What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is European Union (EU) legislation designed to improve the cybersecurity and operational resilience of the financial services sector. It complements existing laws such as the Network and Information Security Directive (NISD), the General Data Protection Regulation (GDPR), ePrivacy and others. DORA creates a regulatory framework for digital operational resilience under which all firms must make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member countries, aiming to strengthen cyber security readiness and resilience and to mitigate the risk of cyber security incidents.
Key DORA Requirements
DORA addresses a broad spectrum of topics pertaining to digital operational resilience in the financial sector. It establishes consistent requirements for the security of network and information systems of companies and organizations within the financial sector, as well as critical third parties that offer ICT-related services to them, including cloud platforms or data analytics services. Some of the key areas encompassed by DORA include:
- ICT Risk Management, Governance and Organization requirements
- Resiliency Testing
- Information Sharing
- ICT risk management requirements and Managing ICT third-party risk
- Incident Management, Classification & Reporting
- Track, Monitor, Audit & Analyze Access
SecuPi For DORA Compliance
Compliance with DORA's regulatory requirements is a complex process of mapping current structures and processes, planning decisions and implementing measures across the organization's operations.
Mapping, Discovery & Classification
First, financial institutions should map out all current strategies, policies and processes for managing ICT-related risks, along with roles and responsibilities for all ICT-related functions and coordination structures within their organization.
While mapping policies and processes is labor-intensive, it is a critical part of the planning process and gap analysis.
SecuPi offers a set of sensitive data discovery and classification capabilities, including:
- Application Driven Discovery and Classification.
- Auto-discovery and classification engine for datastore-level discovery.
- Out-of-the-box integration and seamless enforcement of policies over ISV data catalogs and data-discovery tools.
DORA requirements should be properly classified and systematized by relevance and priority in order to have a clear picture of the overall measures, tools and processes involved, as well as their interdependencies, which is necessary to establish a solid action plan for compliance. SecuPi offers context-aware user activity monitoring, tagging and analysis, providing unmatched visibility into end-to-end user activity across the organization's users and ICT technologies.
The information gathered throughout mapping and classification feeds the organization's gap-analysis process with accurate visibility into who is doing what, where and when, so the organization can develop an action plan to mitigate the gaps identified during the analysis.
Implementation of the Action Plan
The action plan outlines the anticipated state of DORA compliance once the requisite controls are implemented. Organization stakeholders are required to review, discuss and approve the action plan, including its timetable. Additionally, they should facilitate the necessary delegation of authority to the program owner, enabling the financial entity to meet DORA requirements. This process should take into account the proportionality principle when determining how the required controls are implemented.
SecuPi offers a technology-agnostic, data-centric security platform, specifically designed to address regulated organizations' compliance, governance, privacy and data security requirements and regulations, offering a superset of capabilities, consistently enforced over on-premises, hybrid and cross-cloud platforms:
- Real-time visibility and user behavior analysis
- Fine-grained access control (ABAC)
- De-identification of data, at rest and in use
Want to learn more about how SecuPi helps organizations comply with DORA requirements?