Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital. Leaving the ICT Security Risk Management reside on general guidelines and principles rather than specific technical standards.
DORA regulation sets a universal framework for managing and mitigating risk and defines rules for the protection, detection, containment, recovery and repair capabilities, incident reporting and operational resilience testing against ICT-related incidents, harmonizing ICT Risk Management rules across EU.
DORA applies to all financial institutions in the EU. That includes traditional financial entities, such as banks, investment firms and credit institutions, and non-traditional entities, including crypto-asset service providers and crowdfunding platforms.
Notably, DORA also applies to some entities typically excluded from financial regulations. For example, third-party service providers that supply financial firms with ICT systems and services—like cloud service providers and data centers—must follow DORA requirements. DORA also covers firms that provide critical third-party information services, such as credit rating services and data analytics providers.
DORA canonizes technical requirements for financial entities and ICT providers across five domains described below:
1. ICT risk management
Affected entities are expected to develop ICT Risk Management frameworks. This includes but is not limited to, map, identify and classify critical assets. Document dependencies between these assets and conduct risk assessments on their systems. Identification and classification of cyberthreats and documented processes to mitigate them should also be in place.
2. Incident response and reporting
Affected entities are required to canonize ICT systems monitoring, logging and incident reporting. Severe and critical incidents should be reported to both regulators and affected clients and partners. Reports should be formed during all stages of the incident mitigation; an initial report for notification to concerned authorities, an intermediate report describing action towards resolving and a final report analyzing root cause and resolution of the incident.
3. Digital operational resilience testing
Entities must set their own ICT systems testing on a regular basis to identify new or existing vulnerabilities and reevaluate their systems resiliency against common or new threats.
Vulnerability assessments should be executed once a year from covered entities, whereas financial entities are also enforced to undergo Penetration Testings, with the participation of all critical ICT providers, every three years. Technical standards and procedures describing Penetration testing are yet to be announced.
4. Third-party risk management
DORA regulation also applies to ICT providers of the financial sector. It establishes a framework for critical ICT third-party risks
DORA aims to provide to the financial companies the ability to effectively monitor risks posed by ICT third party providers in detail, such as a full service level description and indication of locations where critical data is held.
5. Information Sharing
As the cyberthreats in the financial sector affects multiple financial companies, DORA empowers entities to participate on threat intelligence sharing arrangements according to specific guidelines. This participation enhances the ICT risk awareness, minimizes ICT threats ability to spread and prepares entities to develop detection and defensive mechanisms and recovery strategies.