A demanding framework for a strategic sector
DORA aims to respond to the threat faced by a financial sector undergoing digital transformation. The financial sector is the second most targeted industry for cyberattacks: 77% of financial organizations detected an attack on their infrastructure in 2023, compared to 68% for other sectors [1].
DORA is also part of the European Commission's Digital Finance Strategy, which aims to foster innovation and the adoption of new technologies while ensuring financial stability and the protection of European investors and consumers. The text brings together and harmonizes the various regulations that until now have governed the cybersecurity of the financial sector in the Union.
DORA's reach extends beyond the 21 types of financial sector entities directly in scope: it now also covers their IT service providers and subcontractors, i.e. nearly 15,000 players across their value chain.
A risk-based approach to governance
DORA promotes a broad and ambitious risk-based approach to governance. Five pillars are identified as essential to strengthen the operational resilience of the financial sector. The first, the most demanding and structuring for the entities concerned, provides for strengthened governance and the establishment of a comprehensive ICT risk management framework. Article 6 calls on organizations to establish a risk management framework that is "robust, comprehensive and well-documented, which enables them to address cyber risks in a timely, efficient and comprehensive manner." The framework will need to include the strategies, policies, procedures and protocols necessary to protect physical infrastructure and computer hardware, as well as information assets (i.e. the data). A comprehensive mapping of assets, risks and the associated security measures will be essential to control the level of exposure to cyber risk. A "digital resilience strategy" will define the terms of its implementation.
Article 5 of the regulation places responsibility for operational resilience, and ultimate responsibility for risk management, on the general management team, which "defines, approves, supervises and is responsible for the implementation" of this framework. Management will therefore have to determine its level of risk tolerance and, on the basis of an aggregated view of the risks, decide which risks to reduce through intervention, which to accept, and which to transfer.
The associated system of penalties is intended to be a deterrent: administrative sanctions, corrective measures, and even the possibility for Member States to introduce criminal sanctions. This is a way of emphasizing that cybersecurity cannot be the concern of CISOs, CIOs, or compliance departments alone, but that it is a shared responsibility and must be addressed at the highest level of organizations. Decisions to impose an administrative penalty may be published on the official website of the competent authorities. Compliance with cyber requirements is more than ever a real reputational issue.
DORA involves the entire supply chain of financial entities and underlines that financial entities remain responsible for ensuring that all obligations arising from it are respected and fulfilled with regard to their suppliers. It is now up to them to define a third-party risk strategy and policy, keep a register of all their contractual agreements, and identify third parties that support critical functions before entering into a contract. Entities in scope will therefore have to assess the cyber posture of their subcontractors and suppliers in order to choose service providers wisely, thereby reducing their cyber risk and ensuring the highest achievable level of security. This is essential to ensure the resilience of the sector across the entire value chain.
Stricter requirements
The text requires financial entities to establish and implement an incident management process to detect, manage and report incidents, as well as to classify them against certain predefined criteria. It also includes an obligation to report major incidents to the Top Management and the regulatory authorities, as well as a system of voluntary notification of "significant" cyber threats, in formats and content harmonized across Europe.
These measures should allow supervisory authorities to respond more quickly to threats or attacks, and also help regulated organisations to better understand how the threat landscape is evolving. DORA also requires financial entities to establish, maintain and review a robust and comprehensive digital operational resilience testing programme to assess "IT incident readiness, identify weaknesses, failures, or gaps in digital operational resilience." The last pillar, which is not mandatory, empowers financial entities to set up mechanisms for sharing information and intelligence on cyber threats.
Beyond compliance, the path to resilience
Companies must actively prepare for compliance. Of the five pillars, risk management related to ICT service providers is by far the most delicate: the approach is complex and will have to involve almost all business lines in a cross-functional way, as well as external stakeholders.
To start working towards compliance with DORA, companies must:
Determine the suppliers and third parties involved, and the requirements to which they will be subject, which may differ slightly depending on their nature and status;
Start collecting data to build information registers of ICT service providers;
Work on penetration test scenarios;
Develop a collegial approach and facilitate cooperation between all the actors concerned within the organization: CISO, risk manager, CIO, procurement functions, etc.
As such, companies are encouraged to commit today to an anticipatory approach based on the analysis and management of cyber risks, combined with a compliance-driven process. To achieve this, mapping assets and their associated risks with automated tools will make it possible to take decisions on the company's posture with regard to its own risks while also taking its environment (subcontractors and suppliers) into account, and ultimately to make global decisions that benefit the entity's performance. Approached through a risk-based and compliance-based lens, these regulatory constraints will create opportunities, with a goal understood by all: to ensure the security and overall resilience of a vital sector in the face of growing cyber threats.