Preparing for DORA Amid Technical Controls Ambiguity

COMMENTARY 

January 2025 is a big month for the finance industry – and the clock is ticking. The Digital Operational Resilience Act (DORA) is set to shape how financial entities, such as banks, insurance companies, and investment firms, approach their IT infrastructure and data security. According to Article 3 (1), this regulation will enhance "the ability of a financial entity to build, assure and review its operational integrity and reliability."

Although IT security and digital resilience form a part of the reforms that followed the 2008 financial crisis, they've taken a back seat over the years. DORA aims to address the rising cyber threat.  

Member states across the European Union have until January to comply with this new regulation or risk severe fallout. A breach could result in fines of up to 2% of an organization's total annual worldwide revenue or up to 1% of the company's average daily worldwide revenue.  

Despite the urgent call to action, delays are making it difficult for institutions to prepare. While the scoping and harmonization templates were due to the commission in July, public release is uncertain. There are currently no sets of controls or technical standards, so how are those being impacted meant to prepare? 

But with time running out, financial entities do not have the luxury of watching and waiting. Without any real guidance, it's in their best interest to take matters into their own hands and do what they can with the information they have.

Size Equals Complexity 

As with many new regulations, one of the key challenges is complexity – and DORA takes that to a whole new level, with six chapters and over 280 articles. It introduces a series of new standards and controls that companies must meet and for which a complete restructure of processes may be required.

Remember, DORA is a regulation, not a framework, so comprehending the many requirements is job No. 1 for organizations. To ensure compliance, organizations need full visibility over all company assets. This allows organizations to continuously monitor all systems and identify and address any potential gaps in security. 

You Can't Protect What You Can't See 

Technology is a borderless entity; DORA calls for complete visibility, despite the vast array of interconnected devices used by firms. The new regulation focuses heavily on data and providing clear and actionable evidence. DORA places a particular emphasis on third-party risk, resilience, and testing – areas currently without an existing framework and becoming more vulnerable every year. 

PCI security standards, for example, focus solely on protecting credit card information. NIST's Cybersecurity Framework covers certain elements of recovery and fills the gap left by PCI, but it still doesn't cover reporting. DORA, on the other hand, doesn't focus so much on penetration testing but more on threat-based testing, requiring organizations to emulate a threat rather than conduct a vulnerability scan.  

So instead of monitoring for any existing cybersecurity vulnerabilities, the new regulations require organizations to monitor for any potential weaknesses – identifying and rectifying them before they can trigger unnecessary risk. This approach minimizes the risks of vulnerabilities developing and ensures organizations have real-time updates on the state of their security. 

What Can Business Do at This Stage? 

One thing DORA is very clear on is an emphasis on results and the need to continually monitor for threats. This regulation should not to be taken lightly. Under DORA, authorities have the power to request data and execute powers to assess a company's compliance with these regulations.  

As a first step, organizations should conduct a thorough gap-analysis exercise to identify areas in need of improvement – within their own business as well as across their supply chains. Ahead of January, organizations must ensure that their risk management strategies are up to date. Right or wrong, DORA assumes firms have a sufficient risk management framework in place. The same is expected of parties in the supply chain, although how far down the chain is yet to be determined.  

All parties involved need to obtain and maintain detailed knowledge of all critical assets at any given time. Tools that continuously monitor all assets provide real-time critical information on processes across the company. Only through continuous monitoring can organizations understand where the gaps in their security are and ensure they are properly addressed. 

Regardless of delays, DORA is coming and businesses must be prepared. Organizations that view this incoming regulation as more than just another push for compliance – and instead a platform from which to truly enhance their security posture – will gain that all-important competitive edge. Through continuous monitoring and effective threat management, organizations will achieve a new level of protection across their entire network.