nss Cybersecurity As a Service
nss Privileged Access Management
nss IT & Security Management
nss MSP & ITSP Integrated Solutions
nss Data Security Management
nss Password Management for MSPs
nss Vulnerability Assessment & Management
nss Application Security Testing for Enterprise
nss Link Load Balancing, Wifi & SDWAN
nss Optical Networking
nss Next-gen threat resilience
nss Document Security
nss Server Load Balancing, Secure GW, WAN Optimization
nss Email Archiving
nss PKI Solutions & Identity Services
nss Tiered Backup Storage
nss Physical / Virtual Backup & Disaster Recovery
nss Secure Critical Communications
nss SIEM & Log Management
nss Threat & Vulnerability Management Platform
PRODUCTS
PRODUCTS
Facebook Twitter Linkedin Youtube Rss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss

Keeper Security. What Is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a regulation that strengthens digital security among financial institutions in the European Union (EU). Although DORA came into effect in 2023, it will be fully adopted by all EU financial entities and third-party service providers of Information Communication Technologies (ICT) beginning in January 2025 to improve their defenses against potential cyber threats.

Continue reading to learn DORA’s objectives, its main pillars of compliance and how your organization can prepare for DORA.

The purpose of DORA

DORA’s two main goals are to improve how financial services manage ICT risks and to unify existing ICT-risk management regulations across individual EU member states.

Address ICT-risk management in the financial sector

In EU financial institutions, risk management regulations focus on ensuring that organizations have enough money to handle risks to their operations. The issue with this, however, is that some organizations have ICT guidelines while others do not. Without a unified set of security standards or rules for ICT-risk management, each EU member state has been left to develop its own requirements. DORA will make the financial sector more secure and better able to handle risks related to its online systems and technological vulnerabilities by standardizing these requirements.

Harmonize risk management regulations into one framework

With DORA, the EU can rely on a consistent security framework to manage ICT risks, primarily in the financial services sector. This will eliminate inconsistencies between different EU countries regarding their standards and make the compliance process easier for financial institutions to follow. DORA will help organizations better understand what to do in the event of a security risk.

The 5 pillars of DORA compliance

EU organizations impacted by DORA will need to follow its five pillars of compliance by January 17, 2025.

1. ICT-risk management

ICT-risk management is the foundation of DORA because it detects and analyzes risks associated with an organization’s use of technology. Financial institutions must follow an ICT-risk management framework with the help of crucial stakeholders and senior management members to establish strong communication about potential security risks. ICT-risk management should detail the appropriate tools, documents and processes to defend an organization from operational risks and cyber threats. Without proper ICT-risk management, organizations will have a higher chance of suffering data breaches and other security issues that could damage their businesses and reputations.

2. ICT incident reporting

Once an ICT-risk management framework is established, an organization needs to know how to report incidents if they occur. With DORA, ICT-incident reporting will become a simpler process by consolidating these reports into a more streamlined channel. Financial organizations must submit a root cause report to a unified EU hub within one month of a serious ICT-related incident based on the new EU reporting rules. Once an organization has submitted a root cause report, the EU hub will review all major ICT-related reports and gather any data to determine if there are common security vulnerabilities among financial institutions.

3. Digital operational resilience testing

Some financial entities currently enlist independent parties to regularly conduct digital operational resilience testing, which tests their methodologies, procedures, tools and recovery systems in preparation for any ICT-related risks. Although there are existing frameworks in place that cover digital operational resilience testing for certain financial organizations, DORA will make testing requirements widespread across the financial services sector. This will increase the number of organizations required to conduct digital operational resilience testing, which will minimize the cost of hiring independent parties and reduce the chances of organizations suffering cyber attacks.

4. Information and intelligence sharing

After DORA is in full effect, organizations will be required to share cyber threat information within trustworthy financial communities. The main goal is to help other organizations become aware of potential cyber threats so they can develop their own solutions to protect private information. Organizations will outline and share strategies they use to combat cyber threats to improve the overall security of the financial services community.

5. ICT third-party risk management

Financial entities must have contracts in place with any ‘critical’ ICT-service providers, highlighting topics such as data protection and incident management. What distinguishes certain ICT-service providers as ‘critical’ includes the services that are crucial to an organization’s daily operations. Contracts with critical third-party providers ensure that they must support their affiliated financial organizations in the event of a data breach or other cyber attack. For example, when a contract is signed, the third-party provider will be required to share appropriate information and uphold the highest level of security standards for services provided to a DORA-compliant financial organization due to their ‘critical’ status.

How to prepare for DORA compliance

Your organization can prepare to meet DORA’s requirements in a variety of ways, including conducting a DORA gap analysis, identifying critical third-party providers and assessing your current incident response plan.

Conduct a DORA gap analysis

To determine all gaps across ICT systems, your organization should perform a DORA gap analysis. You can assess your current practices by comparing them to what DORA will require, which will help you better identify any areas that your organization needs to improve to comply with the new requirements. Based on the results of your DORA gap analysis, you may need to create a remediation roadmap to address any gaps within your organization. For example, if your gap analysis shows that your organization doesn’t participate in information sharing, you will need to identify actions and establish a timeline to ensure your organization becomes DORA-compliant.

Identify critical third-party ICT providers

Your organization must determine if you are working with any ‘critical’ third-party ICT providers by identifying all the characteristics that define this categorization. If you use any third-party Cloud Service Providers (CSPs), your security team needs to make sure these vendors are also DORA-compliant and have contracts in place. It’s important to identify which of your third-party service providers fall into the ‘critical’ category because you may need to establish teams and alter software to ensure DORA compliance.

Assess your current incident response plan

An incident response plan assigns responsibilities and provides procedures for an organization’s employees to follow if a data breach or cyber attack occurs. With an established incident response plan, your organization will not need to panic if something goes wrong but instead will be prepared to identify, evaluate, remediate and prevent attacks from occurring again. Assuming that your organization already has an incident response plan in place, you will need to reevaluate whether your current plan is DORA-compliant. Measure your current plan against DORA’s requirements to assess whether your organization will be following specific mandates. If you test your incident response plan by simulating a data breach and discover vulnerabilities, you will also need to modify your internal reporting to meet DORA’s standards.

What happens if firms fail to comply with DORA?

If a financial entity does not comply with DORA, authorities can impose fines up to 2% of the organization’s annual global revenue. While the organization as a whole will suffer as a result of not complying with DORA, individual managers can also receive a financial penalty of up to one million euros. For any ‘critical’ third-party ICT providers who fail to comply with DORA, the penalty could be as high as five million euros.

How KeeperPAM® can help you meet DORA compliance

Your organization can strengthen its security and meet certain DORA compliance requirements by investing in a Privileged Access Management (PAM) solution like KeeperPAM. When you use KeeperPAM, your organization will be able to closely monitor and manage employees and systems that handle sensitive data and critical accounts, significantly reducing any errors or vulnerabilities that could lead to data breaches or cyber attacks. KeeperPAM can help organizations in the financial sector meet DORA compliance by reducing their attack surface, ensuring secure access for authorized users and achieving complete reporting for every privileged account.

Request a demo of KeeperPAM today to ensure that your organization is prepared for DORA compliance requirements and secured with the highest levels of protection for your sensitive data.

Source: Keeper Security

Are you ready to move on to the next level?
Contact us
Facebook Twitter Linkedin Youtube Rss

NSS

Visitor Info

Operating System: -
IP Address: 3.135.194.138

Contact us

Emergency Disinfection
Copyright © NSS. All Rights Reserved.
website by 9AM