Heads Up, Financial Sector, the EU Sends DORA Knocking on Your Door

The DORA regulation will enter into force in the EU towards the end of 2024. All entities providing products and services in the financial sector in the EU, plus their ICT vendors, should pay attention. CybExer Technologies, with its world-class cyber range technology, can help organizations conduct the soon-mandatory training and testing to make sure they maintain operational resilience in cyberspace.

Introduction

With the steady digitalization of financial services, especially banking, cyber security risks have become more and more pressing in the financial sector. As a result, it has been acknowledged at the EU level that ICT incidents and a lack of “operational resilience” have the potential to put the entire financial system at risk, should a major incident occur.

Traditionally, financial institutions have managed their operational risks mainly by securing capital adequacy and managing the allocation of capital. Beyond capital, however, many other aspects of securing operational capabilities in the case of an ICT incident have not been formally regulated. Hence, the capabilities of financial institutions to identify, protect, detect, respond, and recover in case of ICT incidents have varied a lot.

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) enters into force on 17 January 2025. After that, banks and financial institutions must adhere to the DORA regulation, which sets explicit rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring.

What role can cyber ranges play in helping banks and financial institutions prepare for the DORA regulation and, at the end of the day, safeguard themselves and the entire financial system against severe ICT incidents? This article discusses that question.

DORA: Why should you care and what is the timeline?

The ultimate goal of DORA is to set uniform requirements for the security of the network and information systems of companies and organizations operating in the financial sector across the EU. DORA also applies to critical third parties that provide ICT-related services to them, such as cloud platforms or data analytics services.

DORA creates a regulatory framework for “digital operational resilience”. It essentially means that all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

DORA will officially enter into force on 17 January 2025, yet the regulation will apply starting from late 2024 across all EU member states.

So whom exactly does DORA concern? The entire financial sector, including banking, insurance, asset management, credit institutions, e-money institutions, crypto-asset service providers and investment firms, will be affected by DORA. Importantly, DORA also applies to critical third parties, meaning those organizations that provide ICT services to the above-mentioned group, across all EU member states.

Hence, if your organization operates in the financial sector or provides ICT services to such organizations in any of the EU member states, you should start paying attention to DORA and considering what it will mean for your organization at both the strategic and operational levels. Now is a good time to start – there’s time to prepare, but not more than two years.

How does DORA relate to the NIS2 regulation?

The NIS2 regulation, discussed in our previous article on NIS2, sets out cyber security risk management and reporting obligations for relevant organizations (far beyond the financial sector), as well as obligations on cyber security information sharing, so its coverage overlaps in part with that of DORA.

However, the differences between NIS2 and DORA were addressed during the legislative process to ensure that financial entities have full clarity on the specific rules on digital operational resilience they will need to comply with when operating within the EU.

NIS2 also states that any potential overlaps between the two regulatory schemes concerning financial institutions will be addressed by DORA. In other words, DORA, as the more specific law, will override the more general NIS2 provisions as far as the financial sector is concerned.

How can CybExer Technologies help you with the DORA implementation?

The DORA regulation essentially means that financial institutions and their ICT providers will need to familiarize themselves with, and prepare to build, a number of new skills and capabilities. CybExer Technologies, with its cyber range exercises, can help in the following ways:

  • Regular training for both senior management and technical staff. To ensure competent leadership in managing ICT risks once the DORA regulation is in force, members of the management teams of financial institutions will be required to have and maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the organization’s operations. This means that entities need to have a programme in place for regular training, not just for staff directly engaged in managing ICT risks and overseeing arrangements with ICT third-party providers, but also for members of the management board. On top of that, financial entities must develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. This rule applies to all employees, including senior management.

CybExer’s core cyber range offering is well suited to regular training for both the technical staff and the senior management of financial institutions. Examples of the training and exercises we regularly conduct for our clients include live-fire, capture-the-flag, and threat hunting exercises, as well as employee testing.

  • Resilience testing. The requirements for financial entities are divided into several areas of cyber security and operational resilience, one of them being digital operational resilience testing.

As an integral part of the ICT risk management framework, financial entities are required to establish a comprehensive digital operational resilience testing programme. The programme must be proportionate to the institution’s size, business, and risk profile. Financial entities need to ensure that all critical ICT systems and applications are tested at least annually, with the testing undertaken by independent parties, whether internal or external.

Advanced threat-led penetration testing, covering the critical functions, must be executed at least every three years. Threat-led penetration testing, also known as red/purple team assessment, is something CybExer has been conducting for its clients with successful results. We are available to apply threat-led penetration testing approaches and methods for financial institutions as well.
