October 29, 2024 Blogs 13 min read

Exploring DORA for financial services: How to effectively navigate the jungle of regulatory concerns

By KYND


In response to the rapidly increasing integration of technology in financial firms, and with cyber-attacks becoming more frequent, targeted, and complex than ever, an important regulation called DORA is now being implemented by the European Union.

Although it came into force on 16 January 2023, it will be fully applicable from 17 January 2025, and will be used to enforce effective cyber risk management and drive operational resilience. It applies to over 220,000 financial entities in the EU, including but not limited to banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers. While sharing similar goals with other regulations affecting the sector such as the FCA operational resilience policy or GDPR, the latest framework particularly focuses on Information and Communication Technology (ICT) risk. Although DORA is an EU regulation, UK firms conducting business in Europe will also need to comply with its requirements. Affected organisations will need to adapt by managing their cyber risk and only interacting with third-party vendors that offer "high, appropriate, and the latest information security standards."

But what exactly does this new regulation mean for financial firms? And, if your organisation is affected, how can you ensure you have the right defences in place to ease your compliance with DORA? We answer all of these questions and more in our latest blog. So read on!

So what is DORA?

This isn’t the explorer you’re looking for… DORA is not the adorable quest-solving heroine sporting her iconic bob, but the Digital Operational Resilience Act: a new EU framework, fully applicable from January 2025, intended to help prevent and mitigate cyber threats in the EU financial sector. DORA seeks to address the risks posed by the sector’s reliance on Information and Communication Technology (ICT) third-party providers (TPPs), and sets uniform requirements for financial organisations on ICT risk management, incident reporting, operational resilience testing, and third-party risk monitoring. Because it applies from January 2025, financial organisations need to prepare for compliance before that deadline. To help you avoid getting lost in the jungle of regulatory changes, KYND walks you through exactly what DORA compliance involves.

Understanding the five pillars of DORA

DORA separates digital operational resilience into five areas: 1) risk management, 2) incident reporting, 3) digital operational resilience testing, 4) third-party risk management, and 5) information and intelligence sharing. Let’s break down what these mean in a nutshell:

1. Risk Management: This pillar requires an organisation’s management body to have implemented measures to ensure that their ICT risk management framework is well-documented, outlining strategies, policies and procedures to secure ICT assets and the offline infrastructure supporting them, as well as periodically reviewing and auditing them.

2. Incident Reporting: DORA introduces fresh obligations for preparing for, responding to, and reporting ICT-related incidents and threats. In July 2024, further requirements were set out in Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), covering factors such as the number of users impacted, duration, geographic spread, data loss, impact on ICT systems, and criticality of the services affected. Major incidents must be reported within the same business day, and follow-up reporting is due after a week.

3. Digital Operational Resilience Testing: Organisations are required to run comprehensive risk-based tests at least once a year. In all cases external testing is necessary to assess readiness for handling ICT-related incidents and to identify weaknesses or gaps in digital operational resilience. As well as annual testing, financial entities will also be required to organise threat-led penetration testing of live systems every three years (a red-team style exercise), which must be performed by independent testers with approval from a DORA regulator to guarantee reliable test outcomes. Preparing for this process can be time-consuming, and organisations are strongly advised to begin as early as possible to allow sufficient time for regulatory approval.

4. Third-Party Risk Management: DORA aims to prevent systemic economic disruption by ensuring that financial entities have a robust, mature third-party risk management process in place. This involves maintaining an information register that records all ICT third-party providers, the services they provide, and the functions they support, together with an annual report on any changes made to that register. DORA also mandates annual assessments of critical providers to verify their compliance. Failure to demonstrate this through standard checks will lead to legal and financial consequences.

5. Information and Intelligence Sharing: DORA supports a more resilient environment for financial firms across Europe by promoting the sharing of critical information on threats and vulnerabilities across financial entities, regulatory authorities and technology providers. This aims to prevent the spread of cybercrime before a major economic impact occurs, as well as support and protect organisations from operational dangers.

Don't mess with DORA!

Preparations for compliance represent a significant and time-consuming task. But what are the consequences of non-compliance with DORA? The new regulation in the realm of financial services places the ultimate responsibility on board members and directors to implement the right measures to prevent and mitigate cyber threats. If an organisation fails to comply with DORA, these individuals will be held accountable and face significant repercussions such as reputational damage, shareholder litigation, regulatory fines, and even criminal charges – DORA requires Member States to provide for individual civil liability for board members, and it also leaves open the possibility for Member States to establish criminal liability. Despite the challenge, your organisation can leverage this opportunity to strengthen its cybersecurity posture, improve third-party risk management and enhance incident response capabilities, all while solidifying the trust of stakeholders.

What can financial organisations do to prepare?

There are several key steps you and your financial organisation can take to better prepare for the Digital Operational Resilience Act and ensure compliance. These steps include:

1. Establishing an incident reporting method in line with DORA's requirements within your organisation:

  • Implement a clear and structured incident reporting process that outlines the criteria for reporting operational disruptions or cyber incidents.

  • Define roles and responsibilities within your organisation for incident reporting and establish communication channels to promptly notify relevant stakeholders, including regulators if required.

  • Ensure that incident reports are documented, analysed, and used to improve incident response and recovery procedures.

2. Enhancing your corporate governance and compliance:

  • Appoint dedicated teams or individuals responsible for overseeing operational resilience and compliance with DORA requirements.

  • Establish effective communication channels with regulators to stay informed about updates, guidelines, and reporting obligations.

  • Regularly review and update internal policies and procedures to align with evolving regulatory requirements.

  • Engage in regular audits and assessments to ensure ongoing compliance with DORA's provisions.

3. Strengthening your organisation’s technology infrastructure and cybersecurity measures:

  • Invest in robust technology infrastructure to support the organisation's digital operations and ensure scalability, reliability, and resilience.

  • Implement strong cybersecurity measures, including firewalls, encryption, multi-factor authentication, and intrusion detection systems.

  • Regularly update software and operating systems and apply security patches promptly to address known vulnerabilities and protect against emerging threats.

  • Conduct regular vulnerability assessments to identify and address potential weaknesses in the digital infrastructure. If you haven’t already heard, KYND can help you understand and manage your organisation’s exposure easily and effectively. We dive into the details below.

4. Developing a risk management framework for your ICTs:

  • Establish a comprehensive risk management framework specifically tailored to your organisation's information and communication technologies (ICTs).

  • Introduce standardised third-party security assessments as a due diligence activity for your organisation to ensure the overall security of your potential ICT third-party provider. Instant and actionable vulnerability reports such as KYND’s can effectively support your organisation in performing pre-contract due diligence for your potential vendors with ease and speed – read more about it below.

  • Ensure that the agreements with the ICT third-party providers contain all necessary monitoring and accessibility arrangements, such as a full-service level description, indication of locations where data is being processed, etc.

  • Identify and assess potential risks associated with the organisation's digital infrastructure, including operational, technological, and cyber risks.

  • Develop risk mitigation strategies and controls to minimise the likelihood and impact of disruptions in your organisation.

  • Implement regular monitoring and reporting mechanisms to track your own risk exposure and that of your service providers. KYND's powerful, low-touch cyber risk management technology can help in managing third-party risks – read more about it below.

5. Strengthening your organisation’s incident response and recovery capabilities:

  • Establish clear protocols and procedures for incident response and recovery, including escalation paths and decision-making authorities.

  • Conduct regular training and drills to ensure your employees are familiar with their roles and responsibilities during cyber incidents.

  • Maintain up-to-date contact lists of internal and external stakeholders involved in incident response, including regulators, law enforcement, and relevant vendors.

  • Develop a robust business continuity plan to ensure critical functions can be maintained or quickly restored in the event of a disruption.

6. Planning for large-scale penetration testing:

  • Conduct regular penetration testing exercises to assess the security and resilience of your organisation's digital systems. Be sure to engage your critical technology and data service providers in this process too.

  • Define specific scenarios and objectives for the pen-testing exercise to simulate real-world cyber threats.

  • Engage qualified and independent third-party experts to perform the penetration testing and provide objective insights into vulnerabilities and areas for improvement.

  • Use the results of pen-testing to enhance cybersecurity measures, address identified weaknesses, and update incident response plans.

7. Investing in employee training and awareness:

  • Provide comprehensive training programs to educate your employees about DORA requirements, cyber security best practices, and incident response procedures.

  • Foster a culture of digital resilience by promoting employee awareness of potential risks and their role in maintaining operational resilience.

  • Encourage reporting of potential vulnerabilities or incidents through internal reporting channels and anonymous reporting mechanisms.

By adopting these measures, your organisation can proactively prepare for DORA and enhance your operational resilience in the face of ever-growing cyber threats. Compliance with the new EU regulation not only mitigates operational risks but also helps protect your organisation's reputation, customer trust, and overall stability in today’s dynamic digital landscape.


How KYND can help financial organisations

Manage your risks easily with KYND

DORA is undeniably a large and comprehensive piece of legislation, and it can be overwhelming not knowing where to start. Thankfully, KYND’s powerful suite of cyber risk management technology and services can help you identify and manage your financial organisation’s cyber risks and those of your critical vendors in a simple and efficient way, effectively supporting your organisation’s overall risk management strategies and regulatory compliance.

To manage your own exposure, KYND ON, our cutting-edge proactive risk-monitoring technology, continuously monitors your organisation to give you a comprehensive and actionable overview of your risks at a glance, along with prioritised remedial actions. KYND ON also includes an advanced vulnerability scanning tool that uses a catalogue of known exploited vulnerabilities. This value-add tool focuses on the vulnerabilities that are actively being exploited and therefore pose the most significant risk. KYND scans against that list of threats on an ongoing basis, so rather than handing you a vast array of data that you may not know how to interpret, KYND curates and prioritises the most pressing issues.

Be in control of your third party risk with KYND

Financial institutions are increasingly relying on third parties outside the finance sector for key functions or services, such as cloud-based computing services, external HR bodies, office suppliers, or legal firms. Although outsourcing processes is common, it has also become riskier with the advent of digitisation and remote work, since allowing third parties to access your systems remotely is now standard practice. Because financial organisations are entrusted with so much valuable information, due diligence is an inescapable reality, and this means that auditing potential third-party suppliers before contracting is a necessity. With KYND START, you can perform an instant and non-invasive scan of any organisation, such as a vendor you are planning to use. It provides an overview of all that organisation's risks, with a prioritised list of remedial actions for them to take should they want to be contracted by you.

KYND SIGNALS is a powerful third-party risk management solution that helps financial organisations efficiently identify and address the cyber risks facing their vast third-party ecosystems. By leveraging its industry-leading advanced cyber risk analytics, KYND SIGNALS empowers you with immediate insights into your organisation's third-party exposure. Armed with this knowledge, you can effectively assess the potential risks posed by your vendors and take better-informed risk management decisions for your organisation in a timely manner. By being proactive in your risk management, you can ensure comprehensive security and support regulatory compliance throughout your organisation, simultaneously minimising the likelihood of cyber incidents occurring.

When you’re supported by KYND, adhering to DORA regulations is easier and quicker. KYND is therefore essential for financial services organisations that need to stay on top of changing regulatory action and a constantly evolving cyber threat landscape. If you'd like to find out more about how KYND's technology can help you face upcoming regulatory changes such as DORA, please reach out to our team of friendly experts, who will provide you with comprehensive information about our industry-leading cyber risk management services. Get in touch with us today.

