In today’s interconnected world, it is essential for businesses across different industries to prioritise maintaining a secure and resilient digital infrastructure. This is particularly important for highly regulated sectors that handle sensitive data and critical infrastructure. To improve cybersecurity and highlight its importance, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA).
DORA represents a significant change in the functioning of financial institutions. The act demands a more proactive approach towards cybersecurity and risk management. Financial institutions must now adhere to stricter requirements such as identifying and managing operational risks, maintaining robust cybersecurity controls, and ensuring the continuity of critical business operations.
Enacted on the 16th of January 2023, DORA applies to more than 22,000 financial entities and ICT service providers within the EU, along with supporting Information and Communication Technology (ICT) infrastructure from outside the EU. UK organisations that conduct business in the EU must quickly determine whether they are subject to DORA and become compliant by early 2025. It is crucial for those affected to fully comprehend the act’s requirements and implications to avoid falling foul of regulators.
Even organisations that are already well-acquainted with financial market resilience regulations will now have to pay extra attention to their operational resilience testing, ICT threat-led penetration testing, and the sharing of threat intelligence. Therefore, irrespective of the current level of digital and operational resilience maturity, those who are affected should consider DORA as a catalyst for coordinating their various security programmes.
The Five Pillars of DORA
To meet the enhanced resilience criteria set by DORA, UK companies operating in the EU must review their current security strategy thoroughly. They need to either bring their strategy up to compliance standards or develop a new approach, which, in either case, may require additional security investment. To help you gain a better understanding of the act, here are the five main pillars of DORA:
1. ICT Risk Management
Organisations must establish a robust framework for identifying, assessing, and neutralising potential cyber threats. This includes developing policies, well-defined procedures, and state-of-the-art tools to support internal teams. Organisations must regularly scan their digital landscape to identify vulnerabilities, map potential attack vectors, and design mitigation strategies to reduce their attack surface.
2. Incident Reporting
DORA mandates implementing a rapid incident response system that acts as an early warning mechanism for your digital assets, ensuring that you are promptly notified and that coordinated action is taken in the event of a breach or disruption. As per DORA guidelines, cyber incidents must be reported within four hours of classification or no later than 24 hours after discovery.
3. Digital Operational Resilience Testing
The act requires regular operational resilience testing. This involves simulating cyber-attacks and disruptions to identify vulnerabilities in your infrastructure. UK entities will be obligated to conduct recurring penetration tests, vulnerability assessments, and resilience scenario simulations on defined schedules. These simulations are designed to test systems to their limits and detect weaknesses before they become critical.
4. Third-Party Risk Management
DORA emphasises the importance of rigorous management of third-party risks, requiring thorough vetting and continuous monitoring of the cybersecurity practices of external providers. Financial entities remain responsible for the resilience of, and any breaches related to, outsourced IT services. UK companies engaging with third parties, such as cloud computing providers or external technology consultancies, must oversee them through strict service contracts, thorough risk assessments, and ongoing monitoring.
5. Threat Intelligence Sharing Arrangements
The act enables entities to establish arrangements to exchange cyber threat information and intelligence. The supervisory authority will provide relevant anonymised information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and act on the information shared by the authorities.
What Does This Mean for Businesses?
Enhanced cyber risk management: Businesses must prioritise the advancement of their cyber maturity and strengthen their cybersecurity risk management to withstand existing and emerging threats. This can be achieved by investing in new technologies, processes, and procedures, as well as staff training and the development of comprehensive risk management frameworks.
Rising demand for skilled professionals: DORA requires businesses to have appropriate levels of expertise in place to manage cybersecurity risks effectively. This will impact demand at all levels, from entry-level positions to senior management. Organisations should consider how they will attract, retain, and develop cybersecurity talent.
Greater emphasis on collaboration with regulators: Companies will need to invest in new technologies and processes to enable effective collaboration. A non-compliant business may face penalties, administrative or criminal charges, and limitations on its EU market participation and revenue generation.
Keeping up with DORA: Organisations may require assistance to keep up with the rapid pace of technological advancement and evolving threats. Engaging with an MSSP provides immediate access to expertise, technology and support to accelerate cyber maturity and ensure that systems, policies and processes are DORA compliant.
How can Adarma Assist You in Achieving DORA Compliance?
Navigating DORA’s nuances can be challenging due to the proliferation of cyber threats and complex regulatory requirements. Adarma offers tailored cybersecurity solutions to help businesses achieve DORA compliance. Our approach empowers organisations to reduce cyber risk through effective threat intelligence, exposure management, and detection and response capabilities. We provide threat intelligence, technological solutions, and strategic consultations tailored to the financial industry’s needs. Our expertise ensures a balanced approach between security and operational efficiency, protecting critical infrastructure and sensitive data.
Explore our assessment services to evaluate your cyber maturity and readiness for DORA compliance:
• Cyber Maturity Assessment
• SOC (Security Operations Center) Maturity Assessment
• SIEM (Security Information and Event Management) Maturity Assessment
• Crisis Simulation Assessment
Partner with Adarma to navigate towards digital resilience and prepare for tomorrow’s challenges.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.