DORA and why resilience (once again) matters to the board

It would be easy to dismiss the EU’s Digital Operational Resilience Act, or DORA, as just another obscure, niche piece of legislation.

After all, DORA aims to covers the financial services sector in the EU. So it would be understandable if chief information officers (CIOs) feel it does not apply to them.

But, given the bloc’s importance in global trade, EU rules tend to have an influence far beyond the Union’s geographical borders. We have already seen this with the General Data Protection Regulation (GDPR), which became a blueprint for data protection regulations around the world.

DORA could yet follow suit, especially as enterprises look more closely at their own resilience, and how to improve it.

DORA and its 5 pillars

DORA – or more formally, Regulation (EU) 2022/2554 – was introduced to tackle the problems faced by financial services firms, or “financial entities”, when it comes to resilience in their digital systems.

DORA is not cybersecurity legislation. But it covers cyber threats as well as broader risks to information and communications technology, especially third-party and supply chain risks.

DORA also covers incident reporting, intelligence sharing, and digital operational resilience testing. This includes post-incident recovery: a vital, but often neglected, component of resilience.

For businesses that are directly covered by DORA, the legislation applies from January 17, 2025.

DORA itself breaks down into five key pillars: ICT risk management, ICT-related incident management, digital operations resilience testing, third-party risk management, and information sharing.

Part of the thinking behind DORA was to move away from the financial services sector’s approach of operational risk by using capital to cover any losses. With financial services firms now so tightly connected through technology, the EU believed that IT incidents could threaten the bloc’s entire financial system.

Setting aside cash, in the form of capital, to fix problems after the event is no longer seen as enough. Instead, firms need to be able to withstand incidents and, if they are disrupted, have a fully-tested plan in place to recover.

None of this is all that controversial, or indeed that hard to achieve. Many of the measures set out in DORA are steps that banks, insurance companies and other financial services firms take as a matter of course anyway.

What is more novel is bringing these steps together in a single set of rules, and DORA’s emphasis on both third-party risk and information and intelligence sharing.

Beyond financial services

DORA, though, might be overlooked because of its finance-specific focus. The act has not attracted the attention of NIS2, which sets out cybersecurity standards for 15 critical sectors in the EU economy. And NIS2 came into force in October; CIOs and hard-pressed compliance teams could be forgiven for not focusing on another piece of legislation that is due in the New Year.

But ignoring DORA altogether would be short-sighted. Firstly, as Rodrigo Marcos, chair of the EU Council at cybersecurity body CREST points out, DORA is a law, not a framework or best practice guidelines. Failing to comply could lead to penalties.

But DORA also covers third-party risks, which includes digital supply chains. The legislation extends to any third party supplying a financial services firm, if the service they supply is critical. This will include IT and communications suppliers, including cloud and software vendors.

And the law will also affect UK (and other non-EU) companies, even if they are not directly supplying EU financial entities. As Charlotte Witherington, a partner at the law firm Taylor Wessing points out, firms could be affected indirectly by DORA because their customers need to manage third-party risks, or directly, if they are designated as critical third parties.

She adds that the UK is developing its own “UK DORA” to cover a similar set of risks to financial services.

Why resilience matters

With DORA, NIS2, and legislation such as the EU Cyber Resilience Act, authorities are looking to make technology more robust and better able to recover from cyberattacks and other outages.

And CIOs are also putting more emphasis on resilience and recovery. In some ways, we have come full circle. Disaster recovery and business continuity were once mainstays of IT operations planning but moved down the list with the move to the cloud.

Cyber attacks, and especially ransomware, have pushed both resilience and recovery right back up the agenda.

Increasing geopolitical risks, the recent spate of natural disasters and extreme weather events, data center fires, and outages such as those traced back to Crowdstrike earlier this year, are all focusing minds at the board level.

Some research from vendor Cockroach Labs shows the scale of the problem. In its State of Resilience report, researchers point out that 55% of companies see IT disruptions and outages on a weekly basis. The per-incident cost ranges from US$10,000 to over $1m, and almost half of companies said that outages took two or more hours to fix. At the same time, 48% of executives said they were not doing enough to address operational weaknesses.

As with all vendor research, this data can only offer a snapshot of what enterprises are experiencing. It is hardly surprising that senior IT leaders are worrying about resilience. And so are lawmakers, which is why legislation such as DORA is coming into force.

DORA’s third pillar, resilience testing, sets out the requirement to test, through tools such as red teaming and penetration testing. It also requires organizations to apply a risk-based approach to their testing plans, and to make sure that findings from the tests are put into practice.

Incident management, the second DORA pillar, is also critical to ensuring that organizations can cope with an attack or outage, or at least minimize the impact. If there is no such thing as a perfect defense or a system that never breaks, how enterprises handle an incident and recover from it is what matters.

Of course, a mature organisation should be doing all this anyway, and not waiting for legislators – whether in Brussels and Strasbourg or elsewhere – to demand it.

READ SOURCE