In the digital age, cybersecurity is not just about protecting data; it is about ensuring the very fabric of our financial systems remains intact and resilient against threats. The introduction of the Digital Operational Resilience Act (DORA) by the European Union marks a significant milestone in the journey toward a safer, more stable financial ecosystem. As cybersecurity veterans, we have witnessed firsthand the evolution of digital threats and the increasing sophistication of cyber adversaries. It is against this backdrop that we delve into the importance of DORA and its potential to redefine the landscape of financial services cybersecurity.
Understanding the DORA Act and How it’s Enforced
DORA (Regulation (EU) 2022/2554) was formally adopted in November 2022 by the European Parliament and the Council of the European Union, the two legislative bodies that pass laws inside the EU. It entered into force in January 2023, but financial entities and their ICT third-party service providers have until Jan. 17, 2025, the date from which the regulation applies, to bring themselves into compliance.
The Digital Operational Resilience Act emerges in response to the growing dependency of financial entities on information and communication technologies (ICT). DORA aims to standardize the digital operational resilience framework across all EU member states, ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.
At its core, DORA focuses on several key areas:
- ICT risk management: Establishing stringent requirements for financial entities to identify, manage, and mitigate ICT risks.
- Incident reporting: Mandating timely reporting of significant cyber incidents to relevant national and EU authorities.
- Digital operational resilience testing: Introducing rigorous testing requirements to assess the resilience of financial entities against cyberthreats.
- Third-party risk management: Enhancing oversight and management of ICT third-party service providers, including cloud computing services.
Even though DORA has been formally adopted by the EU, the European Supervisory Authorities (ESAs) are still working out several important details. The ESAs are the regulatory bodies in charge of the EU financial sector: the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).
The ESAs draft the regulatory technical standards (RTS) and implementing technical standards (ITS) that covered entities are required to implement; these standards are expected to be completed during 2024. In the same timeframe, the European Commission is expected to finalize the oversight framework for ICT third-party providers designated as critical.
Once the standards are finalized and the January 2025 application date has passed, enforcement falls to the “competent authorities,” the designated financial regulators in each EU member state. These authorities may require financial entities to take specific security measures and remediate identified vulnerabilities. Entities that fail to comply face administrative penalties, and in certain cases criminal penalties; the penalty regime is set by each member state individually.
ICT third-party providers that the European Commission designates as “critical” come under the direct supervision of a lead overseer drawn from the ESAs. Lead overseers hold powers comparable to those of competent authorities: they can demand security measures and corrective actions from a noncompliant provider and impose penalties. Under DORA, a lead overseer may impose periodic penalty payments of up to one percent of the provider’s average daily worldwide turnover in the preceding business year, charged per day for up to six months, until the provider complies.
Who Needs to Comply with the DORA Act?
The Digital Operational Resilience Act (DORA) is designed primarily for entities within the financial sector of the European Union. It aims to ensure that all participants in the financial system have the necessary safeguards and mechanisms to manage cyberthreats effectively. Here is a breakdown of entities that need to comply with DORA:
- Credit institutions: This includes banks and other financial institutions that offer credit facilities. They are required to ensure their digital operations and services are resilient against cyberthreats.
- Payment institutions: Organizations providing payment services need to comply with DORA to protect payment processes from cyber disruptions.
- Electronic money institutions: Firms issuing electronic money, facilitating electronic payments, or providing related financial services fall under DORA’s scope.
- Investment firms: Companies offering investment services, including brokerage services, portfolio management, and investment advice, must adhere to DORA’s requirements.
- Crypto-asset service providers: With the increasing integration of cryptocurrencies into the financial system, entities providing services related to crypto-assets are also required to ensure operational resilience.
- Insurance and reinsurance companies: Insurers and reinsurers need to comply with DORA to protect their operations from ICT-related risks, ensuring they can continue to provide services even during cyber incidents.
- Central securities depositories and central counterparties: Entities involved in the post-trade processing of securities transactions must ensure their digital and operational resilience.
- Trading venues: This includes stock exchanges and other platforms where financial instruments are traded. They must have measures in place to mitigate cyber risks.
- Third-party service providers: Most ICT third-party providers, including cloud services, are not regulated by DORA directly but are affected indirectly: the financial entities they serve must ensure, through contracts and oversight, that these providers meet resilience standards consistent with DORA. The exception is providers the European Commission designates as critical, which are placed under direct oversight as described above.
- Other financial market participants: This includes a broad category of other entities engaged in financial activities that are critical to the financial market’s infrastructure, subject to regulatory oversight to ensure operational resilience.
DORA sets a comprehensive framework for operational and digital resilience across the financial sector, reflecting the EU’s commitment to safeguarding the financial system against ICT and cyberthreats. Compliance with DORA not only enhances the resilience of individual entities but also contributes to the stability and integrity of the financial market.
DORA Act’s Implications for Financial Entities
For financial institutions across the EU, DORA is not just another regulation — it is a transformational shift towards a more unified and robust approach to cybersecurity. By harmonizing requirements, DORA aims to level the playing field, ensuring that all entities, regardless of size or complexity, adhere to high standards of digital resilience.
The implementation of DORA will undoubtedly present challenges, particularly for smaller institutions that may lack the resources of their larger counterparts. However, it also offers an opportunity to strengthen defenses, improve incident response mechanisms, and foster a culture of continuous improvement and resilience.
The Cybersecurity Veteran’s Perspective
Drawing on years of experience in the trenches of cybersecurity, we view DORA as a critical step forward, and a very necessary one. Operational resilience is about more than just preventing attacks; it is about ensuring that financial services can continue to operate effectively, even in the face of disruption. DORA’s comprehensive approach to risk management, testing, and third-party oversight reflects a deep understanding of the multifaceted nature of modern cybersecurity.
Looking ahead, we anticipate that DORA will drive innovation in cybersecurity practices and technologies. As financial institutions work to comply with DORA’s requirements, we are likely to see an increase in the adoption of advanced cybersecurity and cyber resilience practices, processes, and solutions.
Practical Steps Towards Compliance
For financial institutions beginning their journey towards DORA compliance, here are some actionable steps to consider:
- Conduct a gap analysis: Assess current cybersecurity and operational resilience practices against DORA’s requirements to identify areas for improvement.
- Strengthen ICT risk management: Develop comprehensive risk management policies and procedures that address the identification, assessment, and mitigation of ICT risks.
- Foster a culture of resilience: Implement training and awareness programs to ensure that all employees understand their role in maintaining operational resilience.
- Enhance incident response plans: Review and update incident response and business continuity plans to align with DORA’s reporting requirements and resilience objectives.
Veeam as Part of the Solution
As the most trusted provider of backup, recovery, and data management solutions, Veeam is well positioned to help meet the rigorous regulatory mandates prescribed under DORA. Veeam, together with its partners and system integrators, helps deliver market-leading and integrated backup, recovery, and data management solutions as part of an overall transformation and compliance strategy.
Jointly, we craft the right solution to ensure that each customer’s unique data protection and regulatory needs are met. Our joint offerings support digital transformation and compliance initiatives, carry out disaster recovery (DR) plans and orchestration directives, and deliver business continuity plans.
Together, we protect against cybercrime and drive business continuity while ensuring that data is always protected and available, no matter where it is located, through the complete alignment of services offered by GSIs (Global System Integrators). Our joint solutions offer workload management through a single platform that works for cloud, virtual, physical, SaaS, and Kubernetes environments.
Some of the benefits include (but are not limited to):
- Article 9: Protection and Prevention — implement strong ICT security measures to protect critical systems and data, and ensure high standards of availability, authenticity, integrity, and confidentiality of data, whether at rest or in transit:
Veeam Recovery Orchestrator creates an orchestrated DR architecture to ensure business continuity and resilience to support the availability of ICT systems.
Backup encryption protects data at rest in the repository, and network transport encryption protects it in transit, so backup data is covered end to end along the path it travels.
Veeam’s SureBackup and Veeam Recovery Orchestrator both test and validate that data is actually recoverable, reducing the risk of discovering corrupt or incomplete backups only at restore time. The Hardened Repository stores backups immutably, so they cannot be modified or deleted during their retention period, even by an attacker holding administrative credentials, which keeps a clean recovery point available.
Veeam’s AI/ML-powered malware detection adds an extra layer of protection to backup data by identifying and isolating infected files before they can be restored, preventing the spread of malware, and ensuring the integrity of the backup data.
- Article 10: Detection — entities must have mechanisms that promptly detect anomalous activities and identify potential vulnerabilities, such as plausible cyberthreats, and put security controls in place to protect against these risks:
Veeam ONE provides monitoring, analytics, and alerting to detect ransomware-like or otherwise anomalous activity in both the production environment and the backup and recovery process.
Built-in alerts notify of any anomalous activities and drastic performance changes which may be an indicator of a threat.
Incident response protocols can be configured to trigger an automatic remediation process that isolates the affected workload when ransomware-like activity is detected.
Our AI/ML-powered malware detection bolsters an organization’s ability to detect sophisticated and evolving threats that may evade traditional signature-based detection. By looking for patterns and anomalies indicative of malware rather than for known signatures, it can flag threats for which no signature exists yet, improving overall detection capabilities and helping organizations meet DORA’s requirements.
Furthermore, our AI/ML-powered malware detection enhances an organization’s risk management processes by proactively identifying and flagging potential malware in backup data. This allows organizations to take swift action to isolate and remediate threats, minimizing the risk of data breaches or operational disruptions.
- Article 12: Backup policies and procedures, restoration and recovery procedures and methods — as part of the ICT business continuity policy, entities must maintain backup policies and procedures together with restoration and recovery procedures and methods:
Backup policies and procedures – specify the scope of the data subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data.
Veeam Platform backup is policy-based and defines the timing, scope, and target of backups. It covers backup frequency and recovery methods and meets organizational SLA requirements.
Veeam’s feature set includes backup verification to confirm that each backup completed successfully and is restorable.
Veeam’s enabling technology protects against cybercrime and drives business resiliency across any platform; on-premises, cloud, hybrid, and multi-cloud.
Recovery methods – in determining the recovery time objectives (RTO) and recovery point objectives (RPO) for each function, consider whether it is a critical or important function, and the potential overall impact on the market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.
Veeam’s platform minimizes data and transaction loss. Veeam has multiple ways to recover either automatically or manually depending on the specific business need.
Veeam offers several protection methods: backup, replication, storage snapshots, and continuous data protection (CDP). Each provides a different trade-off, with CDP offering the lowest achievable RTO and RPO, so the method can be matched to the recovery objectives of each function.
- Threats to email and domain security — recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm.
Veeam offers backup and protection of Active Directory and of Microsoft 365 data, including Exchange Online (mailbox and archive), OneDrive for Business, SharePoint Online, and Teams, as well as on-premises installations of Microsoft Exchange Server and Microsoft SharePoint Server.
Veeam Backup for Microsoft 365 (VB365) protects Microsoft 365 backups from threats and offers granular restores of data to any location, whether on-premises or on a cloud platform.
Please contact us for more detail on functionalities and capabilities.
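The Article 10 (detection) section above describes alerting on anomalous activity in the backup process. The following is an added example of the kind of signal a backup-side monitor can extract from ordinary job statistics; it is not Veeam’s code and is not Veeam ONE’s detection logic. Two indicators are checked per workload: an incremental run that transfers far more data than that workload’s own baseline (mass file rewrites), and a collapse of the job’s compression ratio toward 1.0 (encrypted data does not compress). The job records, the ratio definition (raw size divided by stored size) and the thresholds are all assumptions made for this example.

```python
"""Anomaly detection over backup-job statistics (illustrative, not a product's logic).

Constructed job history for three workloads. Change-rate spikes alone are
noisy (a patch day, a database reindex), and a low compression ratio alone
may just be media files; the two together on the same run are a strong
ransomware indicator, so they are rated higher than either one by itself.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class JobRun:
    workload: str
    day: int                 # run index, oldest first
    transferred_gb: float    # data moved by the incremental run
    compression_ratio: float # raw size / stored size (assumed definition); ~1.0 = incompressible


@dataclass(frozen=True)
class Finding:
    workload: str
    day: int
    severity: str            # "high" or "medium"
    reason: str


def detect(runs, baseline_len=7, z_threshold=3.0, ratio_floor=1.15):
    """Compare each run against the preceding `baseline_len` runs of the same workload.

    Thresholds are illustrative assumptions, not recommended production values.
    """
    by_workload = {}
    for run in runs:
        by_workload.setdefault(run.workload, []).append(run)

    findings = []
    for workload, history in by_workload.items():
        history.sort(key=lambda r: r.day)
        for i in range(baseline_len, len(history)):
            base, cur = history[i - baseline_len:i], history[i]
            sizes = [b.transferred_gb for b in base]
            mu, sigma = mean(sizes), pstdev(sizes)
            # Floor sigma so a perfectly flat baseline cannot produce infinite z-scores
            sigma = max(sigma, 0.05 * mu, 0.01)
            z = (cur.transferred_gb - mu) / sigma

            base_ratio = mean(b.compression_ratio for b in base)
            # Only call it a "collapse" if the workload normally compressed reasonably well
            ratio_collapse = (cur.compression_ratio < ratio_floor
                              and base_ratio >= ratio_floor * 1.3)
            spike = z > z_threshold

            if spike and ratio_collapse:
                findings.append(Finding(workload, cur.day, "high",
                    f"change spike (z={z:.1f}) with incompressible data "
                    f"(ratio {cur.compression_ratio:.2f} vs baseline {base_ratio:.2f})"))
            elif spike:
                findings.append(Finding(workload, cur.day, "medium",
                    f"change-rate spike (z={z:.1f}, {cur.transferred_gb:.0f} GB vs ~{mu:.0f} GB)"))
            elif ratio_collapse:
                findings.append(Finding(workload, cur.day, "medium",
                    f"compression ratio collapsed to {cur.compression_ratio:.2f}"))
    return findings


def _series(workload, sizes, ratios):
    return [JobRun(workload, d + 1, s, r) for d, (s, r) in enumerate(zip(sizes, ratios))]


# Constructed sample data (seven baseline days plus one day under test).
SAMPLE_RUNS = (
    # file server: day 8 rewrites ~300 GB and the data no longer compresses
    _series("fileserver-01", [20.1, 22.3, 19.8, 21.0, 23.4, 20.7, 21.9, 310.0],
            [2.0, 2.1, 1.9, 2.0, 2.1, 2.0, 1.9, 1.02])
    # database: day 8 reindex triples the delta but compresses as usual
    + _series("db-01", [40.2, 41.0, 39.5, 40.8, 42.1, 40.0, 39.9, 120.0],
              [1.8] * 8)
    # web tier: nothing unusual
    + _series("web-01", [5.0, 5.2, 4.9, 5.1, 5.3, 5.0, 5.1, 5.4],
              [2.3] * 8)
)


if __name__ == "__main__":
    for f in detect(SAMPLE_RUNS):
        print(f"[{f.severity.upper()}] {f.workload} day {f.day}: {f.reason}")
```

In practice a high-severity finding would feed the automated isolation step described above (pause replication to the DR site, stop overwriting the last known-good restore point, raise a ticket), while a medium one is routed to an operator for triage.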
Summary
The Digital Operational Resilience Act is more than just a regulatory requirement; it is a blueprint for a more secure, resilient financial sector. As we navigate the complexities of the digital age, the principles underpinning DORA will undoubtedly play a crucial role in shaping the future of cybersecurity. For financial institutions, the path to compliance is also a path toward greater operational resilience, offering a competitive advantage in an increasingly uncertain world.
By embracing the challenges and opportunities presented by DORA, we can ensure that our financial systems are not only protected against current threats but are also prepared to face the challenges of tomorrow.