The Digital Operational Resilience Act defines criticality thresholds for services provided to financial institutions. If an organization is a direct service provider to a financial institution and its services meet these thresholds, then the company is subject to DORA. This means that the organization will be directly supervised by the relevant financial regulator.
For organizations whose services do not meet the DORA thresholds, the regulation still applies, but direct supervision is not required. Instead, the organization’s customers will be required to demand certain contractual terms to achieve compliance with DORA’s requirements.
For example, the Digital Operational Resilience Act (DORA) requires financial institutions to report data breaches to regulators within a certain window of discovery. Financial institutions will be required to impose the same breach reporting requirements on their suppliers and service providers as part of their contractual obligations. If an organization is not willing to accept these terms, then DORA prohibits the financial institution from doing business with it.
The Digital Operational Resilience Act dictates the terms that financial institutions will require of their suppliers and the security controls that these suppliers must have in place. Since DORA is geared toward improving the resiliency of the entire financial industry, these obligations and requirements are likely to be passed on through the entire supply chain.
The Primary Requirements of Digital Operational Resilience Act (DORA)
The primary goal of DORA is to ensure the operational resilience of the financial sector. As part of this, organizations covered by the Digital Operational Resilience Act need to implement risk management processes that help identify potential vulnerabilities to plausible cyber threats and put policies and security controls in place to protect against these risks.
DORA creates a framework of rules that financial institutions and their suppliers need to follow for operational resilience. Some of the key goals and requirements include:
- Risk Management and Governance: DORA lays out frameworks and guidelines for risk management in the financial sector. These guidelines are intended to help organizations to build more mature risk management programs and improve operational resiliency.
- Resiliency Testing: DORA suggests that covered organizations implement resiliency testing programs based on their risk assessments. This helps to identify and correct any issues before they pose a threat to operations.
- Intelligence Sharing: Many cyber threat actors active in the financial industry target multiple organizations at once. By encouraging the sharing of threat intelligence, DORA helps the entire industry become more aware of, and better prepared for, ongoing cyber threats.
- Supply Chain Management: DORA imposes requirements on financial institutions’ contractual relationships with their suppliers. Additionally, financial institutions are required to have strategies for managing the risks that these suppliers create, including the potential for exiting relationships and moving to substitutes.
- Incident Reporting: DORA expands the scope of incident reporting and attempts to streamline the reporting process. By requiring faster reporting, DORA also encourages rapid incident investigation and response, which helps to mitigate the impact of a breach. Also, breach reports can be used to help detect unknown intrusions in other networks.
- Audit Access: The DORA regulation enables regulators (and financial institutions, in the case of their suppliers) to perform audits throughout the financial industry's supply chain. This helps to drive compliance but means that organizations must be able to generate reports on demand.
- Retrospective Analysis: Most organizations try to learn from their own internal incidents, but DORA encourages studying and revising policies based on external incidents as well. This is intended to prevent multiple organizations from falling victim to the same types of attacks.
The exact requirements of the Digital Operational Resilience Act are unknown, as it is still in draft status. However, starting the process of meeting these requirements today will simplify compliance once the law is approved.
How Network Gate Solutions Help with DORA Compliance
DORA has not yet been passed, but it is expected to become law in 2022. This means that organizations that may be impacted by DORA should start working towards compliance today.
To prepare for the Digital Operational Resilience Act, one of the most important steps that an organization can take is to simplify and streamline its security architecture. DORA requires rapid reporting of cybersecurity incidents, visibility into an organization’s third-party dependencies, and the ability to respond to audit requests from regulators or customers.
Network Gate provides consolidated protection across all of an organization’s IT infrastructure, including support for endpoints, mobile, cloud, and email. By simplifying and streamlining an organization’s security infrastructure, Network Gate makes it easier to protect against cyber threats and meet the reporting requirements of DORA. To learn more about how Network Gate solutions can help with compliance and other regulations, contact us.