Interpret the 5 DORA Pillars In 5 Minutes

How quickly can you interpret the five pillars of the Digital Operational Resilience Act (DORA)?

With this guide to the DORA pillars (the central chapters of the DORA legislation), you can get a good idea of the DORA requirements in around five minutes - yes, we timed how long this takes to read.

We give you an overview of each pillar and tell you who’s responsible for implementation. We also discuss other vital details and include frequently asked questions about each pillar.

ICT risk management

Overview: You need to have an ICT risk management framework with strategies, policies, procedures, ICT protocols and tools for the protection of information and software as well as physical assets.

Who’s responsible: Your Chief Information Officer (CIO), Chief Technology Officer (CTO), IT security team and risk management team.

What else: This is the biggest DORA pillar. It says you need to:

DORA ICT risk management FAQs

No. DORA does not mention specific technologies, but adequate security controls are mandatory for compliance. Your security stack may or may not need to be upgraded.


ICT-related incident management, classification and reporting

Overview: You need to be able to classify data breaches and other incidents and report them very quickly after they happen.

Who's responsible: Your IT, security, incident response and operations teams.

What else: You need to be able to record, classify, and address all ICT-related incidents and cyber threats and their root causes within one week. You also need a process for reporting major incidents to senior management, relevant authorities, and clients if their financial interests are impacted.

DORA ICT-related incident management, classification and reporting FAQs

Any event that has a “significant impact” on your ICT systems. This could be a data breach or an attempted insider attack.

Within 4 hours of becoming aware of the incident. You also need to provide a more detailed report within a week.


Digital operational resilience testing

Overview: You have to test for vulnerabilities and attack pathways regularly and thoroughly. This means standard tests you might already do, like vulnerability assessments, network security testing, and penetration testing.

However, this DORA pillar also brings in something called threat-led penetration tests (TLPT). These advanced tests, conducted every three years, are like red teaming exercises. TLPTs must be delivered by an independent party, whether you use an internal or external team to do the actual testing, and must follow a risk-based approach. You also need procedures to fix anything that comes up during a test.

Who’s responsible: Your internal IT and security teams and any external consultants you contract.

What else: There are two sets of requirements for who can carry out your threat-led penetration testing.

External testers must be reputable, technically capable, accredited, and have professional indemnity insurance.

Internal testers need the approval of the competent authority (national or regional regulatory bodies like the European Banking Authority), must have dedicated resources to avoid conflicts of interest, and must use external threat intelligence providers.

DORA digital operational resilience testing FAQs

Standard testing should be done annually, while TLPTs are required every three years.


Managing ICT third-party risk

Overview: You need to manage risks associated with ICT third parties and ensure contractual and operational resilience in case of a supply chain attack.

Who’s responsible: Internal risk management and procurement teams.

What else: You need a holistic third-party risk strategy. This means having a register of all your third-party ICT providers and ratings of their importance to your operations and their security risks.

You must review your third-party risk strategy and register regularly (at least annually). You need to report it to the competent authorities at least yearly.

It’s your job to ensure that these third parties meet security standards through your contracts. Plus, you need to plan for continuity. This means having exit strategies for critical services and ensuring your customers won’t be impacted if your main providers fail.

DORA ICT third-party risk FAQs

You need to choose ICT services partners that are DORA compliant. You will also need to divide your ICT providers into two categories - providers supporting critical or important functions and those supporting non-critical functions.

DORA has specific requirements for both of these types of service providers.

You need to vet them and make sure they comply with DORA's security and reporting standards.


Information-sharing arrangements

Overview: You can share cyber threat intelligence within trusted, small communities to enhance awareness and protect sensitive data.

Who’s responsible: Your crisis communication team, public relations (PR) team, and senior management.

What else: Anything you share must still protect the sensitive information involved. You must avoid sharing customers’ personally identifiable information or doing anything that might violate the GDPR.

DORA information-sharing arrangements FAQs

Any threat signatures, behaviours or tactics that could prevent future attacks on other financial firms.


...

4:58

4:59

... aaand five minutes! Mission accomplished.

:-)



Become DORA Compliant with SECFORCE

SECFORCE offers an end-to-end DORA consultancy service that pairs our FSI compliance experts with your internal team to bring you honest, independent gap analysis and DORA compliance strategy.
