Expert Discussion: Enhancing Cyber Resilience Initiatives for DORA Compliance

DORA (Digital Operational Resilience Act) is a new European regulation that will take effect on January 17, 2025, aimed at strengthening the operational resilience of financial players against cyber threats. Some technical and implementation details (RTS, ITS) are due to be published in July 2024 and the key pillars of the act include ICT risk management, Incident management, resilience testing, and third-party risk management.

Imad Abounasr highlights key challenges, including the limited time left to meet regulatory expectations, the complexity of the regulations, and the need to formalize new risk-based processes. Identifying critical processes, assessing associated risks, and managing third-party providers are essential. As third parties often handle critical processes, DORA imposes strict requirements for their selection, supervision, and contracting.

Effective ICT Risk Management under DORA: Senior Leadership and Cross-Department Collaboration

For Imad Abounasr, DORA places the ultimate responsibility for ICT risk management at the senior management level. This requires the establishment of a comprehensive governance framework and strategy for DORA compliance. Senior management must ensure that risk management measures are properly implemented and monitored.

On the operational side, DORA compliance requires collaboration across several departments and roles within organizations. Key stakeholders include IT, risk management, business experts, security, and procurement.  Each department brings its unique expertise, contributing to a comprehensive approach to ICT risk management.

Architects play a central role in DORA compliance due to their in-depth understanding of both application and operational architecture. They connect business processes with the information system architecture so that ICT risks can be identified and mitigation measures prioritized in accordance with DORA's requirements.

NIS 2, DORA, the Cyber Resilience Act (CRA): Identifying commonalities between different cyber regulations 

DORA, NIS 2, and the other cyber regulations share a common objective: to enhance both the security, and maturity of organizations in terms of cybersecurity. However, they differ in their scopes of application and specific requirements.

In terms of scope, DORA specifically applies to the financial sector, while NIS 2 covers 18 different industries. Other regulations target more specific areas, such as the European Union (EU) Cyber Resilience Act (CRA), which focuses on products or software with digital components.

In terms of requirements, DORA outlines detailed obligations for operational resilience and ICT risk management, encompassing a wider scope than NIS 2 directive. It positions itself as the 'lex specialis' for the digital operational resilience of the financial sector.

Together, these regulations contribute to creating a comprehensive and coherent regulatory framework for cybersecurity in Europe.

Strategies for DORA compliance: Proactive planning and collaboration

Imad Abounasr provides two essential recommendations to guide financial sector players in achieving DORA compliance.

Anticipate, plan

• Do not underestimate the magnitude of this task. DORA introduces new requirements that demand a thorough analysis and the adaptation of existing processes.  
• Start now. The deadline is tight, so it's crucial to start assessing your current situation and define a DORA compliance roadmap.  
• Mobilize the necessary resources. Achieving DORA compliance requires a multidisciplinary approach. Create a team composed of experts in security, risk, business, IT, and procurement to manage the project.  

Seize the opportunity for improvement

• DORA is not just a compliance exercise. Seize this opportunity to strengthen your organization's operational resilience maturity. Start by performing a complete mapping of critical business processes, followed by the identification of associated operational risks.
• Establish clear links between IT and business risks. This holistic approach improves risk management and enables more efficient resource allocation.
• Remember that DORA is an ongoing process. Set up a monitoring program and regular tests to ensure that your resilience measures remain effective against evolving threats. Adopt a proactive approach to risk management and continuously adapt your strategy to conform to new requirements and best practices.

By actively embracing DORA compliance, you help protect your financial institution against cyber threats while ensuring the continuity of its critical activities.