What is the EU’s Digital Operational Resilience Act (DORA)?


In 2004, at the Washington DC headquarters of the FBI, assistant director Chris Swecker convened a press conference. Swecker was trying to highlight the problem of mortgage fraud – one he said “has the potential to be an epidemic”.

With little movement from the financial sector or regulators to address this known “pervasive problem” that was “on the rise”, Swecker held another news conference in 2005. This time he was joined by officials from the US Department of Housing and Urban Development, and the Internal Revenue Service (IRS).

The message was clear. The FBI had insight into a significant threat, which, if left unaddressed, could create wholesale financial disruption and lasting economic damage. The financial crisis wasn’t a case of unavoidable turmoil, but a case of weak corporate governance and weak risk management.

More than a decade on, the European Union (EU) is devising the Digital Operational Resilience Act (DORA) as a means of preventing anything like that from happening again.

What is DORA?

This is the EU’s recently proposed digital finance package, which is aimed at improving standards within the financial sector. The legislation oversees any companies that indirectly deal with the financial sector too, including IT operations in particular.

DORA, which is expected to come into force during 2022, will mean that financial entities must “address any reasonably identifiable circumstance in relation to the use of network and information systems”. But what does that mean in practice?

Although many might see the regulations as unduly burdensome, it’ll ultimately help businesses make better decisions, faster.

Why will DORA improve enterprise resilience?

There are two good reasons these regulations will improve the resilience of companies that fall within their scope.

Firstly, any warning from the FBI should resonate with firms and be acted upon without delay. This is risk management 101. Yet despite repeated warnings from the FBI about significant cyber threats, businesses generally have been slow to address the most significant cyber threat.

In 2020, for example, the FBI determined – based on data unavailable to the private sector – that business email compromise (BEC), remains the most significant cyber threat. The FBI isn’t alone, with the UK’s National Cyber Security Centre (NCSC) also warning about phishing campaigns and various offshoots, too. It’s so concerned that it also issued guidance that includes deploying the global industry standard protocol, DMARC, as the first line of defence.


This brings us to the second good reason why we must keep in mind the causes of the financial crisis. While the reforms that followed the 2008 financial crisis strengthened the financial resilience of the EU financial sector, they broadly omitted IT risk.

DORA explicitly states that financial entities must address “any reasonably identifiable” IT risks, including malicious events, that may compromise enterprise networks. What is meant by “reasonably identifiable” will ultimately be a matter for the competent authorities and/or the courts to decide, but it’s hardly likely that they’ll suggest that the view from the intelligence communities should be ignored. That said, all firms would do well to address known threats, cyber security or otherwise, without delay.

Who falls under DORA’s scope?

The scope of DORA is sufficiently wide to capture a comprehensive list of every conceivable type of financial entity – from banks to statutory auditors – but it will also apply to third-party IT service providers.

For example, an investment firm that’s taken the trouble to address any reasonably identifiable circumstance will, in all likelihood, identify banks that have taken the same steps. It’s unlikely that a firm that has gone to the expense and trouble of identifying cyber risks would then tolerate a lower standard from its own suppliers.

This strengthens the sector as a whole, creating a virtuous cycle. The bottom line for investors and consumers is that they become better protected and society benefits from the increased trust in the sector.

What are the benefits of DORA?

DORA is a smart and necessary piece of legislation that’ll make the financial sector and the individual firms bigger, better, faster and stronger.

DORA benefits: Better risk assessments

Under DORA, the management body of the financial entity must define, approve, oversee and be accountable for all arrangements relating to IT risks. Moreover, the management body shall bear the final responsibility for managing the IT risks.

They must also be duly informed, and need to follow specific training to gain, and keep up to date, sufficient knowledge and skills to understand and assess cyber security risks and their impact on the operations of the firm.

Having a better-informed management body with skin in the game, whose members are obliged to take part – and who are no longer permitted to turn a blind eye – can only serve to promote the success of the company (a statutory obligation) through better decision making that prevents unnecessary losses, while simultaneously aligning with the directors’ fiduciary duty to exercise reasonable care, skill and diligence (another statutory obligation).

DORA benefits: Faster decision making

Frequently, a chief information security officer (CISO) or the chief information officer (CIO) will understand the cyber threat and the tool that they need to address that problem. Internally, they’ll champion the speedy implementation of this tool. So far so good.

The problem often comes in the form of the budget committee. While such committees are a tested corporate governance tool providing extra eyes on spending, they sometimes comprise people who understand neither the problem nor the solution. Instead of facilitating the purchase of an essential tool to protect the firm, they act like sand in the wheels delaying – or even worse – scuppering the purchase of important defensive tools.

Anecdotally, there’s plenty of cause for alarm as budget committees have vetoed cyber tools and solutions essential to protect the firm, only for the firm to be hit with a cyber attack that was entirely avoidable. All it would take for a successful shareholder class action would be a single whistle-blower to come forward. Making faster decisions about important tools is critical to defend the corporation.

Faster decisions will be possible because the CISO or CIO within financial entities can now reference this piece of legislation (DORA) and pose the following four questions:

  1. Is the threat a reasonably identifiable circumstance? In other words, is the problem well known and understood?
  2. Is the source credible?
  3. Is the solution a global standard protocol (or similar)? The tools to address the cyber threat should be proportionate to meet the threat.
  4. Do reasonable IT directors recommend implementing the solution, or do governments or vendor-neutral agencies, such as the NCSC, recommend it?

If the answer to all four questions is ‘yes’, it means there’s no reasonable excuse to delay action. It’ll lead to better decisions being made at pace and with certainty, saving the firm time, money and additional headaches.

Benefits of DORA: Strengthening IT estate management

By following DORA, financial entities will be more robust. Simply addressing reasonably identifiable circumstances will materially move the needle for a firm’s cyber security posture. In addition, there are at least three other provisions, which, if implemented without delay, would strengthen firms’ IT estate management.

The right tools: Financial entities are required to use and maintain updated systems, protocols and tools that are appropriate to the nature, variety, complexity and magnitude of problems. The movement to cloud computing is inevitable, and allows access to enterprise-class technology that’s affordable, scalable and can be maintained easily.

DORA obliges companies to use reliable tools with “sufficient capacity to process the data necessary for the performance of activities and the provision of services in time to deal with peak orders, message or transaction volumes, as needed.”

Managing the IT supply chain: Financial entities may only contract with third-party IT suppliers that comply with high cyber security standards. IT providers must address reasonably identifiable circumstances and conform to best practice and implement global industry standards, such as DMARC.

Managing exit strategies: Financial entities must implement exit arrangements with IT providers. This reflects deep and extensive research, and an acute understanding of the challenges that financial entities face, essentially offering a level of consumer protection.

Some IT suppliers have, in the past, behaved like squatters. When contracts near expiry, rather than facilitate a transition by removing their kit, they claim that pulling this hardware would disrupt business for weeks. This tilts the renegotiation in favour of the supplier, who has carte blanche to increase prices for the kit that’s no longer fit for purpose.

Benefits of DORA: A pathway for investment and growth

Businesses that demonstrate they’ve taken reasonable steps to address known cyber threats will be more attractive to investors and clients looking to protect their assets and data. It’ll provide those businesses with an immediate competitive advantage over the laggards who resist the changes.

Firms with a weak external cyber security posture will face compliance challenges. In all likelihood, significant shareholders looking to protect their investment will insist the firm meets the latest information security standards. Managers that resist can simply be replaced.

Rois Ni Thuama PhD is a doctor of law and an expert in cyber governance and risk mitigation. She is head of cyber governance for Red Sift.