levels of resilience: 1) “Insufficient”, 2) “Compliant”, 3) “Good Level” and 4) “Leader”. We were then able to position them on these 4 levels and provide relevant advice and feedback accordingly.

Recently, we received a second assignment from another banking company, providing an opportunity to modify the assessment and make it more precise and extensive. We also modified our list of proofs that are used to position an organization against the correct maturity level, and added a 5th level of maturity, “The Pioneer”.

Currently, we use this framework in the financial sector, which has a high level of maturity given the regulatory constraints and the sensitivity of the data it processes. For clients in other sectors, we would adapt the levels to align with the overall maturity of the market.

Any final thoughts?

We think we can go even further in assessing resilience in a few years. The more feedback we get from the field, the more precise we will be on the required conditions to reach a level. For example, a player will be considered mature if it has the capacity to rebuild its AD in 3 hours. Just like on the CyberBenchmark. The next step would therefore be to define quantitative and/or qualitative indicators… And the only way to do this is to continue to confront the framework with reality!

Although everything can be improved, we are still very proud of this tool which was built in collaboration with our customers and experts, and has already proved its worth.

Cet article [INTERVIEW] Operational resilience, how to recover after an attack! est apparu en premier sur RiskInsight.

The European Union published the Digital Operational Resilience Act, or “DORA”, on December 27^th, 2022, and it entered into force on January 16^th, 2023. It sets new rules for financial entities and their ICT third-party service providers in terms of ICT resilience. Compliance to the text will be mandatory starting January 17^th, 2025.

The Digital Operational Resilience Act aims at simplifying and improving the resilience of financial service organisations by establishing a robust regulatory framework and oversight body. As previously shared in details, in our article Decrypting DORA: what does it mean for resilience of financial organisations?, it introduces requirements across five pillars: 

• ICT risk management
• ICT-related incident management, classification and reporting​
• Digital Operational resilience testing
• Managing of ICT third-party risk​
• Information and intelligence sharing (optional)

Main DORA topics and articles applying to financial entities
(article references between brackets)​

When analysing the content of the regulation and while taking into account the current maturity of the financial sector, the complexity largely differs depending on the topic addressed. As ICT frameworks are already a best practice widely adopted within the financial services sector, the effort will mainly focus on bringing more consistency across the organization. Similarly, ICT-related incident management has already integrated within its processes and tools numerous regulatory constraints in terms of classification and notification. Consequently, integrating the DORA requirements should not present major difficulties.

Nevertheless, meeting the requirements to be compliant will still have its challenges… And opportunities!

An ambitious regulation that puts the finger on known fragilities

The first challenge for many organisations will be to onboard the top management in the initiative. As DORA appoints them as accountable for monitoring, approving, reviewing, and setting the direction in terms of operational resilience, their involvement is key to the success of a potential program. Early onboarding will allow to gain precious time in identifying and validating critical functions in the scope, prioritizing the main threat scenarios, and set the pace on the topic. However, this will imply for the teams to carefully think about the proper and comprehensible KPIs and KRIs to report on the operational resilience level of the organization. As much as possible, give them quickly an overview of the regulation content and their expected role in this context!

The second challenge will be to raise the bar in terms of third-party risk management. Large organisations often have hundreds, if not thousands of third-party providers implying a fastidious sorting to focus on the most critical. Third-party operational resilience risk management mainly relies today on integrating steps within the purchasing processes and, in the end, including specific clauses within the contracts. DORA asks for more with responsibility falling on financial services to make sure third-party compliance to these requirements are met. It also requires working on potential exit strategies and joint testing where relevant. This step up may define a shift in how business is done with suppliers in the future and should be anticipated by the concerned third parties to be able to provide proofs of their operational resilience risk management.

Finally, testing is a crucial point and a challenge within DORA. Organisations will need to structure and regularly test their resilience to continually assess risks and the suitability of their resilience strategies. It requires to gain a strategic vision on the topic, which rarely pre-exists as the tests are often managed in silos (vulnerability tests, penetration tests, business continuity tests…). In this context, they will also need to ensure the proper coverage of their critical functions over the years within the testing approach. Organizations are also expected to conduct threat-led penetration tests in live production every three years at least and potentially including ICT third-party providers.

Overcoming these challenges will not be an easy journey. It is key to start working on these topics quickly as they will ask for true changes for the concerned organizations. Obviously, a detailed gap analysis with the regulation requirements is a good starting point.

Resilience first, compliance second?

Clearly, a regulation such as DORA brings along opportunities for those who will try to see beyond the compliance constraints.

First, the regulation introduces a holistic approach to ICT risk management that could bring more consistency across the organizations. It could constitute a first step in putting together a unified framework, allowing a better assessment of the organization’s ICT risks and simplifying overall reporting to the top management. It could also initiate the idea of a converged governance on ICT risk management gathering cybersecurity, business continuity and IT service continuity. 

Second and foremost, it is a unique opportunity to work on your real resilience level by asking yourself complex questions. If you were to face a no-IT situation tomorrow, would your organization survive? Would your existing capabilities fully cover the needs that such situation asks for? And are you confident that your resilience solution would work on D-day?

Cet article <strong><u>DORA: challenges and opportunities</u></strong> est apparu en premier sur RiskInsight.

Why Digital Operational Resilience Act (DORA)?

DORA is part of an EU-wide “Digital Finance Package”, aimed at making sure the financial sector can leverage opportunities brought by technology and innovation whilst mitigating the new risks associated. This package involves regulation on crypto assets, blockchain technology, and digital operational resilience.  

With the Digital Operational Resilience Act, the EU aims to make sure financial organisations mitigate the risks arising from increasing reliance on ICT systems and third parties for critical operations. Organisations need to be able to “withstand, respond and recover” from the impacts of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system. This means establishing robust measures and controls on systems, tools and third parties, having the right continuity plans in place, and testing their effectiveness.  

This global, large scope regulation is coming in to rationalise an increasingly fragmented regulatory landscape on the topic, with a number of local regulatory initiatives in member states and smaller scope EU guidelines on related topics (e.g. testing requirements, management of ICT third party dependencies, cyber resilience). Setting up a global regulatory framework will ensure there are no overlaps or gaps in regulation and maintain good conditions for competition in the single market.  

DORA also fits into a worldwide trend in regulation on resilience for the financial sector, pioneered by the Bank of England’s (FCA and PRA) consultation papers on operational resilience and impact tolerances, and followed by principle-based papers on operational resilience from the Bank of International Settlements (BIS) and the Federal Reserve.  

DORA in a nutshell: what does it change?

Contrary to the FCA/PRA, the Federal Reserve and the BIS, DORA focuses on solely resilience to ICT-related incidents and introduces very specific and prescriptive requirements. It is not just a set of guidelines but rather criteria, templates and instructions that will shape how financial organisations manage ICT risk. It demonstrates that EU regulators want to be very hands-on on the topic, with a lot of reporting, communication and assessments that need to happen frequently, enabled by standardised MI and reporting.  

DORA introduces requirements across five pillars:  

• ICT risk management 
• ICT incident reporting 
• Digital Operational resilience testing 
• ICT third-party risk management  
• Information and intelligence sharing 

Some of the requirements are straight-forward and largely built on what is already being done in organisations (for example, the risk management framework that needs to be developed is similar to industry standards like NIST); but some are also challenging and will mean organisations need to launch some work to be compliant. We have summarised the requirements and these key challenges to start addressing now for each of the 5 pillars.  

1. ICT risk management

Why? Ensure specific measures and controls are in place to limit the disruption to the market and to consumers caused by incidents, and ensure accountability of the management body on ICT risk management.   

Key requirements: Firms will need to follow governance principles around ICT risk, with a focus on accountability of the management body. They will need to identify their risk tolerance for ICT risk, based on the risk appetite of the organisation and the impact tolerance of ICT disruptions. They will also need to have a risk management framework in place that includes identification of critical and important functions, risks associated and a mapping of the ICT assets that underpin them; as well as specific protection, prevention, detection, response and recovery plans and capabilities, continuous improvement processes and metrics, and a crisis communication strategy with clear roles and responsibilities.  

Biggest challenge: As part of the continuous improvement processes, DORA introduces compulsory training on digital operational resilience for the management body but also for the whole staff, as part of their general training package.  

2. ICT incident reporting

Why? Harmonise and centralise reporting of incidents to enable the regulator to react fast to avoid spreading of the impact, and to promote collective improvement and firms’ knowledge of current threats to the market. 

Key requirements: DORA introduces a standard incident classification methodology with a set of specific criteria (number of users affected, duration, geographical spread, data loss, severity of impact on ICT systems, criticality of services affected, economic impact) with thresholds that are yet to be published. Following this methodology, incidents classified as major will have to be reported to the regulator within the same business day, following a certain template. Follow-up reporting will also be required after a week, and after a month. These reports will all be anonymised, compiled, and released regularly to the whole community.  

Biggest challenge: Firms will need to change their incident classification methodology to fit with the requirements. They will also need to set up the right processes and channels to be able to notify the regulator fast in case a major incident occurs. Based on what gets classified as “major”, this might happen frequently. To help organisations prepare, we anticipate that the incident classification methodology will align with the ENISA Reference Incident Classification Taxonomy.  

3. Digital Operational Resilience testing

Why? Ensure that financial entities test the efficiency of the risk management framework and measures in place to respond to and recover from a wide range of ICT incident scenarios, with minimal disruption to critical and important functions, in a way that is proportionate to their size and criticality for the market. 

Key requirements: With DORA, all firms must put in place a comprehensive testing programme, including a range of assessments, tests, methodologies, practices and tools, with a focus on technical testing. The most critical firms will also have to organise a large-scale threat-led live penetration test every 3 years (red team type exercise), performed by independent testers, covering critical functions and services and involving EU-based ICT third parties. The scenario will have to be agreed by the regulator in advance and firms will receive a compliance certificate upon completion of the test. More guidance for these tests, as well as the criteria which defines a critical firm, will be published in 2021. 

Biggest challenge: It is likely that critical firms will need to organise this threat-led penetration test by the end of 2024 and this type of test requires a lot of preparation. The fact that it needs to involve critical ICT third parties will also mean they need to be involved in the preparation. Firms that believe they will be in scope (might be firms already in the scope of NIS regulation) should start thinking about the scenario as soon as possible to enable validation with the regulator at least 2 years before the deadline.  

4. ICT third party risk management

Why? Ensure that financial organisations have an appropriate level of controls and monitoring of their ICT third parties, especially the ones that underpin critical functions; and set up specific oversight on providers that are critical to the market as a whole.  

Key requirements: With this regulation, the EU introduces requirements on both financial organisations and critical ICT providers.  

• Financial organisations will need to have a defined multi-vendor ICT third-party risk strategy and policy owned by a member of the management body. They will need to compile a standard register of information that contains the full view of all their ICT third-party providers, the services they provide and the functions they underpin; and report on changes to this register to the regulator once a year. They will need to assess ICT service providers according to certain criteria before entering a contract (e.g. security level, concentration risk, sub-outsourcing risks), and they will need to plan for an exit strategy in case of failure of a provider. DORA also contains guidelines for contract contents and reasons for termination of contract, which has to be linked to a risk or evidence of non-compliance at the provider level.  
• Under a new Oversight Framework, critical providers will be the subject of annual assessments against resilience requirements such as availability, continuity, data integrity, physical security, risk management processes, governance, reporting, portability, testing… These assessments will be performed directly by the regulator and will result in penalties for non-compliance.  

Biggest challenge: Collating information on all ICT vendors (not only the most critical), with the services provided and functions they underpin for the register of information will be a very big task for large financial organisations that typically rely on thousands of big and small providers and legacy contract management systems that make it difficult to mine data from.  

5. Information and intelligence sharing

Why? Promote sharing of information and intelligence on cyber threats between financial organisations to enable them to be better prepared.  

Key requirements: DORA introduces guidelines on setting up information sharing arrangements between firms for cyber threats, including confidentiality requirements and the need to notify the regulator.  

Biggest challenge: We do not see any particular challenge in this space as many organisations already have such agreements in place. It will be an opportunity to make local initiatives, networks or associations visible and encourage more companies to become part of them.  

What happens next?

DORA is currently going through the EU legislative process and it is expected to take 6-12 months before it becomes law. A few questionable topics might lead to some debates and slow down the process, especially on third-party management: restrictive criteria for organisations to terminate contracts, banned non-EU based critical third parties, penalty system and financing of the Oversight framework by the critical providers. There are also details that still need to be published to clarify some of the requirements (e.g. templates, criticality criteria and thresholds…), which might also create some debates.  

Once DORA is passed, firms should have one year to get into compliance with most of the requirements (i.e. probably by the end of 2022 – but this one-year deadline is short and we anticipate it may shift to 18 months following market feedback) and 3 years to organise a large-scale penetration test if required (i.e. probably by the end of 2024).  

In order to be ready, we recommend organisations take the following steps in 2021:  

• Perform a maturity assessment against the DORA requirements, with associated gap analysis and mitigation plan to reach compliance by the end of 2022 
• Begin thinking about a scenario for the large-scale penetration test, aiming to get it validated by the regulator by mid-2022 
• Start work on consolidation of the register of information for all ICT third party providers 

Cet article Decrypting DORA: what does it mean for Resilience of financial organisations? est apparu en premier sur RiskInsight.