Last Call for DORA

As you may already know, the Digital Operational Resilience Act (DORA) will come into full effect in all European Union member states on January 17, 2025. This applies to all parts of the regulation and is binding in all EU countries. The affected financial market participants and financial infrastructures must implement the appropriate measures to comply with the new regulations by this date.

The first step is to determine if your organization is subject to DORA. DORA affects many players in the financial sector, from insurance companies to management companies. Large or small, Directive (EU) 2022/2555 ensures that everyone is covered. In Germany, BaFin is preparing for implementation; in Austria, it's FMA.

Financial organizations across Europe need to understand the scope and implications of DORA, as the regulation imposes stringent cybersecurity and risk management requirements. Proactive steps are necessary to ensure compliance and protect digital infrastructure, but tools and measures are available to assist with DORA compliance.

As DORA addresses cybersecurity, ICT risks, and digital resilience, affected companies should check their cybersecurity practices and operational resilience.

Focus on Cybersecurity

DORA introduces stricter security requirements for companies, particularly with regard to risk management. The regulation extends its scope to various financial actors that were not previously affected. The "size cap rule" ensures that all types of financial organizations are treated equally. The focus of DORA is clearly on cybersecurity, reporting, and supervision.

Companies will have to report material incidents and breaches, and national regulators such as BaFin will be given more powers to enforce the rules. In risk management, responsibility for ICT risks will be delegated to an independent control function to avoid conflicts of interest. Companies should use up-to-date and robust systems and tools, and perform a resilience test at least once a year.

Threat-oriented penetration tests should be conducted at least every three years. ICT security policies should be aligned with the digital business resilience strategy, and regular security audits should be conducted.

The Steps

There are several important steps that companies need to take to ensure that their systems are DORA-compliant. First, all critical resources, such as hardware, software, and data should be identified and documented. This helps to prioritize and allocate resources wisely.

Good cyber hygiene and regular staff training are a must. Vulnerability scans and quick updates are also important to minimize risk. A comprehensive incident detection and response plan with monitoring systems and clear response procedures is essential. Continuous security monitoring with advanced tools helps to detect and respond to threats in real-time. A risk management framework ensures continuous compliance and resilience. Incident management procedures should also be in place to report incidents to the relevant authorities. Regular digital resilience testing, such as penetration testing, helps to identify and address security vulnerabilities.

Improved Compliance with DORA Regulations Through AI-Based NDR Systems

A machine learning (ML) Network Detection and Response (NDR) system enhances the ability to efficiently detect, classify, and report incidents, facilitating DORA compliance. These systems continuously monitor network traffic and detect unusual patterns or anomalies that may indicate security incidents. They classify and assign severity levels to incidents, helping to distinguish between false positives and real threats.

After detecting and classifying an incident, they automatically generate detailed reports and send alerts to the appropriate stakeholders.

ML-based NDR systems also continuously improve through feedback and adapt to new threats, and maintain detailed logs of all incidents, actions, and results, facilitating audits and regulatory reviews.

Summary:

AI-powered NDR systems provide an efficient solution for network security and meet DORA's stringent requirements. They improve threat detection, shorten response times, reduce false positives, and ensure continuous compliance.

Organizations subject to DORA regulations should consider AI-powered NDR solutions for their ability to detect sophisticated threats and provide around-the-clock monitoring. Automated responses significantly reduce response times and allow IT teams to focus on more complex issues.

For detailed guidance and information on how to implement this and for a comprehensive approach to IT systems assessment, download our DORA checklist below. It pairs managerial actionable steps with technical tips from our security experts!