DORA Compliance: What the Digital Operational Resilience Act Means for IT Security

Financial entities must have a sound, comprehensive and well-documented risk-management framework.

The framework must be reviewed at least once a year, as well as following major incidents.

Entities must conduct internal audits of the framework and remediate critical findings.

Entities must ensure the independence of risk management, control and audit functions through appropriate segregation of duties.

The framework must contain an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of IT resources.

Covered organizations must identify and classify all business functions and information assets.

Organizations must conduct risk assessments once a year, as well as following major changes to their IT infrastructure.

Organizations must identify all processes that depend on third-party service providers.

The inventories of IT assets, identified risks and third-party processes must be updated yearly.

Organizations must ensure that all changes to IT systems are tested, approved and implemented in a controlled manner.

Organizations must follow a comprehensive policy for patches and updates.

Entities must use strong authentication mechanisms.

Entities must prevent unauthorized access to data and assign access rights based on the principles of need-to-know and least privilege.

Entities must implement policies that limit access to IT resources to those necessary for a person’s role only.

Entities must conduct access reviews at least once a year and remove access once no longer needed, such as termination of employment.

Entities must follow the segregation of duties to prevent staff from circumventing controls.

Financial entities must continuously monitor the security of their IT systems.

Entities must have mechanisms in place to detect anomalous activities, with clear alert thresholds and criteria.

Based on these alert-criteria, the detection mechanism must automatically alert relevant staff to enable effective incident response.

Financial entities must establish a comprehensive business continuity policy, which includes an incident response plan and recovery plan.

The response and recovery plan must include a backup policy specifying which data to back up and at which frequency.

The response and recovery plan must be tested once a year as well as following substantive changes to the IT infrastructure.

Entities must include security awareness as a mandatory part of their staff training.

Entities must monitor technological developments and keep up to date with evolving cyber risks and attack methods.

Following major IT incidents, entities must conduct incident reviews to assess the effectiveness of their security policy and identify potential improvements.

Financial entities must establish an IT incident management process allowing them to detect and mitigate incidents in a timely manner.

Incidents must be documented and their root causes identified to prevent them from occurring again.

Entities must create an emergency communication plan allowing them to notify staff, external stakeholders and the media.

Financial entities must report major IT incidents to their governing authority.

Entities must produce an initial notification within 24 hours of detecting the event, an intermediate report within 72 hours and a final report within one month.

Entities may voluntarily notify authorities of cyber threats they consider significant to the financial system.

If a major IT incident impacts the financial interests of their clients, entities must inform them about the incident and which measures have been taken to mitigate it.

Where applicable, entities must also inform potentially affected clients of safety measures they may consider taking in response.

Entities must follow a digital operational resilience testing program as part of their risk management framework.

Entities must follow a risk-based approach to choosing appropriate tests, which may include vulnerability assessments, open source analyses, gap analyses, network security assessments, physical security reviews, penetration testing and others.

Appropriate tests must be performed at least once a year on all IT systems supporting important business functions and findings must be addressed.

Tests must be undertaken by independent parties, whether internal or external.

Entities must conduct advanced, threat-led penetration testing on live production systems supporting important business functions at least every 3 years.

For their TLPT, entities must contract qualified and reputable testers with the necessary expertise in threat intelligence, penetration testing and red team testing.

Internal testers may only be used if the relevant authority verifies that conflicts of interest have been avoided and approves their use.

Entities must adopt and regularly review a third-party risk strategy, which includes a policy on third-party services supporting important or critical functions.

Entities must maintain a register of all third-party IT service providers and distinguish those that support important or critical functions. This register must be made available to authorities upon request.

Entities must report yearly to relevant authorities on new contractual arrangements. For providers supporting important/critical functions, entities must notify authorities of planned contractual arrangements.

Before contracting third-party service providers, entities must assess relevant risks, perform due diligence research and identify potential conflicts of interest.

Entities may only contract service providers that follow appropriate IT security standards.

Entities must set a frequence for audits and inspections of third-party service providers.

For providers supporting important/critical functions, entities must take into account potential issues arising from risk concentration or providers relying on subcontractors.

Entities must ensure that contracts with service providers can be terminated under specific conditions, including breach of laws/regulations, altered performance of services and IT security weaknesses.

For providers supporting important/critical functions, entities must create exit strategies that allow them to leave contractual arragements with no negative impact on compliance, business functions and quality of service.

Exit strategies must be documented, tested and periodically reviewed.

Entities must identify alternative solutions, develop transition plans to transfer services to other providers/in-house and have contingency measures in place for the event of provider outages or service disruptions.

Contracts with service providers must include:
– a full description of the services a provider covers
– the regions and countries where services are provided and data is processed/stored
-provisions on the availability, authenticity, integrity and confidentiality of data
-conditions for the provider to participate in awareness training and resilience testing
-obligations for the service provider to render assistance for IT incidents related to their service and fully cooperate with authorities

For critical/important functions, contracts must include:
-service level descriptions and performance targets to allow for effective monitoring and corrective actions
-obligations for the service provider to notify the entity of anything affecting their ability to provide service
-requirements for the provider to implement business continuity plans and an appropriate level of security
-the right to monitor the providers performance, including through inspections and audits

European Supervisory Authorities (ESAs) will publish and update a yearly list of critical third-party service providers within the EU. Providers that are newly classified as critical will be notified by authorities within six weeks of this decision.

ESAs will assess whether each critical service provider has in place effective rules, procedures and mechanisms to manage IT risk affecting financial entities.

Assessments will cover risk management processes, governance structures, compliance with national and international standards, the physical security of facilities, incident management as well as IT audits and testing.

ESAs will create an individual oversight plan for each critical service provider describing oversight actions and objectives. This plan will be communicated to service providers yearly.

Providers may respond to oversight plans within 15 days if it negatively affects customers not covered by DORA.

To complete their oversight objectives, authorities can request information from critical service providers, obtain records and relevant material, carry out interviews, summon representatives for comment or conduct inspections on the premises of the service provider.

Authorities must give reasonable notice ahead of on-site inspections, unless it would make the audit ineffective.

Critical service providers must cooperate in good faith with authorities and assist them in fulfilling their oversight objectives.

Following investigations or inspections, authorities may issue recommendations to service providers for how to address detected risks or shortcomings.

Within 60 days of receiving recommendations, providers must notify authorities of their intention to follow them or provide a reasoned explanation for not doing so.

If a provider does not follow recommendations, ESAs may issue warnings to financial entities or, as a last resort, order them to stop using this service.

If critical service providers do not comply with DORA requirements or cooperate with authorities, ESAs may impose a daily penalty payment for a period of up to six months.

The daily penalty payment can up to 1% of the average daily turnover of the service provider in the previous business year.

When determining the penalty amount, authorities will take into account the gravity and duration of the provider’s non-compliance, whether it was committed intentionally and the degree of cooperation with authorities.