With a massive 55 percent increase in overall threat detections in 2022, the need for a more proactive and harmonized EU-regulation becomes urgent. In that respect, DORA is a key component for a continuous digital innovation of all financial services.
Security resilience in focus
With the vast number of attacks, protection alone is simply not enough. Instead, security resilience with the ability to be prepared for an event, knowing what and where to report an incident and get your services back up and running again after an event occurs, is crucial. And also to document these routines and processes.
For most actors within the financial sector, most things needed are already in place. The challenge now is to allocate and make all functions work together. For many actors, it’s about avoiding the risk of not being compliant, by going from a best practice to a more systematic, documented cybersecurity management.
In order to be DORA compliant, financial actors need to have the operational routines for five core pillars in place:
- ICT Risk Management
DORA require resilient ICT systems and tools, along with the ability to identify, classify and document protection, detection, and prevention measures. Actors also need to be able to respond and recover, learn, and evolve, with communication plans in place.
- ICT Incident Management
By following the information security lifecycle actors need to have an incident management process in place. With routines for classification of incidents and threats, with high attention on post-incident review and analysis of root causes, and also with a required reporting of major ICT-related incidents to the right authorities.
- Operational resilience testing
Actors need to test capabilities and functions, with a risk-based approach. They also need to execute a full range of appropriate tests, including advanced threat-led penetration testing and requirements on third party testers.
- Third party risk management
Monitoring ICT third-party risks, by registering information of the use of third-party providers, become mandatory. Always with an assessment before contractual arrangement and with content requirements for contracts.
- Monitoring and reporting
All actors need routines for reporting incidents, both internal and in exchange with other financial entities, and also for external reporting of major ICT-related incidents.
In order for these pillars to function properly, a good cybersecurity governance model need to be in place, securing roles and responsibilities, safeguarding the digital operational strategy and policies, and oversee and review risk control and monitoring.
Start planning the work now
January 2025 might seem far away but the key in being DORA-compliant is to start planning the work now. Make use of operations already in place, prioritize the work, and ask for assistance when needed.
Through our NanoLearning platform, Junglemap offers awareness as a service, which can be helpful when learning and awareness programs become mandatory, alongside with management participation in security.
With our standard courses in information security for all employees, for managers, and role-based courses targeting product and development teams, we hope to contribute with an important tool for any organization working to become digitally resilient.