Are You Ready for DORA? If Not, Here’s 5 Tips on What to Consider during Planning

13. October 2023

The Digital Operational Resilience Act (DORA) is a regulatory framework that aims to ensure the operational resilience of financial institutions in the European Union. While DORA came into force on January 16, 2023, organizations were granted two years to implement its security requirements. If your institution is affected by DORA, you are probably wondering what your next steps should be to get ready. To help you get a head start, our expert for information security in the financial sector, Dr. Christian Schwartz, has compiled five tips on what you should consider first while preparing for DORA. While none of these starting points may be the most obvious at first, each one will have a great impact on your organization’s implementation of DORA requirements and, if taken into account early on, can save you a lot of time and effort later.

Dr. Christian Schwartz, DORA expert

1. Re-evaluate your method to classify services regarding criticality

Reason:

“Critical or important services” are subject to a number of additional requirements (e.g., regarding BCM, Vulnerability Management, ICS, Resilience Testing).

Chances:

Ensuring the correct classification as "critical or important"

  • applies leverage regarding the efforts to ensure compliance with the aforementioned requirements and
  • ensures the existing risk for critical or important services is effectively managed.

Estimated effort:

Design: Medium [1]

Implementation: Medium (scales with number of services)

2. Implement changes regarding the information register for ICT third-party risk management

Reason:

Comprehensiveness and timeliness of information register is a prerequisite for compliance with DORA regarding ICT third-party risk management.

Chances:

Provides foundation for

  • effective ICT third-party risk management and
  • handling of incidents involving ICT-third-party service providers.

Estimated effort:

Design: Large

Implementation: Large (scales with number of ICT third-party service providers and contracts)

3. Consolidate contractual arrangements of ICT-third party service providers regarding operational resilience

Reason:

DORA (especially the consultation paper for the Regulatory Technical Standard "for specifying the detailed content of the policy on the contractual arrangements regarding on the use of ICT services supporting critical or important functions provided by ICT third-party service providers") contains explicit requirements on the contractual arrangements.

Chances:

Updating existing contractual obligations (and defining a default for new contractual arrangements) ensures

  • compliance with DORA regarding the use of ICT-third party service providers and
  • provides a chance to align contractual arrangements and reduce number of edge cases during ICT third-party risk management.

Estimated effort:

Design: Medium

Implementation: Large (scales with number of ICT third-party service providers and contracts)

4. Update incident response processes to address DORA requirements, especially considering the reporting of incidents

Reason:

In addition to requiring specific approaches during incident management (e.g., including specific properties during incident classification, such as direct and indirect damages, impacted countries, etc.), DORA also requires incident reporting to be fulfilled in a short time frame and include detailed information regarding the incident (both have yet to be determined by an RTS).

Chances:

Early alignment of the incident response process with asset and information registers allows

  • to ensure all required information for classification are available from and
  • to reuse correlated information, e.g., to determine risk-based prioritization for threat led penetration testing.

Estimated effort:

Design: Medium

Implementation: Large (scales with number of services)

5. Tailor the approach for digital operational resilience testing

Reason:

The scale and selection of resilience testing can be selected regarding the proportionality principle and the risk profile of the financial entity.

Chances:

Implement digital operational resilience testing while

  • leveraging the attention due to DORA to put a strong, risk-based focus on ICT-services exposed to actual risk and
  • reducing the potential overall effort by focusing the majority of testing on critical or important systems [2].

Estimated effort:

Design: Medium

Implementation: Very large (scales with the number of services and especially critical or important services)

[1] Compared to the total effort it will take your organization to design and implement all DORA requirements.

[2] Note that the relevance cannot only rely on the business impact of individual systems but must also consider the possibility of lateral movement and pivoting by attackers.


Do You Need Help?

While two years may seem like plenty of time to prepare for DORA, we recommend you get started early and take it step by step. We are here for you if you need help or have any questions.

While it may seem like there is plenty of time left to prepare for DORA, we recommend you get started early and take it step by step. We are here for you if you need help or have any questions.

Get in touch

Also interesting:

Top 3 Vulnerabilities in Mobile App Pentests

Top 3 Vulnerabilities in Mobile App Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Security Advisories for SONIX and SAP

Security Advisories for SONIX and SAP

The pentest professionals at usd HeroLab examined SONIX Technology Webcam and SAP Fiori Sample Shop during their pentests. Our professionals discovered that systems with a SONIX Technology Webcam using the SonixDeviceMFT.dll driver in their default configuration are...

Categories

Categories