What is the Digital Operational Resilience Act (DORA)?
Explore the Digital Operational Resilience Act (DORA) and its significance for EU financial institutions. Dive into the five compliance pillars and learn how Weaveworks can assist in meeting DORA's requirements.
In the rapidly evolving digital finance landscape, the European Union has taken a proactive step to ensure the robustness and reliability of information and communication technology (ICT) systems. The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and applies from 17 January 2025, giving organizations a two-year window to align their practices. The regulation requires EU financial entities and the ICT third-party service providers they rely on to strengthen their ICT risk management frameworks.
This article will shed light on the DORA Act, its significance to the financial sector, the five pillars for compliance, and more. Let’s jump in.
What is DORA?
The Digital Operational Resilience Act, commonly referred to as DORA (Regulation (EU) 2022/2554), is a European Union regulation designed to enhance the resilience of the financial sector against information and communication technology (ICT) risks. Proposed as part of the European Commission's digital finance package and in force since January 2023, its primary objective is to fortify the EU's financial institutions against ICT disruptions, ensuring continuous and reliable operations even in challenging scenarios.
Before DORA, financial institutions managed operational risk predominantly through capital allocation. That approach did not cover all aspects of operational resilience, particularly those related to ICT. DORA fills this gap by introducing binding rules that institutions must follow, covering the protection against, detection of, containment of, recovery from and repair of ICT-related incidents. The regulation rests on five pillars: ICT risk management, incident reporting, operational resilience testing, third-party ICT risk management, and information sharing.
Which Organizations are Affected by DORA?
DORA casts a wide net, impacting a broad range of financial entities and ICT service providers operating within the European Union. With over 22,000 such entities within the EU, and more outside of it that serve EU financial entities, understanding the breadth of its application is crucial.
Financial Institutions Affected by DORA:
- Banks and Credit Institutions: Traditional banking institutions and credit agencies.
- Payment and E-money Institutions: Entities that handle electronic money transfers and digital payment services.
- Investment-Related Entities: This category includes investment firms, managers of alternative investment funds, and UCITS management companies.
- Crypto-Related Entities: Crypto-asset service providers and issuers of asset-referenced tokens.
- Insurance and Pension Related: Insurers, reinsurers, institutions for occupational retirement provision, and insurance intermediaries.
- Other Financial Services: Account information service providers, crowdfunding service providers, administrators of critical benchmarks, trading venues, central counterparties, central securities depositories, trade repositories, credit rating agencies, and data reporting service providers.
ICT Service Providers Impacted by DORA:
The scope of DORA extends beyond traditional financial institutions to the ICT third-party service providers, cloud and non-cloud, that supply ICT services to financial entities in the EU. This covers, among others:
- Digital Service Providers and Operators: Those who supply software, data services or hosting to financial entities as a service.
- Domain Name System Providers: Entities managing and resolving domain names on which financial entities depend.
- Content Delivery Network Providers: Organizations responsible for distributing internet content for financial entities.
- Critical ICT Third-Party Providers: Providers whose failure could affect the stability of the financial system, such as companies managing the networks of financial entities. These may be designated as critical by the European Supervisory Authorities and placed under a dedicated oversight framework.
The 5 Pillars of DORA
DORA sets out requirements for both financial entities and ICT suppliers in five key areas: governance and ICT risk management, incident reporting and response, resilience testing, management of third-party risk, and information sharing. Information sharing is encouraged but not mandatory. The requirements apply proportionately to the size, nature and risk profile of the entity, so smaller organizations are not held to the same stringent criteria as their larger counterparts.
The five pillars of DORA are:
#1 ICT Risk Management
DORA positions ICT risk management at the forefront, holding an organization's management body (board members, executives, and senior managers) accountable for its implementation. They must define and approve a comprehensive ICT risk management framework, continuously assess risks, and stay informed about the ICT threat landscape. Entities must map their ICT systems, identify critical assets and functions, and understand their interdependencies.
Additionally, they must conduct regular business impact analyses and set risk tolerance levels that shape their ICT infrastructure. The regulation also requires business continuity and disaster recovery plans covering a range of cyber risk scenarios, including service disruptions and cyberattacks.
#2 Incident Reporting
DORA emphasizes the importance of a structured approach to incident reporting. Entities within scope must have robust processes for monitoring, managing, documenting, classifying and reporting ICT-related incidents.
Depending on an incident's severity, entities may be obliged to communicate details to competent authorities and to affected clients and partners. For major ICT-related incidents, a three-stage reporting approach is set out:
- Initial notification of the incident
- An intermediate update on the resolution progress
- A conclusive analysis pinpointing the root causes
The specifics, such as how incidents are classified, which ones must be reported, and the associated timelines, were at the time of writing still being drafted by the European Supervisory Authorities as regulatory technical standards. Key details to be included in reports include the number of clients or counterparties affected, the volume of data lost, the severity of the impact on ICT systems, the geographical spread, the criticality of the affected services, and the economic impact.
#3 Operational Resilience Testing
Operational resilience testing is another crucial pillar of DORA, requiring entities to regularly evaluate the robustness of their ICT systems. Through regular testing, organizations can gauge the effectiveness of their security measures and find vulnerabilities that might otherwise go unnoticed. Such evaluations are not merely for internal consumption: findings must be prioritized, classified and remediated, and for threat-led tests a summary of findings and the remediation plan are submitted to the competent authority, which attests that the test was performed in line with the requirements.
DORA requires entities to test, at least annually, the ICT systems and tools that support critical or important functions, using methods such as vulnerability assessments and scenario-based testing. The rigor increases for financial entities whose failure could affect the stability of the financial system. Such entities are required to undergo threat-led penetration testing (TLPT) at least once every three years, and ICT third-party providers supporting the functions in scope take part in the test.
DORA requires testing to be carried out by independent parties, internal or external. For TLPT, the testers must be suitably qualified, internal testers may be used only under conditions set by the regulation, and at least every third TLPT must be performed by external testers. Securing such testers requires foresight and planning, because a TLPT is conducted under the supervision of the competent authority and its scope must be agreed with that authority in advance. With the process potentially spanning close to two years, organizations are advised to start preparing without delay, given that DORA applies from 17 January 2025.
#4 Managing Third-Party Risk
Given the interconnected nature of today's financial ecosystem, managing third-party risk is vital. Under DORA, organizations must proactively manage ICT third-party risk. This includes negotiating stringent contractual terms covering exit strategies, audit and access rights, service-level targets, security requirements and more when outsourcing critical or important functions. Organizations may only contract with ICT providers that can meet those requirements. DORA also provides for standard contractual clauses to be developed to ease compliance.
In addition, financial entities must diversify their third-party dependencies to prevent over-reliance on a single or few providers.
This pillar makes comprehensive third-party risk management an integral part of a financial entity's ICT risk framework, including maintaining a detailed register of information on all contractual arrangements with ICT providers and reporting that register to competent authorities at least annually. Non-compliance can lead to supervisory measures and financial penalties.
#5 Information Sharing on External ICT-Related Incidents
DORA promotes collective learning by encouraging financial entities to share threat intelligence and information on ICT-related incidents with one another. Participation is voluntary, and the arrangements must safeguard the information exchanged, so that personal data remains protected under the GDPR and business confidentiality and competition rules are respected. DORA sets out the conditions for such exchanges so that the financial sector as a whole can improve its defenses against operational threats.
A significant step by DORA is the push for standardized reporting of major ICT incidents across European finance, enhancing collective response capabilities. This has led to the introduction of uniform protocols for monitoring, classifying, and notifying relevant authorities about ICT incidents.
How Weaveworks Can Help
At Weaveworks, we take compliance and security very seriously. We recently open-sourced our Weave Policy Agent, a policy-as-code engine based on Open Policy Agent. It enforces security, compliance and best-practice policies for Kubernetes applications and integrates with GitOps workflows.
Weave GitOps Assured is a continuous delivery platform powered by open-source projects Flux CD, Flagger, Weave Policy Agent, and more. Built on the principles of GitOps, Weave GitOps provides visibility and audit logs for continuous reporting. Weave GitOps Assured delivers assured builds of open-source Flux CD through Weaveworks’ release binaries, complete with bitstream assurance (CVEs, hotfixes, etc.) and an SLA. Our solution allows you to customize and innovate using open-source software while ensuring compliance with regulations such as the DORA Act.
Contact us today to learn how Weave GitOps Assured can help you ensure robust isolation and compliance throughout Kubernetes deployments.