Financial Services Firms and DORA: What the EU Regulations Mean and How to Ensure Compliance

Vitali Edrenkine
EVP, Marketing

The Digital Operational Resilience Act (DORA) establishes standards for financial services firms—and their third-party technology providers—that do business in and with the EU, much like the General Data Protection Regulation (GDPR).

This regulation states that financial institutions must manage all components of operational resilience, following “rules for the protection, detection, containment, recovery, and repair capabilities against [information and communications technology] ICT-related incidents.

Those risks are high. Sophos’ The State of Ransomware in Financial Services 2023 global survey of IT and financial industry cybersecurity professionals found that 64 percent of firms in the sector have been hit by ransomware. The costs of these attacks were significant, with nearly 39 percent of those attacked paying a ransom of $1 million or more. Those numbers illustrate the challenges and costs that come with failure to ensure data is protected. 

What Is DORA?

DORA standardizes and strengthens digital operational resilience by mandating that financial institutions have robust mechanisms in place to withstand, respond to, and recover from ICT-related disruptions and threats. It covers a wide range of financial organizations, including banks, insurance companies, and investment firms. The regulation’s inclusion of “third-party technology providers” is especially vital to note. If you are an IT pro at one of these firms, you must also ensure your vendors and partners are compliant.  

DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring. 

DORA’s Implications for Data Protection

Essentially, DORA mandates that you take a comprehensive approach to cybersecurity, including addressing these areas:

Perform regular risk assessments to identify vulnerabilities within your systems and processes.

Deploy robust cybersecurity and data protection defenses that eliminate identified vulnerabilities and ensure data is stored securely.

Ensure you can deliver regulatory reporting to authorities in a timely manner and have effective incident management and mitigation capabilities in place.

Establish a digital operational resilience testing framework that ensures your systems are resilient against cyber threats. 

In this regard, the International Bar Association (IBA) notes that “All financial entities must perform appropriate regular tests of ICT tools and systems, such as vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.”

Incorporate third-party risk management into your ICT risk management framework to comply with Article 6 of DORA, which states that you must “define a holistic ICT multi-vendor strategy, at group or entity level, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.”

Ensuring DORA Compliance

Your financial services firm must employ technology solutions that strengthen cyber defenses, ensure data protection, and provide operational resilience for business continuity. Here are a few solutions to include in your comprehensive data protection strategy.

Deploy advanced cybersecurity solutions such as firewalls, intrusion detection systems (IDS), and endpoint protection platforms. Sophos Intercept X Advanced offers a front-line cybersecurity defense that uses a deep-learning neural network to detect known and unknown malware without relying on signatures, protecting your data and backups.

Encrypt all data at rest and in transit to ensure data integrity, especially for sensitive data. Learn more about data encryption in our post 5 Common Encryption Algorithms and the Unbreakables of the Future.

Employ identity and access management (IAM) solutions to limit access to sensitive information only to authorized personnel.

Invest in effective disaster recovery (DR) and business continuity solutions that ensure your backups are always secure and available and that fast recovery is always possible. Arcserve Unified Data Protection (UDP) software delivers an all-in-one data protection, ransomware defense, and cybersecurity solution to neutralize attacks, restore data, and perform effective DR.

Deploy third-party risk management solutions that ensure vendor compliance with DORA. These tools help you assess your vendors’ cybersecurity practices and contractual compliance and ensure continuous monitoring of their services for potential risks. For more on the subject, see Gartner’s 2023 Third-Party Risk Management Benchmarking Report.

A Challenge and an Opportunity

For financial services firms, reputation is everything. While DORA regulations present compliance challenges, it is also your opportunity to further protect your reputation by implementing a comprehensive approach to data protection.

For expert help with data backup and disaster recovery, choose an Arcserve reseller technology partner

You May Also Like