How to Prepare For DORA: What You Need to Know
Banking and financial services organizations are a critical part of local and global infrastructure – nearly everyone relies on the financial industry’s operations in some way each day. And with the rapid digital transformation of the past few years, financial services and their customers are becoming heavily dependent on ICT (information and communications technology) and digital information. This makes them a prime target for threat actors looking to steal customer data, halt banking operations, and cause widespread disruption.
Financial entities must be able to withstand, respond, and recover from the impact of ICT incidents, with no impact to critical and important functions and minimal disruption for customers and the financial system.
The EU’s Digital Operational Resilience Act (DORA) aims to strengthen the financial sector’s resilience to ICT-related incidents and introduces specific, prescriptive requirements that are harmonised across EU member states.
Illumio enables banking and financial services organizations operating in the EU to achieve DORA compliance through risk-based visibility and Zero Trust Segmentation.
What is DORA, and why is it important?
The banking sector supports the global economy, and without strong cybersecurity measures, breaches can quickly become catastrophic.
DORA requires banks operating in the EU to strengthen their cyber resilience so that they can withstand, respond to, and recover from breaches. This ensures that they can protect customer data, maintain operations despite inevitable breaches, and keep the impact of breaches minimal to preserve the global economy.
While DORA will enforce specific compliance and technical requirements for financial institutions, its broad goal is to build cyber resilience across the industry. Organizations working towards better cyber resilience now will be ahead of the curve when the detailed requirements are available.
Learn how DORA differs from NIS2.
Facts about the EU’s DORA regulation
The regulation entered into force on January 16, 2023 and applies 24 months after entry into force. This means financial entities must be compliant with DORA by January 17, 2025.
Throughout 2024, European Supervisory Authorities (ESAs) will define and issue multiple regulatory and implementation technical standards, providing financial organizations with specifications and guidance on how to implement specific DORA requirements.
Firms based in the UK and other international territories may be subject to DORA if they operate in EU markets (for example, through locally incorporated group entities). ICT third-party service providers are also subject to the DORA requirements once they enter into contractual arrangements with firms covered by DORA.
While DORA does not prescribe the size or form of sanctions, EU member states are free to lay down sanctions for breaches of DORA in their national law.
Read the DORA regulation here.
DORA’s 5 core pillars: Building operational resilience
The regulation is divided across 5 core pillars to give financial services organizations a comprehensive cyber resilience framework. Though DORA’s detailed technical standards are not yet available, they will map directly to these core pillars, giving organizations a way to start preparing for compliance now.
- ICT risk management: Establish resilient ICT systems, continuously identify and protect against ICT risks, detect anomalous activities, implement comprehensive business continuity plans, and facilitate ongoing learning and improvement from external events and internal ICT incidents.
- ICT-related incident response: Establish a comprehensive management process for monitoring, classifying, reporting, and sharing reports of ICT-related incidents in compliance with regulatory and supervisory requirements.
- Digital operational resilience testing: The ICT risk management framework should undergo periodic testing to verify preparedness, with weaknesses and gaps addressed through corrective measures. Testing requirements should be proportionate to the entity's size and risk profile, including Threat-Led Penetration Testing (TLPT) for higher-risk entities.
- ICT third-party risk: Monitor the risks introduced by ICT third-party providers through harmonised contractual relationships, comprehensive contracts, and a Union Oversight Framework for critical providers that promotes supervisory convergence.
- Information sharing: Promote collaborative efforts among financial entities to improve digital operational resilience, increase awareness of ICT risks, reduce the spread of ICT threats, and support various defensive and mitigation strategies through the secure exchange of cyber threat information.
What can you do now to prepare for DORA?
Now is the time to start considering projects, budget requirements, and organization-wide initiatives in preparation for DORA’s full enforcement in January 2025. Security teams can take proactive steps to be ready to hit the ground running on building resilience and achieving DORA compliance.
1. Identify risk via network mapping
The regulation’s first pillar focuses on identifying risk, which is fundamental to success with the other pillars. If you haven’t already, your organization’s security team should map application dependencies across the entire infrastructure. Some security solutions, such as Illumio, include this kind of mapping as part of their broader platform.
Use the map to distinguish critical from non-critical processes and to identify your third-party dependencies. You will likely find previously unknown risks that your security team can address immediately.
2. Boost detection capabilities
With a better understanding of the environment, you can focus on improving your detection capabilities. Solutions like Illumio can feed information into your security information and event management (SIEM) system, giving your security team the data it needs to detect threats faster.
3. Proactively prepare to contain breaches
DORA specifically calls out breach containment as key to resilience. Breach containment technologies such as microsegmentation, also called Zero Trust Segmentation, divide the network into zones and control communication between workloads and devices so that only necessary, expected traffic is allowed.
For example, you can use microsegmentation to restrict server-to-application communications, separate dev from prod, or separate IT from OT. This lets you proactively isolate high-value assets or reactively contain compromised systems during an active attack, stopping a breach from spreading.
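The three steps above (map dependencies, surface unexpected flows, enforce an allowlist with a quarantine override) can be modelled end to end in a few dozen lines. The following is an added example, not Illumio's code or policy model: the `app`/`env`/`role` labels, the rule shape, the workload inventory, the third-party endpoint and the flow records are all constructed for illustration, and the addresses are RFC 1918 and TEST-NET-3 ranges rather than real hosts.

```python
"""Label-based microsegmentation: dependency map, default-deny allowlist, quarantine.

Added example; the labels, rules, inventory and flow log below are assumptions,
not Illumio's policy model or API.
"""
from collections import defaultdict

# Constructed workload inventory: IP -> labels.
WORKLOADS = {
    "10.0.1.10": {"app": "payments", "env": "prod", "role": "web"},
    "10.0.1.20": {"app": "payments", "env": "prod", "role": "db"},
    "10.0.2.10": {"app": "payments", "env": "dev", "role": "web"},
    "10.0.2.20": {"app": "payments", "env": "dev", "role": "db"},
    "10.0.3.5": {"app": "logging", "env": "prod", "role": "siem"},
}
# Constructed third-party endpoint (TEST-NET-3 address, not a real provider).
THIRD_PARTIES = {
    "203.0.113.7": {"app": "card-processor", "env": "external", "role": "api"},
}

# Constructed flow records, one per line: "src dst dport proto".
FLOW_LOG = """\
10.0.1.10 10.0.1.20 5432 tcp
10.0.2.10 10.0.2.20 5432 tcp
10.0.2.10 10.0.1.20 5432 tcp
10.0.1.10 203.0.113.7 443 tcp
10.0.1.10 10.0.3.5 514 udp
10.0.1.20 10.0.3.5 514 udp
10.0.1.10 10.0.1.20 22 tcp
"""

# Allowlist of "necessary and wanted" flows. Anything not listed is denied.
# A selector matches when every key/value it names is present on the endpoint.
ALLOW_RULES = [
    {"src": {"app": "payments", "env": "prod", "role": "web"},
     "dst": {"app": "payments", "env": "prod", "role": "db"}, "port": 5432, "proto": "tcp"},
    {"src": {"app": "payments", "env": "dev", "role": "web"},
     "dst": {"app": "payments", "env": "dev", "role": "db"}, "port": 5432, "proto": "tcp"},
    # Log forwarding from any payments workload (dev or prod) to the SIEM collector.
    {"src": {"app": "payments"}, "dst": {"role": "siem"}, "port": 514, "proto": "udp"},
    # Only prod web tier may reach the external card processor.
    {"src": {"app": "payments", "env": "prod", "role": "web"},
     "dst": {"app": "card-processor"}, "port": 443, "proto": "tcp"},
]


def labels_for(ip):
    """Labels for a workload or known third party; unknown hosts get no labels."""
    return WORKLOADS.get(ip) or THIRD_PARTIES.get(ip) or {}


def parse_flows(text):
    """Parse 'src dst dport proto' lines into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def build_dependency_map(flows):
    """Step 1: aggregate observed flows into (src app/env) -> (dst app/env) edges."""
    deps = defaultdict(set)
    for src, dst, port, proto in flows:
        s, d = labels_for(src), labels_for(dst)
        key = (f"{s.get('app', '?')}/{s.get('env', '?')}",
               f"{d.get('app', '?')}/{d.get('env', '?')}")
        deps[key].add((port, proto))
    return dict(deps)


def third_party_dependencies(flows):
    """Step 1: external endpoints the mapped workloads actually talk to."""
    return sorted({dst for _, dst, _, _ in flows if dst in THIRD_PARTIES})


def matches(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(flow, quarantine=frozenset()):
    """Step 3: default deny; a quarantined endpoint overrides every allow rule."""
    src, dst, port, proto = flow
    if src in quarantine or dst in quarantine:
        return "deny", "quarantined endpoint"
    s, d = labels_for(src), labels_for(dst)
    for i, rule in enumerate(ALLOW_RULES):
        if (matches(s, rule["src"]) and matches(d, rule["dst"])
                and port == rule["port"] and proto == rule["proto"]):
            return "allow", f"rule {i}"
    return "deny", "no matching allow rule (default deny)"


def unexpected_flows(flows):
    """Observed flows the allowlist would block: the 'previously unknown risks'."""
    return [f for f in flows if evaluate(f)[0] == "deny"]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for edge, ports in sorted(build_dependency_map(flows).items()):
        print("dependency", edge, sorted(ports))
    print("third parties:", third_party_dependencies(flows))
    for f in unexpected_flows(flows):
        print("review:", f, evaluate(f)[1])
    # Reactive containment: quarantine the prod web tier during an incident.
    print("after quarantine:", evaluate(flows[0], quarantine={"10.0.1.10"}))
```

Running the block flags the dev-to-prod database flow and the ad hoc SSH session as candidates for review, while the legitimate tiers, SIEM forwarding and the third-party call are allowed. The quarantine set shows the reactive case: once a host is quarantined, even its normally allowed flows are denied, which is the behaviour you want when containing a compromised system rather than rewriting rules under pressure.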
Get more information about how Illumio protects the banking sector.
Contact us today for a free demo and consultation.