DORA (Digital Operational Resilience Act)
DORA (Digital Operational Resilience Act) is the European Union's package of measures to strengthen and support all digital financial and insurance services, and therefore the companies that provide them. It was published in November 2022 and will be implemented in December 2024.
The financial sector is already regulated by the European Central Bank, but the requirements, their application and their interpretation remain local. DORA's goal is to unify the rules around a common security level and to help companies:
- Identify the assets and related business risks
- Protect the information system to ensure the delivery of critical infrastructure services
- Detect cybersecurity events
- Respond to incidents, support recovery activities and improve
- Recover and restore affected systems
The simplest way to sum up DORA: it ensures a minimum level of resilience across the financial sector.
Patrowl is fully compliant with DORA's requirements on continuous monitoring of assets through Offensive Cybersecurity-as-a-Service. For details, please read Patrowl
Who is DORA for?
DORA applies to all 22,000 companies related to the financial sector: credit institutions, payment and crypto-asset service providers, insurers, reinsurers, intermediaries, pension funds…
The only exception is for very small businesses with fewer than 10 employees and an annual turnover below 2 million euros.
DORA focuses on resilience applied to cybersecurity, listing criteria and pragmatic recommendations.
All financial institutions use computers and process data. An uncontrolled cybersecurity incident can lead to a financial disaster (like the recent hack of FTX, a cryptocurrency exchange), and that is why the EU wrote DORA.
DORA in detail
DORA lists several themes to address:
- Risk management and governance to limit the disruption caused by cybersecurity incidents
- Permanent detection of cybersecurity incidents
- Resilience of the service, with a Business Continuity Plan (BCP) and a crisis management process that must be tested and updated
- Permanent monitoring with pentests, tied to resilience
  - This is what Patrowl does with permanent pentesting, the Offensive Cybersecurity-as-a-Service, sometimes called Pentest-as-a-Service
- Permanent vulnerability detection
  - This is also what Patrowl does by continuously rediscovering and monitoring companies' external attack surface (Internet-exposed assets)
- Classification and handling of cybersecurity incidents to limit their spread and impact, and sharing of knowledge with peers and the regulator. DORA seems to be inspired by GDPR, with a 24-hour reporting requirement
- Real consideration of the cybersecurity of third parties (suppliers), with risk analysis, controls and audits
- Sharing of threat intelligence between financial organizations
Going further with DORA
The well-known lawyer Marc-Antoine LEDIEU has written twelve articles explaining DORA's stakes, implications and consequences:
- Why DORA? Objective: operational resilience
- Who is concerned? Financial entities! And who else?
- The official threat and its legal definitions
- Risk analysis and security policy
- Mandatory technical security measures?
- Resilience tests (the heart of the system)
- Mandatory requirements for testers?
- Vulnerability detection and incident notification
- Cyber crisis management requirements and communication
- Contractual resilience obligations
- Not yet published: 11
- Not yet published: 12