Cyber resilience in action: Jakub Lewandowski explains how to successfully navigate DORA legislation

11 June 2024
Knowledge Base

by Michel Klompmaker

The Digital Operational Resilience Act, better known as DORA, entered into force in the EU in January 2023 and applies to financial entities from 17 January 2025. We talked about it with subject matter expert Jakub Lewandowski, Legal Director and Global Data Governance Officer at Commvault.

What actually prompted the EU to introduce DORA?

Jakub Lewandowski: “In 2020, a major cyber-attack took place in the United States: the infamous SolarWinds hack. Cybercriminals compromised a software vendor, gaining access to more than 30,000 organizations, including the U.S. government. The aftermath of this catastrophic event and several other high-profile incidents showed how vulnerable the ICT infrastructure of vital parts of our society is. The Digital Operational Resilience Act (DORA), introduced in 2023, is a testament to how managing cybersecurity risks has become a critical concern for the financial sector. In addition, regulation within the EU financial sector has historically been highly fragmented. The rules of DORA were established to harmonize and level the operational resilience of financial institutions. This gives all member states a single view of what operational resilience looks like. This is what makes DORA so special.”

What does DORA legislation entail?

Jakub Lewandowski: “DORA covers four main areas. The first is about incident reporting and the visibility of a supervisor in the organization. The second is about operational resilience: what are the actual steps the organization takes, and how does the ICT environment remain resilient? The third is an important one and deals with third-party risk management. This is a new layer when it comes to cybersecurity legislation, sparked by the SolarWinds incident, and something that current regulations have not delved into so far. The fourth area is about information and intelligence sharing in relation to cyber threats and vulnerabilities, so that the financial industry as a whole becomes stronger.”

What happens to financial institutions that do not comply with it?

Jakub Lewandowski: “DORA is directly applicable and imposes tough resilience requirements on financial institutions, which can result in criminal and/or administrative penalties. If you want to operate within the EU financial sector, you will have to comply with this regulation. For example, financial institutions must be able to demonstrate that their ICT vendors meet requirements defined by DORA and that they are able to bounce back and rebuild following an incident. Member states are currently allowed to determine the exact criminal penalties and administrative fines, so levels may vary depending on the market. Exactly how this enforcement will be carried out remains to be seen.”

By 2025, financial organizations will have to comply with all the requirements of DORA. What are the most pressing questions facing financial institutions right now?

Jakub Lewandowski: “There are a wide variety of questions facing financial institutions, so I will give some examples. Exactly what cyber resilience requirements do they need to meet? And how do they ensure they become compliant? Which ICT vendors can support them in meeting security requirements? Who is responsible for adhering to this legislation within the organization: risk & compliance, security, the CIO, the entire boardroom, or a combination of these? The nervousness surrounding the implementation of DORA stems from uncertainties about the details of the legislation. The deadline to comply with DORA has been announced, but certain secondary documents, the so-called Regulatory Technical Standards (RTS) that will specify certain DORA elements, are not yet finalized. We will likely see these final texts around July, and only then will we know exactly what is expected of companies. By then, they will have less than six months to meet those expectations. So timely implementation could be difficult, which makes preparation incredibly important.”

What advice do you have for organizations currently facing these pressing questions?

Jakub Lewandowski: “Because the RTS are not yet finalized, it is difficult to give concrete answers to these questions at this time. I expect problems to arise primarily from insufficient collaboration between teams, insufficient understanding of third-party risk management, and inadequate assessment of gaps between the status quo and the requirements of DORA. DORA requires cooperation within and between different teams of an organization. After all, the legislation will impact different departments, especially those of the CIO, CISO and Compliance. Organizations will only be able to meet some of the requirements imposed by DORA if all the impacted teams come together to think coherently and comprehensively about the organization’s resilience. Cross-departmental teams and support from C-level management are essential in this. In addition, I expect there will be problems with the required reporting of third-party risk. Even the most mature organizations struggle with a full analysis of their supply chains, which may be a problem with the advent of DORA. Therefore, it is important for organizations to get started on these analyses and get clear on what the additional risks are. DORA is not just about cybersecurity; it focuses primarily on business continuity and resilience. It recognizes proper protection of ICT systems by defining and implementing prevention, detection, response and recovery mechanisms. It also requires organizations to develop and document backup policies and procedures, as well as restoration and recovery methods. Finally, organizations will need to step up their efforts in risk management.”

In summary, plenty of work for the experts in the coming time?

Jakub Lewandowski: “There is certainly plenty of work, and DORA will continue to cause a lot of controversy in the coming period. A tip to organizations that are in the process of implementing DORA: be open to the help of experts and engage in discussions with your ICT providers. Make sure you choose vendors that have a proper understanding of the changes to come. That way you can ensure your teams work efficiently and your resilience-related assumptions and objectives remain feasible.”
