Article

DORA's Impact on Cybersecurity: What Financial Institutions Need to Know

30 May 2024

In a recent report on global financial stability, the IMF highlighted that the number of cyberattacks has doubled since the onset of the COVID-19 pandemic in 2020. In the spring of 2024, the Belgian corporate world was shaken by several high-profile cyberattacks. Among the affected were healthcare chain Goed, brewing group Duvel Moortgat, and coffee manufacturer Beyers Koffie.

A 2023 ServiceNow survey of 750 C-level bank executives revealed that 68 percent of the surveyed banks experienced at least one serious cyberattack in the previous two years. A single cyberattack can cost banks up to $5 million, including stolen funds, recovery expenses, reputational damage, and potential fines. Unsurprisingly, seven out of ten CEOs in the study said that technology risk is the biggest risk in today’s banking world.

The Digital Operational Resilience Act (DORA) and its five pillars

Enter DORA. To protect the financial industry against cyber threats, operational disruptions and systemic risk, the EU adopted the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). It entered into force on 16 January 2023 and applies as of 17 January 2025; the European Supervisory Authorities (EBA, EIOPA and ESMA) draft the technical standards that flesh out its requirements.

DORA aims to improve the IT security of banks, insurance companies, investment firms and other financial entities, and to ensure the resilience of Europe's financial sector in the face of severe operational disruptions. It sets uniform requirements for the security of network and information systems in the financial sector, and its reach extends beyond the EU because it also covers the ICT third-party service providers that serve EU financial entities, wherever those providers are based. DORA establishes regulatory standards across five pillars: ICT Risk Management, ICT-related Incident Management and Reporting, Digital Operational Resilience Testing, ICT Third-Party Risk Management, and Information Sharing.


A new benchmark on ICT Risk Management

The new rules will establish a level playing field by standardizing the regulation of operational resilience across the financial sector. They will protect the broader European financial system, as they apply to twenty different types of financial entities as well as to ICT third-party service providers.

“For banks, complying with DORA means reviewing current security policies and procedures,” says Financial Institutions BCB leader Jean-Philippe Thirion. “Especially those involving third-party providers handling digital financial data. Trusted security partners can help organizations in becoming DORA-compliant by assessing security maturity and implementing strong risk management programs. Early preparation is key since identifying issues, deploying solutions, and evaluating their impact takes considerable time before the compliance deadline.”

"DORA sets the new standard for ICT risk management," says Nathalie Gys, Risk Management consultant at Financial Institutions TriFinance. "It includes guidelines for outsourced services, better threat-based penetration and resilience testing, and creates a platform for sharing incident information across the financial sector."

The financial sector must be DORA-compliant by 17 January 2025, even though several Regulatory Technical Standards are still to be published, which leaves limited time for implementation. The ambition is extremely high in terms of both timing and scope.


Operational Resilience and DORA-readiness

Management of IT Risk - Confirmation of the 2024 Supervisory Priorities

Between 2020 and 2023, the European Central Bank (ECB) conducted two key assessments to evaluate IT risk management across banks: a horizontal analysis based on an IT risk questionnaire and on-site inspections of individual banks under direct ECB supervision.

The horizontal analysis revealed that banks have made little progress in addressing existing gaps. 

On-site inspections highlighted the need for banks to increase efforts in managing information security risks. Both assessments underscore the 2024-2026 supervisory priorities, confirming that cyber risk and data security remain critical drivers of operational risk in financial institutions.

A recent ECB Supervision Newsletter emphasizes that there is no room for complacency in managing IT risk. The shortcomings may be even more pronounced at smaller financial institutions.

IT Risk Questionnaire – Five areas calling for action

Deficiencies in IT outsourcing and cyber resilience have been identified as priorities for ECB Banking Supervision for 2023-2025. IT security concerns persist, with weaknesses found in asset management, protection, incident detection, and cyber incident response. To evaluate IT risk management across banks, significant institutions must annually submit a questionnaire covering various risk domains. Five domains call for action.

  1. Outsourcing. The ECB believes that the shift towards cloud usage will result in increased concentration risks considering the limited number of service providers. Banks must ensure that contingency and exit plans for outsourced services are ‘fit for purpose’.
  2. Data Quality Management. Banks consistently identified data quality management as the least mature IT risk control category notwithstanding the requirements included in the Basel Committee’s principles for effective risk data aggregation and risk reporting (BCBS 239). Data Quality Management is a key responsibility for the Board of Directors. Governance bodies will be held accountable for the progress made in this low maturity field.
  3. IT Change Risk. IT changes and software issues were again identified as the root cause of critical services downtime. Banks must strengthen change governance, including an effective communication strategy for cases where major migrations of IT systems or other software changes could directly affect customers.
  4. IT Governance and Risk Management. Shortcomings are related to the lack of sufficient IT expertise at the level of the Board of Directors. Gaps were also reported by some banks in fundamental IT risk management controls.
  5. Cyber and IT Security. While distributed denial-of-service attacks remained the most common incident type, the recent increase in ransomware incidents has raised supervisory concerns. Banks still rely heavily on end-of-life systems for critical activities. Some institutions continue to report gaps in risk control areas in the field of identity and access management, timely vulnerability patching, and in the banks’ security awareness programs.

On-site inspections on IT and Cyber Security have highlighted important shortcomings

Shortcomings have been identified across all cybersecurity domains.

Insufficient identification of potential risks to systems, data, and assets.

This deficiency often stems from incomplete IT asset inventories or the absence of a security classification for systems and data. IT outsourcing arrangements often failed to sufficiently address IT security requirements. Additionally, several banks have a weak second line of defense against IT-related risks and fail to utilize all available information to identify IT security risks.

Inadequate protection of IT assets.

The inspections revealed notable gaps in the protection of IT assets, which is critical for ensuring the confidentiality, integrity, and availability of essential data. Many banks showed weaknesses in perimeter security systems, network segregation, security patch management, and the establishment of hardening baselines for key technologies in use. Security considerations are not always integrated into IT projects from the inception, or are addressed too late in the process.

Cybersecurity incidents are not detected in a timely manner.

Banks often fail to adequately implement Security Information and Event Management (SIEM): they do not collect all necessary logs from their perimeter security infrastructure and key business applications. Detection rules are often only partially implemented, which prevents the correlation of events across sources and the detection of potential incidents. Additionally, IT security reviews and testing do not consistently cover the full perimeter or occur with the required frequency.
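The gap the inspectors describe is easy to underestimate: a detection rule that needs two log sources silently stops working when one of them is not onboarded, and nothing in the SIEM reports the rule as broken. The example below is added here to illustrate that point; it is not code from the ECB, TriFinance or any product. The log lines are constructed, and the field names (`result=`, `user=`, `src=`, `action=`), the thresholds and the list of sensitive actions are assumptions chosen for the illustration. The correlation rule chains three stages: a burst of failed VPN logins from one source IP, a successful login from the same IP, and then a sensitive action in a business application by that account. With both sources collected the rule fires; with the perimeter logs missing, the same data export goes unnoticed.

```python
"""Cross-source SIEM correlation over constructed log lines (added example).

Rule: >= 3 failed perimeter (VPN) logins from one source IP within 5 minutes,
followed by a successful login from that IP, followed within 10 minutes by a
sensitive action in a business application for the same account.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines, not real logs. Perimeter (VPN gateway), syslog-style.
PERIMETER_LOGS = [
    "2024-05-30T08:00:01Z vpn-gw01 auth: result=FAIL user=jdoe src=203.0.113.7",
    "2024-05-30T08:00:09Z vpn-gw01 auth: result=FAIL user=jdoe src=203.0.113.7",
    "2024-05-30T08:00:17Z vpn-gw01 auth: result=FAIL user=jdoe src=203.0.113.7",
    "2024-05-30T08:00:31Z vpn-gw01 auth: result=OK user=jdoe src=203.0.113.7",
    "2024-05-30T08:05:00Z vpn-gw01 auth: result=OK user=asmith src=198.51.100.20",
]
# Constructed application audit lines (a core banking application).
APP_LOGS = [
    "2024-05-30T08:04:12Z corebank audit user=jdoe action=EXPORT_CUSTOMER_DATA rows=12000",
    "2024-05-30T08:06:40Z corebank audit user=asmith action=VIEW_ACCOUNT id=4471",
]

# Assumed log formats; a real deployment would use the vendor's parser.
PERIM_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
APP_RE = re.compile(r"^(?P<ts>\S+) \S+ audit user=(?P<user>\S+) action=(?P<action>\S+)")

# Assumed list of actions worth alerting on when they follow a suspicious login.
SENSITIVE_ACTIONS = {"EXPORT_CUSTOMER_DATA", "CHANGE_BENEFICIARY", "GRANT_ROLE"}


@dataclass
class PerimEvent:
    ts: datetime
    result: str
    user: str
    src: str


@dataclass
class AppEvent:
    ts: datetime
    user: str
    action: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_perimeter(lines):
    """Parse VPN gateway lines; unparseable lines are dropped (a coverage gap to monitor)."""
    out = []
    for line in lines:
        m = PERIM_RE.match(line)
        if m:
            out.append(PerimEvent(parse_ts(m["ts"]), m["result"], m["user"], m["src"]))
    return out


def parse_app(lines):
    """Parse application audit lines."""
    out = []
    for line in lines:
        m = APP_RE.match(line)
        if m:
            out.append(AppEvent(parse_ts(m["ts"]), m["user"], m["action"]))
    return out


def correlate(perim, app, fail_threshold=3, fail_window=timedelta(minutes=5),
              action_window=timedelta(minutes=10)):
    """Return one alert per (successful login after a failure burst, sensitive action) pair."""
    alerts = []
    fails_by_src = defaultdict(list)           # src IP -> timestamps of failed logins
    for ev in sorted(perim, key=lambda e: e.ts):
        if ev.result == "FAIL":
            fails_by_src[ev.src].append(ev.ts)
            continue
        # Stage 2: a success. Count failures from the same source inside the window.
        recent = [t for t in fails_by_src[ev.src] if timedelta(0) <= ev.ts - t <= fail_window]
        if len(recent) < fail_threshold:
            continue
        # Stage 3: a sensitive application action by that account shortly afterwards.
        for a in app:
            if (a.user == ev.user and a.action in SENSITIVE_ACTIONS
                    and ev.ts <= a.ts <= ev.ts + action_window):
                alerts.append({
                    "user": ev.user, "src": ev.src, "failures_before_success": len(recent),
                    "login_at": ev.ts.isoformat(), "action": a.action,
                    "action_at": a.ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    both = correlate(parse_perimeter(PERIMETER_LOGS), parse_app(APP_LOGS))
    print("both sources collected:", both)
    # The situation the inspections describe: the application is onboarded, the
    # perimeter is not. The export still happened, but the rule cannot see it.
    print("perimeter logs missing:", correlate([], parse_app(APP_LOGS)))
```

The second call returns an empty list, which is exactly what a SIEM dashboard would show a reviewer: no alert, and no indication that the rule was starved of one of its inputs. A practical check is to alert on the absence of expected log sources (a per-source "no events in N minutes" rule) alongside the detection rules themselves.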

Shortcomings in responses to cybersecurity incidents

Banks must plan and test responses to cybersecurity incidents. Many banks have incomplete or outdated crisis management and communication plans. They show weaknesses in the cyber incident reporting process, and inconsistent criteria for assessing incident severity.

Forensic data are often unavailable or insufficiently detailed, and computer emergency response teams are not operational 24/7.

Services and capabilities are not restored to normal operational levels in a timely manner.

Banks should be prepared to restore services and capabilities to normal operational levels in a timely manner. However, business continuity requirements often did not align with IT service capabilities. Many banks failed to run regular cybersecurity recovery tests for all critical applications and did not address the most common cybersecurity threats. Additionally, they did not fully test the ability to recover from backups and did not sufficiently involve service providers in continuity and recovery tests.

The gap analysis on DORA readiness is an outstanding opportunity for all financial institutions to take actions in areas with shortcomings in IT and cybersecurity risk management.

The next review will be the cyber resilience stress test in 2024, which will assess banks’ ability to respond to and recover from cyberattacks.

DORA readiness

Multiple publications have extensively covered the purpose, scope, and the five DORA pillars (ICT Risk Management, ICT-related Incident Management, Digital Operational Resilience Testing, Third-Party Risk Management, and Information Sharing). Therefore, we will limit our discussion to the high-level scheme below and a few key considerations.

The DORA requirements to be addressed are not new, at least not for the banking sector, as the comprehensive ICT questionnaire and the on-site inspections demonstrate.

"We believe that addressing the shortcomings already identified by the supervisory authorities will contribute to a large extent to DORA compliance," says Nathalie Gys. "DORA adds detailed requirements, formalization, and standardization, ensuring everyone speaks a common language and involves the second line of defense more."

The five DORA pillars present a significant challenge for financial institutions, given the tight deadline. The Board of Directors' extended accountability will be crucial for setting up proper governance, steering, and applying the proportionality principle.

Three Regulatory Technical Standards (RTS) were published as final drafts in mid-January 2024, complemented by an Implementing Technical Standard (ITS). They cover the ICT risk management framework, ICT third-party risk (the policy on ICT services supporting critical or important functions and the register of information), and the criteria for classifying ICT-related incidents. Another batch of RTS is expected this summer, leaving limited time for implementation.

"The new RTS and ITS set a higher bar with detailed expectations," says Risk Management consultant Nathalie Gys. "They include standardized processes with decision trees for incident classification and mandatory templates at both entity and (sub)consolidation levels. Importantly, all ICT third-party service providers must be considered, not just cloud providers."