Digital Operational Resilience Act (DORA)
DORA is the European package of measures to enhance and support all digital financial and insurance services, and therefore the companies that provide them. It was published last November (2022) and will apply from December 2024:
- https://eur-lex.europa.eu/legal-content/TXT/?uri=CELEX%3A52020PC0595
- https://data.consilium.europa.eu/doc/document/ST-10581-2022-INIT/pdf
The financial sector is already regulated by the European Central Bank, but the requirements, their application and their interpretation remain local. DORA's goal is to unify the rules around a common security level and to help companies:
- Identify the assets and related business risks
- Protect the information system to ensure the delivery of critical infrastructure services
- Detect cybersecurity events
- Respond to incidents, support recovery activities and improve
- Recover and restore affected systems
The simplest way to sum up DORA: it ensures a minimum level of resilience for the financial sector.
Patrowl is fully compliant with DORA's requirements on continuous monitoring of assets with Offensive Cybersecurity-as-a-Service. For details, please read Patrowl.
Who is DORA for?
DORA applies to all 22,000 companies related to the financial sector: credit, payment and crypto-asset service providers, insurance, reinsurance, intermediaries, pension funds…
The only exception is for very small businesses with fewer than 10 employees and an annual turnover below 2 million euros.
Why DORA?
DORA focuses on resilience applied to cybersecurity, listing criteria and pragmatic recommendations.
All financial institutions use computers and process data. An uncontrolled cybersecurity incident can lead to a financial disaster (like the recent hack of FTX, a cryptocurrency exchange), and that is why the EU wrote DORA.
DORA in detail?
DORA lists several themes to deal with:
- Risk management and governance to limit disruption caused by cybersecurity incidents
- Permanent detection of cybersecurity incidents
- Resilience of the service with a Business Continuity Plan (BCP) and a crisis management process that must be tested and updated
- Permanent monitoring with pentests, tied to resilience
  - This is what Patrowl does with permanent pentesting, Offensive Cybersecurity-as-a-Service, sometimes called Pentest-as-a-Service
- Permanent vulnerability detection
  - This is also what Patrowl does by continuously rediscovering and monitoring companies' external attack surface (Internet-exposed assets)
- Classify cybersecurity incidents to limit their spread and impact, and share knowledge with peers and regulators. DORA seems inspired by GDPR, with a 24-hour reporting requirement
- Real consideration of the cybersecurity of third parties (suppliers), with risk analysis, controls and audits
- Sharing intelligence between financial organizations
Going further with DORA?
To find out more about DORA, read the articles by Marc-Antoine LEDIEU explaining the issues, implications and consequences of the DORA law: https://technique-et-droit-du-numerique.fr/?s=dora