What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a European Union regulation aimed at improving and standardizing digital operational resilience in the financial industry. DORA is founded on the simple idea that financial firms must be prepared to withstand, respond to, and recover from threats to their information and communication technology (ICT).

The modern digital landscape is fraught with sophisticated and frequent threats to critical assets, and financial institutions must prioritize their cyber resilience.


What is DORA Compliance?

DORA encourages organizations to create flexible operational resilience capabilities within a regulatory framework provided by the legislation, including:

Developing strong risk management practices
Conducting internal audits and self-assessments
Implementing controls to minimize ICT risks

DORA is notable in that it aims to promote strong governance while allowing each company to adapt the requirements to its own context. In light of DORA, businesses in the financial industry must be ready to respond effectively to various forms of digital disruption, from system failures to cyberattacks, all while maintaining their business operations.

Why is DORA Needed?

The financial sector operates in a highly interconnected digital environment.

This accelerating reliance upon ICT and third-party service providers for mission-critical systems and infrastructure has increased the digital attack surface, and thus financial organizations have far greater exposure to cybersecurity threats. Cyber attacks that compromise or disrupt systems, alter or exfiltrate sensitive data, and destroy institutional reputations threaten the stability of the entire financial system.

Taking the DORA compliance requirements into account, it is important for organizations operating in the financial sphere to strengthen their IT risk management and operational resilience capabilities. An effective approach addresses all aspects of ICT-related risk rather than treating cybersecurity in isolation.

By implementing DORA’s requirements, financial institutions take strides toward protecting themselves against cyber threats, maintaining business continuity, and strengthening trust with their customers.

What Does DORA Cover?

DORA's primary focus is operational resilience: ensuring continued operations in a potentially hostile digital environment. To respond swiftly to ICT threats, businesses operating in the financial services sector must organize their resilience plans around these six core principles:

Risk Management: Establishment of an ICT risk management framework, including comprehensive internal governance, self-assessments, and controls to identify and minimize risk.
Information and Intelligence Sharing: Financial entities are encouraged to have processes in place to share cyber threat information and intelligence with their peers in the financial community, in addition to their mandatory reporting of major ICT-related incidents to competent authorities.
Third-Party Risk Management: DORA requires that organizations implement security measures that cover the supply chain.
Business Continuity Planning: Financial services must have a thorough and well-tested continuity plan in place to maintain operations through security incidents.
Incident Response and Crisis Management: A key component of digital resilience, DORA mandates the presence of a well-developed incident response plan to detect, classify, manage, and report ICT-related incidents.
Continuous Testing and Monitoring: DORA requires organizations to conduct regular testing and monitoring of systems for anomalous activities to ensure they are resilient against cyber threats.

The Primary Requirements of DORA

The following elements represent the core requirements that financial institutions and service providers must adhere to as they work toward full DORA compliance:

Organizations must implement controls to minimize the ICT risk, and must be able to demonstrate resilience through regular testing, showing that they can withstand security incidents without significant disruption to services.
DORA mandates the establishment of sound ICT risk management processes, involving thorough self-assessments to identify the organization’s existing security stance and potential vulnerabilities.
Organizations must allocate resources to enhance resilience to cyber threats. This includes encouraging the presence of skilled staff with expertise in the management of ICT systems.
Organizations must additionally prepare detailed documentation that elaborates on the measures taken to ensure resilience of digital operations. This includes continuity plans, incident response plans to respond to ICT-related incidents, data governance structures, and testing and reporting activities.
The controls that DORA introduces with respect to third party ICT systems (e.g. cloud providers) encourage organizations to categorize and evaluate contracts, require additional compliance assurances from service providers, and update insurance coverage to meet new requirements.

How Can Organizations Start Preparing For DORA?

Financial institutions must begin preparations by completing a gap assessment to identify the areas where improvement is required. The gap assessment should measure current practice against DORA and related expectations such as the ESA guidelines, the NIS Directive, and the ECB's Cyber Resilience Oversight Expectations (CROE), along with IT risk management standards such as NIST CSF, ISO/IEC 27001, ITIL, and COBIT.

Depending on the jurisdictions and business lines in which your organization operates, additional regimes may also be a factor (for example, HIPAA for organizations that also handle US health data).

Ultimately, this analysis will help to identify the key areas which fall out of compliance with DORA, and will inform the creation of a digital resilience strategy.

Upon completing the gap assessment, organizations should create a roadmap that defines implementation timelines and helps prioritize plans for allocating resources and implementing security systems to meet compliance requirements.

Will DORA Impact My Organization?

One key aspect of DORA is the increased supervision of financial entities, coordinated by the European Supervisory Authorities (ESAs) and carried out by national competent authorities. This will lead to stronger controls to ensure digital resilience.

Organizations in the financial sector will require significant investments in IT risk management and cyber threat detection and security capabilities. Additionally, the NIS2 Directive, an EU cybersecurity directive that parallels DORA (with DORA taking precedence for financial entities as the sector-specific rule), will affect a broad range of business sectors. Together, these regulations may lead to increased costs as organizations retool their systems and staff to comply with their stringent requirements.

Taking all these challenges into account, it is critical to take a proactive approach to meeting DORA requirements rather than waiting for supervisory scrutiny to force the issue.

By getting started now, organizations can better navigate this new regulatory landscape so they may be thoroughly prepared for DORA requirements.

Current Status of DORA

DORA entered into force on 16 January 2023 and applies from 17 January 2025, so organizations have until that date to become fully compliant with the regulation. It is essential for organizations to start compliance preparation work immediately.

With a compliance deadline fast approaching, it is increasingly important for security professionals in the financial industry to understand what steps they need to take to ensure DORA compliance.

Two key milestones to be aware of ahead of January 2025 are the regulatory and implementing technical standards (RTS/ITS) being finalized by the ESAs, which specify the detailed requirements, and the start of mandatory Threat Led Penetration Testing (TLPT), which designated financial entities must undergo at least every three years and which will provide a framework for assessing their preparedness.

How Check Point Solutions Help with DORA Compliance

As organizations navigate the complexities of DORA, with the deadline for full compliance approaching, they must take proactive steps to ensure compliance.

To meet the requirements for rapid incident reporting, third-party risk management, and increased audit obligations, it is essential to understand current readiness and identify the areas of the organization that potentially fall out of compliance.

The Check Point NIS2/DORA Readiness Assessment can help you enhance or achieve compliance by preparing your organization for DORA prior to the January 2025 deadline.

Check Point Software is well-equipped to partner with you to prepare for NIS2 and DORA. Working together, we can foster a culture of operational resilience within your organization to reduce the risk of cyber threats and regulatory non-compliance.
