Quickstart: DORA (Digital Operational Resilience Act)

09.02.2024

Roman Yankin

Open Source

What is DORA?

DORA stands for Digital Operational Resilience Act. It is an EU regulation aimed at financial institutions that defines uniform, EU-wide requirements to guarantee a consistent level of cybersecurity maturity and operational resilience across all of their operations within the EU.

DORA is structured around four fundamental principles:

  • IT and Cybersecurity Risk Management: Financial institutions are required to identify, evaluate, and oversee their IT and cybersecurity risks. The regulation mandates these institutions to formulate policies and procedures aimed at protecting their systems and data against cyber threats.
  • Business Continuity Management: Financial institutions are required to create thorough business continuity plans, ensuring their capability to deliver services to clients during operational disruptions. This involves implementing backup systems, alternative communication channels, and disaster recovery plans.
  • Supervision and Oversight: The regulation establishes a framework for supervisory and oversight authorities to assess and monitor the operational resilience of financial institutions. This entails providing supervisory authorities with the power to conduct inspections, request information, and impose sanctions as needed.
  • Monitoring third-party ICT risks: Financial institutions must monitor and manage risks associated with third-party providers, such as cloud providers, and ensure that their digital resilience measures are also in line with DORA requirements.

Because DORA is a Regulation, not a Directive, it is binding in its entirety and directly applicable in all EU Member States without national transposition. DORA entered into force on 16 January 2023 and applies from 17 January 2025.

Responsibility of the management around maintenance of the up-to-date SBOM

The management body, such as the Management Board in banks, is accountable for ICT risk management. DORA Article 5 mandates the management body to define, approve, and oversee the ICT risk management framework. This includes ultimate responsibility for managing ICT risk and approving the digital operational resilience strategy. Members of the management body must stay informed through regular, ICT-specific training so that they can understand and assess ICT risks and their impact on the financial entity's operations. In practice that is not possible without a comprehensive, up-to-date SBOM documenting the composition of the software products the entity uses: without it, neither the entity nor its management body can say which components a newly published vulnerability actually affects.

Who is affected by DORA?

DORA generally applies to all regulated financial entities within the EU, and also reaches the ICT third-party service providers that serve them, with only a few exceptions. It encompasses a wide range of entities in the financial sector, including payment institutions, asset management companies, rating agencies, and ICT and crypto-asset service providers. While there is room for individual exceptions, such as in the case of development banks, these are defined at the national level.

Additionally, critical ICT third-party providers are themselves regulated under DORA. Each critical ICT service provider is designated a Lead Overseer (one of the ESAs). The table below summarises the affected bodies:

  • Financial Entities
    Credit institutions, Payment institutions, Account information service providers, Electronic money institutions, Central securities depositories, Central counterparties, Investment firms, Crypto-asset service providers, Trading venues, Trade repositories, Alternative Investment Fund Managers, Management companies, Data reporting service providers, Insurance and reinsurance undertakings, Institutions for occupational retirement provision, Credit rating agencies, Administrators of critical benchmarks, Crowdfunding service providers, Securitisation repositories
  • ICT Third Party Service Providers
    An ICT third-party service provider is a business that offers ICT services. ICT services are digital and data services delivered through ICT systems to internal or external users on an ongoing basis. This includes hardware as a service and hardware services that involve technical support through software or firmware updates by the hardware provider. Notably, traditional analogue telephone services are excluded from the scope of ICT services.

Who is exempt from DORA?

Statutory auditors are not subject to DORA for now; the regulation's review clause asks the Commission to reconsider whether they should be included, which may lead to a revision of the rules pertaining to auditors.

What is the impact of DORA on financial institutions?

DORA is expected to have a profound effect on financial institutions operating within the European Union. Below are some examples of such influence:

  • Increased compliance costs: Additional resources, processes, and systems will need to be put in place to comply with the new requirements outlined in the regulation.
  • Increased regulatory oversight: The regulation grants supervisory authorities heightened powers to monitor and assess the operational resilience of financial institutions, resulting in increased regulatory oversight and potentially more frequent and rigorous regulatory examinations.
  • Changes in business practices: For instance, some institutions may need to review and update their outsourcing arrangements, enhance their cybersecurity measures, and improve their business continuity plans.
  • Emphasis on risk management: The regulation mandates financial institutions to establish a robust risk management framework, requiring the development and implementation of more rigorous risk management processes and procedures.

How is DORA enforced when non-compliance is discovered?

  • Administrative penalties: DORA leaves the type and level of administrative penalties for financial entities to the Member States (Article 50), so the amounts vary by jurisdiction. The one figure fixed in the regulation itself concerns critical ICT third-party providers: the Lead Overseer may impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover (Article 35).
  • Corrective actions: Supervisory authorities have the authority to mandate financial institutions to implement remedial measures, addressing any deficiencies or shortcomings in their operational resilience.
  • Public reprimands: Supervisory authorities may publicly reprimand financial institutions that fail to comply with the requirements of the regulation.
  • Suspension: Supervisory authorities may suspend or withdraw authorisation of financial institutions that repeatedly fail to comply with the requirements of the regulation.
  • Restitutions: Financial institutions may be required to compensate customers or third parties for any damages resulting from a failure to comply with the requirements of the regulation.

How long do financial institutions have to implement the DORA regulations?

DORA gives financial institutions a two-year preparation period (2023 and 2024) to align their governance and practices with the regulation's resilience pillars and to develop a roadmap for implementation. The regulation has already entered into force; its requirements apply from 17 January 2025, by which point the mandatory reporting, assessment and testing arrangements must be in place.

How is the use of Open Source affected by DORA?

When it comes to the use of FOSS libraries, it is the responsibility of the financial entity to track and monitor the risk associated with such libraries; DORA does not exempt a component from risk management because it was obtained free of charge rather than from a contracted provider.
Below are some extracts from the DORA regulation on this point:

In order to achieve robust digital operational resilience…, financial entities should regularly test their ICT systems … with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. …testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing)…

The article on Identification (Article 7 in the Commission proposal, whose wording is quoted below; it is Article 8 in the adopted text) requires:

1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. Financial entities shall review as needed, and at least yearly, the adequacy of the classification of the information assets and of any relevant documentation.

DORA requirements around up-to-date Software Bill of Materials

Under Article 15, DORA tasks the European Supervisory Authorities (ESAs) with developing Regulatory Technical Standards (RTS). In their Consultation Paper on the RTS on the ICT risk management framework, Article 10 (vulnerability and patch management) proposes that financial entities:

  • a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
  • b) ensure the performance of automated vulnerability scanning and assessments on ICT assets commensurate to their classification and overall risk profile of the ICT asset. For those supporting critical or important functions it shall be performed at least on a weekly basis.
  • c) ensure that ICT third-party service providers handle any vulnerabilities related to the ICT services provided to the financial entity and report them to the financial entity. In particular, financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root cause and implement appropriate solutions;
  • d) track the usage of third-party libraries, including open source, monitoring the version and possible updates;
  • e) establish procedures for responsible disclosure of vulnerabilities to clients and counterparts as well as to the public, as appropriate;

These requirements underscore the heightened importance of automated vulnerability scanning and timely mitigation. Under the proposed RTS, scanning at least weekly becomes mandatory for ICT assets that support critical or important functions, which presupposes that the entity knows which components those assets contain. There is an increased focus on supply-chain risk, with patching taking precedence in vulnerability elimination efforts.
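Points (b) and (d) above are the ones that can be automated end to end: match every component recorded in the SBOM against a vulnerability feed, and flag components for which a newer release exists. The following is an added example written for this article, not Bitsea's tooling and not text from DORA or the RTS. The CycloneDX SBOM, the OSV-style advisory feed, the "latest release" table and the `supports-critical-function` property are all constructed for illustration; in a real pipeline the feed and the latest-version table come from sources such as OSV and the package registries.

```python
"""Check a CycloneDX SBOM against a vulnerability feed and flag outdated components.

Added example for this article, not Bitsea's tooling and not text from DORA or the RTS.
Package names, advisory identifiers and version numbers below are all constructed.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM. "supports-critical-function" is a hypothetical
# property used here to carry the entity's asset classification (RTS point b).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-json", "version": "2.14.1",
     "purl": "pkg:maven/com.acme/acme-json@2.14.1",
     "properties": [{"name": "supports-critical-function", "value": "true"}]},
    {"type": "library", "name": "acme-tls", "version": "3.0.0-rc1",
     "purl": "pkg:maven/com.acme/acme-tls@3.0.0-rc1"},
    {"type": "library", "name": "tinyhttp", "version": "1.2",
     "purl": "pkg:pypi/tinyhttp@1.2",
     "properties": [{"name": "supports-critical-function", "value": "true"}]}
  ]
}"""

# Constructed advisory feed in an OSV-like shape: a package is affected from
# "introduced" (inclusive) up to "fixed" (exclusive); no "fixed" means unfixed.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:maven/com.acme/acme-json",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.15.0"}]},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:maven/com.acme/acme-tls",
     "ranges": [{"introduced": "3.0.0"}]},                 # 3.0.0-rc1 predates 3.0.0
    {"id": "EXAMPLE-2024-0003", "package": "pkg:pypi/tinyhttp",
     "ranges": [{"introduced": "0", "fixed": "1.2.0"}]},   # 1.2 == 1.2.0, so fixed
]

# Constructed "latest release" table standing in for a registry lookup (RTS point d).
LATEST = {"pkg:maven/com.acme/acme-json": "2.17.2",
          "pkg:maven/com.acme/acme-tls": "3.0.0-rc1",
          "pkg:pypi/tinyhttp": "1.3.0"}


def version_key(v: str) -> tuple:
    """Order dotted numeric versions: '1.2' == '1.2.0' and '3.0.0-rc1' < '3.0.0'.
    Other syntaxes (date stamps, epochs, distro suffixes) raise instead of being
    silently mis-ordered, which would hide an affected version."""
    core, _, pre = v.partition("-")
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unsupported version syntax: {v!r}")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (5 - len(nums))                 # pad so 1.2 == 1.2.0
    return nums + ((0, pre) if pre else (1, ""),)  # pre-release sorts before release


def is_affected(version: str, ranges) -> bool:
    v = version_key(version)
    for r in ranges:
        lo = version_key(r.get("introduced", "0"))
        hi = r.get("fixed")
        if lo <= v and (hi is None or v < version_key(hi)):
            return True
    return False


def purl_without_version(purl: str) -> str:
    return purl.split("@", 1)[0]


def scan_sbom(sbom_json: str, advisories, latest) -> list:
    """One finding per component: matched advisories, scan cadence implied by the
    classification, and whether a newer release is known."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        pkg = purl_without_version(comp["purl"])
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        critical = props.get("supports-critical-function") == "true"
        vulns = [a["id"] for a in advisories
                 if a["package"] == pkg and is_affected(comp["version"], a["ranges"])]
        newest = latest.get(pkg)
        findings.append({
            "package": pkg, "version": comp["version"],
            "supports_critical_function": critical,
            "scan_cadence": "weekly" if critical else "per risk profile",
            "vulnerabilities": vulns,
            "latest": newest,
            "update_available": bool(newest) and version_key(newest) > version_key(comp["version"]),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_sbom(SBOM_JSON, ADVISORIES, LATEST), indent=2))
```

Two details are deliberate. The version comparison refuses syntaxes it does not understand rather than guessing, because a mis-ordered version produces a silent false negative, which is the worst outcome for a control that is supposed to be run weekly. And the SBOM carries the asset classification alongside the component list, so the same file answers both "is this component affected" and "how often must this asset be scanned".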

How can Bitsea Help?

DORA establishes a new set of cybersecurity requirements for financial entities. From now on, financial institutions are responsible not only for their own ICT but also for managing the risks arising from the third-party providers they use.

One of the key areas in which every financial institution needs clear visibility is the software supply chain. This includes the use of open source: financial entities must identify components, manage components, track security vulnerabilities and install patches.
The EU's Cyber Resilience Act states the same expectation for manufacturers of products with digital elements: in order to facilitate vulnerability analysis, manufacturers should identify and document the components contained in their products, including by drawing up a software bill of materials (SBOM).

Bitsea supports you in all aspects of open-source management so that your company is protected both against compliance gaps and against cyber attacks on the software supply chain. Bitsea has over a decade of experience in helping businesses understand their code and in building highly detailed SBOMs customised to their needs.

In addition we:

  • Identify security vulnerabilities in the components listed in your SBOM.
  • Manage your SBOM: notify you whenever a new security vulnerability is detected in one of its components.
  • Set up tool chains to automatically analyse new software for open source components.
  • Manage FOSS data: which components are used in a software system.
  • Support with ISO/IEC 5230 and ISO/IEC 18974, including preparation for certification.