DORA blog series #1


#1 Another European cyber regulation … not quite.

The Digital Operational Resilience Act (DORA) comes into force in January 2025 for financial entities operating in Europe, and for their ICT suppliers.  Whilst most are expecting a soft launch, being resilient is not a quick fix.

In this first post in my series on the DORA regulation, I’ll cover the synergies and overlaps with existing frameworks and standards.

Frameworks and Standards

All the common cybersecurity frameworks cover risk management, incident response and third-party risk management.  NIST CSF 2.0 has a new Govern function, emphasising the importance of risk management within the organisational context.  The implementation of ISO 27001 often requires organisations to rethink their risk management strategy, involving board and senior executives on the journey.  The CIS18 framework covers Service Provider Management as a core control, even within the minimal Implementation Group (IG1).

Therefore, if your organisation aligns to, or is based upon, an existing cybersecurity framework, then you are on the right track for DORA compliance.  The area you are most likely to need to mature is the risk management ownership at the most senior leadership level of the organisation.  It is also not sufficient to discuss risks in general terms; risks should be linked to business processes with impact analysis performed to understand how disruptions will affect the business and what measures are in place to mitigate the risks.

Where existing frameworks are weak is in testing an organisation’s operational resilience.  Testing within NIST, ISO 27001 and CIS18 focusses on the organisation’s defences, backups, awareness, software vulnerabilities and incident response.  DORA goes a step further, outside the bounds of traditional cybersecurity and into Business Continuity Management.  Therefore, the responsibility for DORA will not sit solely with the CISO.

DORA’s innovation is the mandated Threat-Led Penetration Testing (TLPT), which is to take place at least every 3 years and could involve several financial entities.  These tests will focus on critical functions, be performed in live production environments and must be run by external teams.

What next?

On the 1st October 2024, Marc Andries started as Director for DORA oversight of critical third party suppliers, appointed by the joint European Supervisory Authorities (ESAs).  Marc continues to work for the Banque de France and the European Central Bank.  Regulatory technical standards will follow, which will help financial organisations when selecting critical ICT 3rd party vendors.

In my next post, I will look at overlap and synergies with other EU regulations and directives.

#DORA #regulation #EU #cyber #cybersecurity