Everything EU & Swiss Companies Should Know About DORA (Digital Operational Resilience Act)
Introduction:
As digital technologies become integral to financial services, cyber resilience has become a top priority for banks, insurers, and other financial institutions. The European Union's Digital Operational Resilience Act (DORA) aims to strengthen cybersecurity across the financial sector. This article explores what DORA is, its implications for EU and Swiss companies, and how solutions like Network Detection and Response (NDR) can help organizations comply with its requirements.
What is DORA and why does it matter for cybersecurity?
The EU Commission's draft regulation Digital Operational Resilience Act (DORA) was published as an EU regulation and came into force on 16.01.2023. Financial companies now have 24 months to implement the requirements. The regulations will affect all regulated financial companies in the EU, which include banks and insurers, as well as investment firms, management companies, rating agencies, crypto asset providers trading platforms et al. An extra paragraph covers third-party IT service providers. As of proportionality, large banks or insurance companies must meet stronger requirements than smaller companies.
DORA’s Impact on Swiss Financial Companies and Cross-Border Compliance
All financial companies in Switzerland (as well as from other countries outside the EU e.g., Liechtenstein) mostly need to apply DORA standards too, when dealing with other financial companies in the EU and/or their customers. This includes companies that provide internal IT services for EU subsidiaries or sister companies or are IT service providers for companies based in the EU.
Key objectives of DORA
DORA's objectives can be summarized into five key areas:
1. Management of cyber-risks
As strengthening digital operational security and resilience in the financial sector with a uniform supervisory framework is the goal of DORA, companies need to implement strategies and take actions around their IT systems and tools that minimize the impact of IT risks. This includes proactive measures like identifying, classifying and documenting cyber-critical functions and assets, continuously monitoring all sources of IT risks, in order to set up protection and prevention measures, establishing prompt detection of anomalous activities.
2. Strategy for digital business resilience and business continuity
To ensure resilience, organizations must implement robust IT systems and security measures to protect networks and critical assets from risks like unauthorized access, data theft, or natural disasters. These measures should include firewalls, access controls, and disaster recovery plans. A comprehensive business continuity policy with contingency- and recovery plans as an integral part of a comprehensive IT risk management, must be established for that reason.
With DORA, the members of the board will have a personal obligation and liability to provide and monitor IT risk management and to set up mechanisms to learn and develop from both external and internal IT incidents.
3. Classification and immediate reporting of major IT-related incidents
An IT-related incident management obliges companies to respond promptly to IT incidents and breaches and to recover quickly from them. This needs suitable mechanisms to constantly detect anomalous activity, including network issues and IT-related incidents and a preassigned classification of sensitive and vulnerable data.
4. Continuous digital resiliency testing
With comprehensive testing, based on TLPT (Threat-Led Penetration Testing), organizations can verify the actual digital resilience of the company, which should be continuously assessed through audits and tests: Critical IT systems and applications must be tested at least once a year by independent internal or external auditors with simulation exercises, threat-oriented penetration tests, and so on.
5. Third-party security management
The potential risk brought in by service providers is extended by the obligation to control and ensure its security and liability (third party risk). This also affects cloud services, platform-as-a-service, or infrastructure-as-a-service.
DORA requires immediate reporting of cybersecurity incidents to the appropriate regulators and information sharing to minimize the spread of threats, and to support the financial industries overall defence capabilities and improve its threat detection techniques.
What NDR can do for DORA
A Network Detection and Response (NDR) solution as part of the DORA strategy addresses the compliance challenges and ensures the mandatory security and resilience of the network and information systems, in terms of response actions, required by this law and to minimize the impact of the external risks.
ExeonTrace, a machine learning based NDR solution, offers several benefits for organizations to comply with DORA in providing comprehensive visibility into the network traffic. For instance, by helping financial organizations to identify potential threats and vulnerabilities before they can be exploited. By continuously monitoring network traffic, ExeonTrace can detect and alert organizations to suspicious activity, such as unauthorized access attempts or data exfiltration.
ExeonTrace enables organizations to respond quickly and effectively to potential threats by triggering incident response procedures. As an instant reporting is obligatory, this NDR solution helps companies to meet the reporting requirements by providing detailed logs and reports of network activity and incidents.
When a SIEM (Security Information and Event Management) is already in place to collect security events from various sources, an NDR solution is recommended too, to divide the confusing quantity of events and alarms into clear risk patterns and meaningful alarms.
The immediate and real-time reaction to cyber incidents in the network makes the NDR, especially with regards to reaction and prevention, a mandatory asset to ensure the DORA guidelines.
According to the regulation, financial firms need to allocate "sufficient resources and capacity to monitor user activity, the occurrence of IT anomalies, and IT-related incidents, especially cyber-attacks". Network Detection and Response (NDR) solutions allow companies to lower their expenditures through reduced data usage, lower staffing requirements, immediate threat detection, improved operational efficiency, and scalable adaptability in managing cybersecurity.
With ExeonTrace, financial service providers can leverage their existing infrastructure without extra hardware investment, with the complete network log data analyzed, and all network activity made visible.
Summary:
Financial organizations need to establish a framework for effective and comprehensive management of cybersecurity and IT risks in financial markets and ensure the maintenance of resilient operations in the event of a business disruption. (New) topics such as threat intelligence and threat-led penetration are to be implemented and the dependencies between financial service providers and their service providers (3rd party risk management) e.g., of cloud service providers are to be audited and ensured, as well as the immediate reporting of all critical incidents to authorities. ExeonTrace solves major DORA requirements: logging, detection and response to cyber incidents in a safe and consistent manner and will be an important contributor for compliance.
To get your own personal tour of ExeonTrace or to speak to myself or one of our network security experts, click here.
Author:
Carola Hug
Chief Operating Officer
email:
carola.hug@exeon.com
Share:
Published on:
20.09.2023