How to approach DORA with a pragmatic mindset

Giles Inkson, Director of Services EMEA, NetSPI

In my previous article, I provided an introductory guide to understanding DORA, what it is, what it means for financial institutions and how to comply with the new act. In a world inundated with various frameworks, adding DORA to the list can be overwhelming and knowing where to begin can be a daunting process.

What’s more, conversations around DORA are mounting, but it’s important to remember that the act has already been in force since December 14th, 2022. The key date financial institutions have been working towards since then is January 17th, 2025, when its operational mandates become effective. With only a few months to go, businesses may be feeling the heat, or concerned about what it means. Despite what the headlines might say, the moment 17th January kicks in, not all organisations will be expected to have everything in place. However, they should be making significant progress, and be able to evidence their approach and their knowledge of gaps, with a plan to close them.

But what does ‘making progress’ mean in real terms? Let’s delve deeper into the realities of how DORA will impact businesses and some practical strategies for managing the legislative framework more effectively from today.

Don’t panic

Firstly, don’t panic. By the ‘DORA deadline’, organisations will be expected to prove they are making strides in their operational capabilities and processes. For example, they should be able to demonstrate that yearly resiliency testing and red teaming are in place. They may also be asked by their monetary authorities or TCTs to perform a red team exercise aligned with the TIBER framework. This may give them up to three years to be ready, or they may face the challenge in the first year. The best approach is always to gear towards doing this as soon as possible, internally and with third parties, so as to be ready when the time comes. What is important is that businesses get prepared now, talk to trusted testing partners, and gather threat intelligence as soon as they can.

To put DORA’s impact into perspective, consider the sweeping changes to data privacy brought by GDPR. While DORA’s immediate impact may not be as profound (possibly around half of the impact GDPR has had at a financial penalties level), its focus on ICT processes to support enterprise operational resilience is critical in today’s digital landscape.

Build a best practice framework and share knowledge

Businesses need to make sure they have evidence, on a rolling basis, that they are testing. These tests must encompass both the enabling ICT systems and the entire organisation as an entity, as well as its supply chain and the market it serves. This approach not only enhances resilience, but also aligns with DORA’s emphasis on industry-wide knowledge sharing and cooperation between peers. DORA will create standardised processes and a centralised EU reporting hub to improve the flow of information around significant incidents. That means that if a business, one of its partners, or a competitor detects suspicious activity, the industry can offer insight into how to respond. Individual companies contributing to this shared knowledge base will bolster EU-wide situational awareness and harmonisation around real and perceived threats and mitigation activities.

In addition, DORA combines long-standing initiatives by the ECB, such as TIBER testing and red teaming, into a legal framework that enforces good practices. These are being administered by three monetary authorities (the ESAs): EBA, EIOPA and ESMA. It mandates that all financial institutions comply with its standards, including those new to such requirements, like crypto exchanges and small wealth management firms, as well as the big banks, insurers and payment providers. By implementing a robust testing framework and actively participating in knowledge sharing, financial institutions can meet DORA’s requirements effectively and contribute to a more resilient industry overall.

Don’t admit defeat with DORA

The prospect of DORA can seem daunting, but the reality is that, though well-structured, it is less complex than previous compliance frameworks. To support DORA-readiness, organisations should engage with suppliers offering DORA-compliant testing schemes when the expertise and resources to carry out the tests are not available in-house.

A positive sign is that many businesses are already conducting dry runs and preparatory tests. This is helping organisations get comfortable with the process of these tests, and also puts them in a position where they may be viewed favourably by some of the TCTs and ESAs when they are asked to perform the bigger, regulated TIBER tests. This has been a big initiative to encourage organisations to prepare themselves ahead of the compliance deadline. The clock is ticking, but proactive steps now will ensure readiness by January 2025. Think of it not as a snooze button for that clock, but as waking up naturally before the alarm.

While DORA is mandatory and presents new compliance challenges, it is not a burden; it is structured to be manageable, and regulated resiliency testing has proven to be some of the most valuable testing undertaken by the organisations that do it. Through building a robust testing framework, sharing knowledge, and leveraging existing compliance schemes, financial institutions can navigate these requirements effectively. Remember, preparation from today and continuous improvement are key to successfully managing DORA compliance.
