Portal login· articles
Exploring DORA: The Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) came into effect in January 2023, with financial organisations required to comply by January 2025. This guide explains how you can prepare yourself for these regulations, and how IT network infrastructure is a key part of the puzzle.
/f/148396/1500x1000/7d376b99ec/dora.png)
The Increasing Importance of IT Networks in Financial Services
As financial organisations become more dependent on technology, the risks associated with cyber threats have escalated. Downtime and data loss from cyber-attacks pose significant threats. Recognising these challenges, the European Union (EU) introduced DORA to bolster IT security and operational resilience across the financial sector.
This guide focuses on the critical role of IT networks in complying with DORA. Read on to learn about DORA, its enforcement, and the steps to prepare your IT infrastructure before January 2025.
What is DORA?
DORA is a regulatory framework designed to enhance the operational resilience of financial services operating in the EU. Its primary goal is to ensure the continuity of financial services, protect consumers, and maintain financial market stability by setting clear requirements for digital operational resilience.
Key Components of DORA
Risk Management: DORA mandates robust risk management practices, requiring financial entities to identify, assess, and mitigate digital risks to ensure the uninterrupted provision of critical services.
Third-Party Risk Management: Organisations must monitor and manage risks from third-party providers, ensuring secure practices through contractual agreements.
ICT Incident Reporting and Management: Financial entities must report significant incidents promptly, enabling authorities to respond quickly and mitigate disruptions.
Digital Operational Resilience Testing: Regular stress tests and scenario-based exercises are required to evaluate and enhance resilience measures against potential disruptions.
Information Sharing: DORA encourages collaboration and information exchange among stakeholders to improve collective response capabilities during critical incidents.
An Important Note for UK Financial Organisations
Post-Brexit, many UK firms—especially smaller third-party ICT suppliers—might believe they are exempt from these new cyber risk management and operational resilience requirements. However, this assumption is likely incorrect.
DORA applies to UK-based entities that engage in any of the financial market activities covered by the Act within the EU. Additionally, "Critical ICT Third Party Providers" (CTTPs) to European financial firms must comply with DORA's requirements. Even those not classified as CTTPs may face these requirements through their contractual relationships with financial firms.
DORA is expected to impact thousands of UK entities, many of which will encounter these standards for the first time.
There is a silver lining for in-scope UK firms: they might already be compliant with similar regulations and standards, such as SS2/21 and ISO27001, which align closely with DORA. This means much of the groundwork may already be in place for these organisations.
"DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers."
Why the IT Network is Crucial for DORA Compliance
The IT network is the backbone of any financial organisation's operations. Ensuring the resilience and security of this infrastructure is essential for compliance with DORA. Here’s why:
Data Integrity and Availability: A robust IT network ensures the integrity and availability of critical data, supporting continuous service delivery.
Incident Detection and Response: A resilient network infrastructure enhances the ability to detect, report, and respond to cybersecurity incidents promptly.
Third-Party Integration: Secure and well-managed network connections with third-party providers mitigate risks and contribute to compliance with DORA’s third-party risk management requirements.
Testing and Monitoring: Regular testing and monitoring of the IT network help identify vulnerabilities and assess the network's resilience to potential disruptions.
Information Sharing: Efficient and secure information sharing within the network supports collaboration and improves incident response across the sector.
Steps to Prepare Your IT Network for DORA
1. Conduct a Network Risk Assessment
Identify potential vulnerabilities within your IT network. Assess risks and develop mitigation strategies to ensure the network's resilience against cyber threats.
Want help with this? Contact us here:
Network Architecture Review2. Enhance Incident Reporting and Response
Develop and implement procedures for prompt incident reporting and response. Ensure your IT network supports these processes to minimise disruption and protect critical services. Cloud Gateway, for example, is able to consolidate security events and network logs into a single portal experience, allowing you to send data to a SIEM/SOC.
3. Regularly Test Network Resilience
Conduct regular stress tests and scenario-based exercises to evaluate your IT network’s ability to withstand and recover from disruptions. Use these tests to refine your response strategies. If you're using a service provider for your network, ensure they are doing this on your behalf and sharing the results with you.
4. Foster Secure Information Sharing
Promote secure information sharing within your organisation and with external stakeholders. This collaboration enhances collective cybersecurity efforts and improves incident response. Ensure any links you establish to users, sites, clouds and third parties are secure, with clear access controls.
5. Implement Robust Third-Party Management
Ensure that third-party providers adhere to secure practices. Establish contractual agreements that outline security requirements and regularly monitor compliance.
How Cloud Gateway Can Help
We can conduct a Network Architecture Review to provide insights into the state of your network, and flag any risks to your organisation from security and compliance perspectives.
Our platform is designed to bring resilient connectivity and security services together in a way that puts visibility and control back into your hands. Shadow IT, duplication and unsecured network connections can all pose a risk to DORA compliance and operational continuity.
Speak to us to find out more, or read more about our work with financial services organisations below.
Cloud Gateway for Financial Services/f/148396/5583x3727/c2733636e6/article-cloud-migration-risks-financial-services.jpg)
/f/148396/1500x1000/dbc7efe832/cloud-gateway-1500-1000-uk-insurance.png)
/f/148396/1500x1000/6dd863a98c/insurance-featured-image-website.jpg)