Recommendations for Business Leaders to Follow DORA Compliance

DORA compliance becomes mandatory for European financial and insurance institutions in January 2025, and it also applies to their associated businesses and partners.
At the start of 2025, financial and insurance entities within Europe, along with their associates, must comply with the Digital Operational Resilience Act, known as DORA. This directive, originating from the European Union (EU), seeks to strengthen IT security and bolster digital resilience across the European financial sector. Like GDPR, this legislation is poised to have a significant impact on how organizations operate globally. The specified rollout date of January 17, 2025, imposes a strict deadline.
Is this achievable? Will organizations be adequately prepared? These questions were raised during a recent podcast featuring guest Romain Deslorieux, Strategic Partners Director, Global System Integrators at Thales. He suggested that meeting the compliance deadline could be a challenging task for any entity. Nevertheless, he highlighted the ongoing work of the European Supervisory Authority (ESA) in defining the requisite regulatory technical standards, which will give organizations precise and technical directives. He also noted that most financial bodies have begun exploring DORA, including the definition of a strategic roadmap, although it may now be imperative for them to accelerate these activities.
Organizations operating within the finance and insurance sectors are well-versed in navigating broad regulations, both local and global. However, DORA serves as a reminder of their need to stay agile, given the rapid pace at which end users adopt new technologies, which then spread into workplaces everywhere. The challenge is compounded by the relentless ingenuity and determination of malicious actors, who perpetually seek to exploit nascent technologies before adequate safeguards are in place.
One of the noteworthy aspects of DORA is its emphasis on managing the risks posed by third-party entities, which constitutes one of the act's primary pillars. Mark Hughes, Global Managing Partner, Cybersecurity Services at IBM Consulting, highlighted how incidents like the Colonial Pipeline breach vividly demonstrated how a single link within a supply chain can affect all other components. This is why DORA places significant emphasis on third-party risk management, not only in conducting risk evaluations, but also in monitoring those third parties continually.
Essentially, the essence of the DORA initiative lies in its dedication to resilience. The “R” in DORA signifies resilience, portraying a modernized endeavor to fortify a stronghold while facilitating the unhindered flow of critical data that underpins economic activities.
Expanding on the context of resilience concerning supply chains, Romain recommends drawing insights from cloud technology. He asserts that cloud systems and services are pivotal components of operational resilience, serving as central repositories of an organization’s data that must retain continuous availability. Nonetheless, they are also susceptible to challenges surrounding jurisdictional limitations dictating data storage, the origin of predominant cloud entities, and the preservation of sovereignty.
Time is of the essence for organizations to align their various functions in preparation. Hence, European-based financial institutions taking the lead in compliance readiness should conduct comprehensive evaluations of their existing digital infrastructure and processes to identify vulnerabilities and resilience gaps. They should strengthen cybersecurity measures, including encryption, firewalls, and regular security assessments, while formulating incident response strategies. Analogous requirements should apply to operational risk management and business continuity planning, both of which are instrumental in sustaining crucial operations during disruptions or cyber attacks.
The compressed timeline warrants strategic endeavors such as continual monitoring of DORA within a dynamic regulatory milieu, enhanced collaboration and information exchange, investments in technology and talent, and bolstered board oversight and governance.
Organizations situated beyond regions directly impacted by DORA (predominantly Europe, Iceland, and Norway) should also ascertain a comprehension of DORA directives and establish open lines of communication with their European counterparts. In addition to remaining informed, they might contemplate adopting other globally recognized cybersecurity and operational resilience standards and frameworks such as ISO 27001 for information security management and ISO 22301 for business continuity management.
It is highly probable that analogous sets of regulations will be enforced by other economic blocs worldwide, thereby posing challenges for firms in the financial sector or affiliated fields. This prospect is poised to give rise to economic clusters concurrently with opening fresh avenues of trade. Nonetheless, these transitions are best perceived as opportunities to refine an organization’s information security structures and reinforce partnerships with suppliers and authorities to uphold continual security and compliance.
About the author: Steve Prentice
