Digital Operational Resilience Act (DORA): Comprehensive checklist for companies

04.09.2024

Amy Jaqueline Wittmann

Open Source

Ms. Wittmann is a lawyer in Munich and a partner at Bitsea.

To enhance digital operational resilience, the European Commission has introduced the Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”) as part of its Digital Finance Package 2020. Currently, rules on digital resilience are scattered across various sector-specific EU laws and guidelines (e.g., MiFID II, CRD, PSD2, guidelines of the European Supervisory Authorities, “ESAs”, and the banking regulations of individual EU Member States), creating regulatory gaps and uncertainties that DORA seeks to resolve.

Set to take effect on January 17, 2025, DORA imposes new obligations on managing information and communication technology (ICT) risks and incidents, which financial institutions across nearly all sectors must follow.

 

Area of application


DORA is a significant EU regulation impacting both financial entities and ICT service providers. Critical third-party ICT service providers (CTPPs) will face direct obligations, including compliance with new rules and oversight by financial supervisory authorities. Other ICT service providers, while not classified as CTPPs, will still be affected, particularly through their contractual relationships with financial entities, which may require updates to meet DORA’s more extensive standards. This means that Financial Services, Tech, and Fintech companies, both EU and non-EU entities, are impacted if they provide services in the EU that fall under DORA; a non-EU company performing data analytics for a financial institution in the EU is one example. The financial entities in scope include:

  • Credit institutions (banks).
  • Investment firms managing assets or providing financial advice.
  • Managers of alternative investment funds and UCITS management companies overseeing collective investment schemes.
  • Insurance and reinsurance undertakings along with insurance intermediaries that manage risk and distribute policies.
  • Payment institutions and electronic money institutions facilitating electronic payments and issuing digital currency.
  • Account information service providers handling financial data.
  • Crypto-asset service providers involved in cryptocurrency transactions.
  • Trading venues such as stock exchanges.
  • Central securities depositories and central counterparties that manage securities and clear trades.
  • Trade repositories storing transaction data.
  • Securitisation repositories managing data on securitised assets.
  • Data reporting service providers ensuring compliance with reporting regulations.
  • Institutions for occupational retirement provision managing pension schemes.
  • Crowdfunding service providers facilitating peer-to-peer funding.
  • Credit rating agencies that assess creditworthiness.
  • Administrators of critical benchmarks overseeing the reliability of financial benchmarks.

Key Requirements under DORA

  • ICT Risk Management: Financial entities must establish comprehensive frameworks for identifying, managing, and reporting ICT risks to ensure resilience in the digital environment. This includes conducting vulnerability assessments, open-source analyses, and network security assessments to identify and mitigate potential risks. Article 7 of DORA requires these entities to document and review ICT-related business functions annually. In line with both the NIS2 Directive and DORA, organizations should implement comprehensive risk management practices, including maintaining a Software Bill of Materials (SBOM) to identify and address vulnerabilities in all software components.
  • Know your systems: According to RTS Article 5, ICT asset management procedures must detail the criteria for performing criticality assessments of information assets and ICT assets supporting business functions. This includes considering the ICT risks related to these business functions and their dependencies on information or ICT assets, as well as the impact of losing confidentiality, integrity, or availability of these assets on business processes and activities.
  • Operational Resilience Testing: Entities are required to conduct regular digital operational resilience testing, including advanced threat-led penetration testing for larger organizations.
  • Incident Reporting: Entities must comply with stringent requirements for reporting ICT-related incidents to regulatory authorities promptly and accurately.
  • Incident Reporting Requirements: Any entity covered by DORA must ensure that notification processes are in place to report major ICT-related incidents to the relevant competent authority and, in certain cases, to clients. The reporting framework includes:
    • Initial notification within 4 hours of an incident being classified as “major”, but no later than 24 hours after the incident becomes known.
    • Interim report within 72 hours of the initial notification, and an updated report without undue delay once regular activities have been recovered.
    • Final report within one month of the latest updated intermediate report.
  • Third-Party Risk Management: Financial institutions need to ensure that their ICT service providers, especially critical third-party providers, comply with new contractual obligations and standards.
  • Vulnerability and patch management: RTS Article 10 requires financial entities to carry out vulnerability and patch management for all system components. This includes performing automated vulnerability scanning, particularly for critical or important functions, at least on a weekly basis. Additionally, entities must ensure that ICT third-party service providers handle any vulnerabilities related to the ICT services provided and report them to the financial entity. Tracking the usage of third-party libraries, including open-source ones, is crucial, along with monitoring their versions and available updates.
  • Management of open source software (OSS): Financial entities are responsible for assessing the security practices of their open-source software suppliers, evaluating the origin and maintenance of open-source projects, and ensuring that these do not introduce vulnerabilities into critical systems. Regular testing of all open-source packages used for vulnerabilities is mandated, given the frequency of newly discovered vulnerabilities. This includes assessing all transitively dependent open-source packages, which may not be immediately obvious, even to developers.
  • Supervision and compliance: Critical third-party ICT providers will be directly supervised by financial authorities, while other providers must ensure indirect compliance through their contractual relationships.
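The two points above on vulnerability management and open-source software both hinge on one practical step: walking the dependency graph recorded in the SBOM so that transitive packages, not only the ones a developer added directly, are matched against advisories. The following is an added illustration, not code from the article or from Bitsea. The SBOM is a constructed, CycloneDX-style dictionary for a hypothetical “payments-service”, the advisory feed uses placeholder identifiers rather than real CVE numbers, and the version comparison assumes plain dotted numeric versions.

```python
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical "payments-service".
# Component names, versions and bom-refs are made up for this example.
# CycloneDX records the dependency graph in "dependencies": each entry lists
# the bom-refs that the component "ref" depends on directly.
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:generic/payments-service@2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/web-framework@4.1.0", "name": "web-framework", "version": "4.1.0"},
        {"bom-ref": "pkg:pypi/log-shipper@1.9.0", "name": "log-shipper", "version": "1.9.0"},
        {"bom-ref": "pkg:pypi/template-engine@3.0.2", "name": "template-engine", "version": "3.0.2"},
        {"bom-ref": "pkg:pypi/yaml-parser@5.3.1", "name": "yaml-parser", "version": "5.3.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/payments-service@2.3.0",
         "dependsOn": ["pkg:pypi/web-framework@4.1.0", "pkg:pypi/log-shipper@1.9.0"]},
        {"ref": "pkg:pypi/web-framework@4.1.0", "dependsOn": ["pkg:pypi/template-engine@3.0.2"]},
        {"ref": "pkg:pypi/template-engine@3.0.2",
         "dependsOn": ["pkg:pypi/yaml-parser@5.3.1", "pkg:pypi/log-shipper@1.9.0"]},  # closes a cycle
        {"ref": "pkg:pypi/log-shipper@1.9.0", "dependsOn": ["pkg:pypi/web-framework@4.1.0"]},
        {"ref": "pkg:pypi/yaml-parser@5.3.1", "dependsOn": []},
    ],
}

# Constructed advisory feed. The identifiers are placeholders, not real CVE numbers.
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "yaml-parser", "fixed_in": "5.4.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "log-shipper", "fixed_in": "1.8.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '5.3.1' -> (5, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def transitive_dependencies(sbom, root_ref):
    """Breadth-first walk from root_ref over the SBOM dependency graph.

    Returns {bom-ref: depth} for every component reachable from the root,
    where depth 1 means a direct dependency. The visited set stops the walk
    from looping on cyclic graphs, which real lockfiles do produce.
    """
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    depths = {}
    queue = deque([(root_ref, 0)])
    visited = {root_ref}
    while queue:
        ref, depth = queue.popleft()
        for child in graph.get(ref, []):
            if child in visited:
                continue
            visited.add(child)
            depths[child] = depth + 1
            queue.append((child, depth + 1))
    return depths


def find_vulnerable(sbom, advisories, root_ref=None):
    """Match every reachable component, direct or transitive, against the advisories."""
    root_ref = root_ref or sbom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for ref, depth in transitive_dependencies(sbom, root_ref).items():
        comp = components.get(ref)
        if comp is None:
            continue  # an edge to a component missing from the inventory deserves its own alert
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"ref": ref, "name": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "depth": depth, "direct": depth == 1})
    return sorted(findings, key=lambda f: (f["depth"], f["ref"]))


if __name__ == "__main__":
    for f in find_vulnerable(SBOM, ADVISORIES):
        kind = "direct" if f["direct"] else f"transitive (depth {f['depth']})"
        print(f"{f['advisory']}: {f['name']} {f['version']} is affected, {kind}")
```

Run against the constructed data, the only finding is `yaml-parser`, three levels below the application and never named in its own dependency file, which is exactly the case the text warns is “not immediately obvious, even to developers”. The `log-shipper` advisory produces no finding because the inventoried version is already past `fixed_in`; in a weekly scan that is the reassuring outcome, whereas an SBOM edge pointing at a component absent from the inventory should be escalated rather than silently skipped.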

Final Draft RTS on Subcontracting

On July 26, 2024, the European Supervisory Authorities (ESAs) released the final draft of the Regulatory Technical Standards (RTS) related to subcontracting under DORA. Companies subject to DORA must ensure that their contracts are updated before the enforcement date of January 17, 2025.

  • Key provisions on subcontracting: Article 30 of DORA contains a catalog of minimum content that must be included in outsourcing contracts with ICT service providers. These requirements extend beyond existing BCM outsourcing legislation, ensuring that third-party ICT service providers implement and test contingency plans and have measures, tools, and guidelines for ICT security.
  • ICT services for critical functions: ICT subcontractors supporting critical and important functions must implement incident response and business continuity plans that meet the requirements of Article 11 of DORA. These plans, along with service level agreements (SLAs), must be clearly defined and bindingly agreed upon in contracts.

Technical requirements under DORA

The European Central Bank’s (ECB) cyber resilience stress test results are currently under discussion and are expected to influence the finalization of the DORA requirements, particularly concerning AI-driven security measures. Regulatory authorities have highlighted the need to assess how existing legislation, such as the AI Act, GDPR, and DORA, addresses potential security risks posed by AI. The technical requirements under DORA place significant demands on IT departments, particularly within the financial services sector. These requirements include stringent vulnerability management, necessitating weekly vulnerability scans for critical functions, and the implementation of threat-led penetration testing (TLPT) with red teaming exercises every three years, as per TIBER-EU guidelines. IT departments must also enforce two-factor authentication and conduct thorough risk assessments of legacy ICT systems, especially those nearing the end of their support lifecycle.

Conclusion

As the enforcement date of January 17, 2025, draws near, DORA is poised to reshape the landscape of ICT risk management and operational resilience within the financial, Tech, and Fintech sectors. By consolidating and standardizing regulations across the EU, DORA addresses critical gaps, ensuring a unified approach to managing digital risks. Financial entities and ICT service providers, both within and outside the EU, must proactively align their operations with DORA’s stringent requirements to avoid potential non-compliance penalties and ensure uninterrupted business continuity. The provided checklist serves as a comprehensive guide for companies to navigate DORA’s complex regulatory environment. By following this checklist, businesses can systematically assess and enhance their ICT risk management frameworks, ensure robust incident reporting protocols, and maintain resilient relationships with third-party service providers. These proactive measures are crucial for achieving compliance and safeguarding against the growing threat of cyber disruptions in today’s digital economy.

Company Checklist for DORA Compliance

  1. Scope of application and availability:
    • Determine applicability: Confirm whether your company is within DORA’s scope (e.g., financial institutions, ICT service providers, non-EU entities providing services in the EU such as data analytics).
    • Identify impacted services: Determine which of your company’s business functions or services are affected by DORA.
  2. ICT Risk Management:
    • Establish an ICT risk framework: Implement a comprehensive ICT risk management framework that complies with DORA standards.
    • Document ICT functions: Maintain a software inventory (SBOM) for all ICT systems and ensure regular updates and reviews.
    • Conduct assessments: Perform regular vulnerability assessments, open-source software analyses, and network security evaluations.
  3. Operational Resilience Testing:
    • Digital resilience testing: Schedule and conduct regular digital operational resilience tests, including advanced threat-led penetration testing (TLPT) for larger organizations.
    • Critical function testing: Ensure that critical business functions undergo frequent testing to meet DORA standards.
  4. Incident Reporting:
    • Set up a reporting framework: Implement processes for reporting major ICT-related incidents according to DORA guidelines:
      • Initial report: Submit within 4 hours of classifying the incident as “major”, or within 24 hours of becoming aware of it.
      • Interim report: Provide updates within 72 hours of the initial notification, with further updates as necessary.
      • Final report: Submit a conclusive report within 1 month after the last intermediate report.
  5. Third-Party Risk Management:
    • Update contracts: Ensure all contracts with third-party ICT service providers are updated to reflect DORA’s requirements.
    • Implement contingency plans: Confirm that critical third-party providers regularly implement and test contingency plans.
    • Subcontractor compliance: Verify that all subcontractors adhere to DORA’s incident response and business continuity requirements.
  6. Supervision and compliance:
    • Prepare for supervision: Critical third-party ICT providers should prepare for direct supervision by financial authorities.
    • Ensure contractual compliance: Non-critical service providers must ensure compliance through updated contractual obligations.
  7. Business Continuity Management (BCM):
    • Review BCM processes: Strengthen existing BCM processes to meet DORA’s expanded requirements.
    • Testing and documentation: Regularly test and document BCM processes, focusing on recovery and restoration after ICT incidents.
  8. Technical Requirements:
    • Implement AI-driven security: Regularly update AI-driven security measures to align with DORA, the AI Act, and GDPR.
    • Conduct regular scans: Perform weekly vulnerability scans for critical functions and schedule periodic red teaming exercises.
    • Maintain cryptography standards: Implement strict cryptography policies, focusing on key management and keeping cryptographic technologies up to date.
    • Inventory management: Maintain an up-to-date asset inventory, specifically tracking open-source components.
    • Enforce authentication: Implement two-factor authentication and conduct risk assessments for legacy ICT systems.
  9. Contractual Obligations:
    • Detailed SLAs: Ensure contracts include comprehensive SLAs covering all DORA requirements.
    • Incident response plans: Clearly define and agree upon incident response and business continuity plans in contracts.
    • Regular testing: Include provisions for regular testing and updates of these plans.
  10. Training and Awareness:
    • Conduct training: Regularly train staff and management on DORA compliance, ensuring awareness of requirements and best practices.
    • Continuous learning: Update training programs as DORA guidelines evolve.
  11. Data Backup and Recovery:
    • Separation of systems: Implement physical and logical separation of backup systems across different environments.
    • Regular testing: Ensure backup systems are regularly tested and compliant with DORA’s resilience standards.
  12. Documentation and Reporting:
    • Maintain documentation: Keep thorough records of all ICT processes, tests, incidents, and compliance efforts.
    • Update regularly: Regularly update documentation to meet DORA’s stringent reporting requirements.

DORA FAQ:

  1. What is DORA, and to whom does it apply?
    • DORA, the Digital Operational Resilience Act, is an EU regulation designed to enhance the digital resilience of financial institutions. It applies to a broad range of financial entities, including banks, investment firms, insurance companies, and payment institutions. It also applies to non-EU companies that provide ICT services to EU-based financial institutions, imposing strict requirements on managing ICT risks, incident reporting, and third-party risk management.
  2. What are the key ICT risk management requirements under DORA?

Under DORA, financial entities must establish comprehensive ICT risk management frameworks. This includes:

  • Regular assessment and documentation of ICT-related business functions and assets.
  • Development and maintenance of a software bill of materials (SBOM).
  • Conducting regular vulnerability assessments and network security evaluations.
  • Implementing robust ICT risk management practices to ensure continuous operational resilience.
  3. How should companies handle incident reporting under DORA?
    • DORA mandates a structured incident reporting process for major ICT-related incidents, requiring:
      • Initial report: Submission within 4 hours of classifying an incident as “major”, or no later than 24 hours after becoming aware of it.
      • Interim report: Submission within 72 hours of the initial notification, with updates as needed.
      • Final report: Submission within 1 month of the last intermediate report, summarizing the incident and the corrective actions taken.
  4. What are the responsibilities of third-party ICT service providers under DORA?

Third-party ICT service providers, particularly those deemed critical, must:

  • Update contracts to include detailed Service Level Agreements (SLAs) that align with DORA requirements.
  • Implement and regularly test contingency plans, and ensure that subcontractors adhere to DORA’s incident response and business continuity plans.
  • Be prepared for direct supervision by financial authorities if classified as critical providers.
  5. What technical requirements must IT departments meet under DORA?

IT departments must meet several technical requirements under DORA, including:

  • Weekly vulnerability scans for critical functions.
  • Regular threat-led penetration testing (TLPT) with red teaming exercises.
  • Strict cryptography policies, including key management and updates to cryptographic technologies.
  • Comprehensive asset inventories, particularly for tracking open-source components.
  • Enforcement of two-factor authentication and thorough risk assessments for legacy systems.
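The reporting deadlines in question 3 (and in the “Incident Reporting Requirements” section above) interact in a way that is easy to get wrong in an incident playbook: the initial notification is due 4 hours after classification or 24 hours after awareness, whichever comes first, and each later clock starts from the actual submission time of the previous report. The calculator below is an added example written for this article, not code from the author or from Bitsea. It assumes that “one month” is read as a calendar month clamped to the end of the target month (so a report sent on 31 January is due by 28 February); the regulation text quoted on this page does not spell that detail out, so treat it as an assumption to confirm with your compliance function. All timestamps in the example are constructed.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Time limits as stated in the article: 4 h after classification, capped at
# 24 h after awareness; 72 h after the initial notification; one month after
# the last intermediate report.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)
INTERIM_AFTER_INITIAL = timedelta(hours=72)


def parse_ts(text):
    """Parse an ISO 8601 timestamp with offset, e.g. '2025-01-30T08:00:00+00:00'."""
    return datetime.fromisoformat(text)


def add_one_month(moment):
    """Calendar-month addition clamped to the last day of the target month.

    Assumption for this example: 'one month' means a calendar month, so
    31 January rolls to 28 (or 29) February rather than overflowing into March.
    """
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def initial_deadline(known_at, classified_at):
    """Earlier of: 4 h after the 'major' classification, 24 h after the incident became known."""
    if classified_at < known_at:
        raise ValueError("classification cannot precede awareness of the incident")
    return min(classified_at + INITIAL_AFTER_CLASSIFICATION,
               known_at + INITIAL_CAP_AFTER_AWARENESS)


def interim_deadline(initial_sent_at):
    """72 h from the moment the initial notification was actually submitted."""
    return initial_sent_at + INTERIM_AFTER_INITIAL


def final_deadline(last_interim_sent_at):
    """One (calendar) month from the last intermediate report actually submitted."""
    return add_one_month(last_interim_sent_at)


def reporting_schedule(known_at, classified_at, initial_sent_at=None, last_interim_sent_at=None):
    """Return the deadlines that can be computed so far.

    Later deadlines only exist once the earlier report has been sent, because
    each clock starts from the real submission time, not from the deadline.
    """
    schedule = {"initial": initial_deadline(known_at, classified_at)}
    if initial_sent_at is not None:
        schedule["interim"] = interim_deadline(initial_sent_at)
    if last_interim_sent_at is not None:
        schedule["final"] = final_deadline(last_interim_sent_at)
    return schedule


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed timeline: noticed on 30 January, classified as major the next morning,
    # so the 24 h cap after awareness binds before the 4 h-after-classification limit.
    known = datetime(2025, 1, 30, 8, 0, tzinfo=utc)
    classified = datetime(2025, 1, 31, 6, 0, tzinfo=utc)
    schedule = reporting_schedule(known, classified,
                                  initial_sent_at=datetime(2025, 1, 31, 7, 30, tzinfo=utc),
                                  last_interim_sent_at=datetime(2025, 1, 31, 12, 0, tzinfo=utc))
    for name, due in schedule.items():
        print(f"{name:8} due {due.isoformat()}")
```

Two behaviours are worth noticing when wiring this into a ticketing or SOAR workflow: a slow classification does not extend the initial deadline, because the 24-hour cap from awareness still applies, and the interim and final clocks should be keyed to the recorded submission times rather than to the deadlines, or an early submission will show a later due date than the regulation actually allows.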
