Organisations in the financial services sector in the European Union (EU) have less than a year to demonstrate Digital Operational Resilience Act (DORA) compliance.
What is DORA, does it apply to your organisation, and how does DORA compliance intersect with one of today’s major cybersecurity concerns: identity threat detection and response (ITDR)? Semperis digital resilience experts answer these questions and more in this all-encompassing overview of DORA compliance.
What is DORA?
DORA is an EU regulation that comes into effect in early 2025. Unifying and replacing guidance such as the Operational Resilience Act, DORA is far-reaching and more prescriptive and enforceable than previous guidelines.
This new framework demands that financial institutions, services, and any other financial entity show their ability to protect and recover critical services in the event of operational disturbances. DORA compliance has an increased focus on cyber security events and IT issues, mandating that firms demonstrate their cyber incident response capabilities through improved visibility, planning, and rigorous testing.
Do DORA compliance demands apply to you?
Are you a financial entity or do you operate in financial services in or with the EU? Or are you an information and communication technology (ICT) provider that supports such an organisation? If so, then you need to prepare to adhere to DORA requirements.
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU. The regulation also applies to the ICT infrastructure that supports those organisations from outside the EU [1].
If your organisation meets these conditions and falls within one of the following categories, DORA compliance requirements will apply to you:
- Credit institutions
- Payment institutions
- Electronic money institutions
- Investment firms
- Crypto-asset service providers, issuers of crypto-assets, issuers of asset-referenced tokens, and issuers of significant asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
- Institutions for occupational retirement pensions
- Credit rating agencies
- Statutory auditors and audit firms
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- ICT third-party service providers [2]
Even if you’re a financial institution that operates outside the EU, DORA requirements may still apply to you. Many non-EU countries are releasing legislation similar to DORA regulation. The time to assess your DORA compliance is now—wherever your organisation is located.
Why DORA? Why now?
Advancements in technology and engagement with third- and fourth-party technology partners make risk mitigation, preventative measures, and visibility both complex and challenging for finance entities.
Technology is a double-edged sword; both threat and solution. Alongside grappling with new technology within their own environment, organisations in the financial services sector must also address the evolution of malicious technology.
Increasingly sophisticated technology is enabling AI-powered deepfakes and large-scale attacks. At the World Economic Forum 2024 in Davos, Mary Erdoes (Head of Asset and Wealth Management at JP Morgan) said the bank suffers 45 billion hacking attempts every day [3]. No wonder cyber and ICT considerations take centre stage for DORA.
“The proliferation of new technologies is opening banks to risks they may have never had to grapple with before,” notes Deloitte. “Open banking and the increase in partnerships with technology partners can expose banks’ infrastructure to new vulnerabilities and cyberattacks. Fourth-party risks are also becoming more of a threat as banks engage in more partnerships with service providers that have their own vendors.” [4]
The challenges of DORA compliance
By now, every tech team—whether focused on IT operations, infrastructure, security, or identity—has some form of disaster recovery plan: processes to follow in the event of an attack or cyber event. This is especially true for those in financial services. However, the complexities within the new remit for DORA, particularly concerning cyber resilience and ICT, are seismic.
This regulation will undoubtedly expose gaps and uncover risks in existing plans and processes. DORA is set to challenge the readiness of even the most sophisticated financial services organizations. What’s more, finance entities must not only consider DORA compliance for the technology systems they own, but for all the systems and services they procure from third-party providers.
The consequences of failing DORA compliance requirements
Companies that are found to be non-compliant with DORA will be subject to significant and sustained fines. Similar to GDPR non-compliance, there is no fixed penalty. Instead, fines will be proportionate.
- An organization found to be non-compliant by the relevant supervisory body may be subject to a periodic penalty payment of 1% of the average daily global turnover in the preceding year, for up to 6 months, until compliance is achieved.
- The supervisory body may also issue cease-and-desist orders, termination notices, additional pecuniary measures, and public notices. [5]
It isn’t just fines that organizations should be keen to avoid, though. There is also a sizable reputational risk to non-compliance, especially if it relates to a poorly handled disruption or incident. Loss of trust and poor reputation in the industry can be even more costly than fines. For small to midsize organisations, such issues can cause irrecoverable damage to the business.
Where to begin: DORA compliance and ITDR
How does DORA compliance intersect with ITDR—a growing necessity as cyberattackers increasingly target identity systems in an attempt to gain access to and control of resources in targeted organisations?
Consider the following three paragraphs from DORA Article 5, discussing the ICT risk management framework.
- Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that matches their business needs, size and complexity.
- The ICT risk management framework referred to in paragraph 1 shall include strategies, policies, procedures, ICT protocols and tools which are necessary to duly and effectively protect all relevant physical components and infrastructures, including computer hardware, servers, as well as all relevant premises, data centres and sensitive designated areas, to ensure that all those physical elements are adequately protected from risks including damage and unauthorized access or usage.
- Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, protocols and tools as determined in the ICT risk management framework. They shall provide complete and updated information on ICT risks as required by the competent authorities. [6]
Identity is widely acknowledged as the new security perimeter. It is also the key to operational resilience. In the case of Active Directory, for example, cyber resilience (the ability to keep AD running and to recover it quickly if needed) is the foundation of operational resilience. If AD is down, so are operations.
When we talk about risk and risk management as part of DORA, we must include risk to the identity infrastructure. So, where do you begin?
1. Identify your critical IT systems and services
First, examine your environment and identify which services must remain available to avoid negative impacts to your customers. For example, a bank would need to maintain the accessibility and functionality of banking applications, including paying in a cheque, making an international money exchange, or any system or service that connects to a clearing house.
Next, determine which systems, services, and technologies in your organisation support these critical services. Map out all associated dependencies.
2. Plan to protect and recover
When you have mapped dependencies comprehensively for every service and scenario, the next step in DORA compliance is to ensure that you can monitor those services and dependencies effectively. You will need a testable recovery process.
Having spent a lot of time talking to organisations going through the DORA compliance process for Active Directory, we found that one of the biggest takeaways is that the regulation requires regular ‘live drills’ for your recovery tests. Although many teams test some of their critical systems semi-regularly, the testing conditions might not be fully realistic. Sometimes it is a partial test, or services are tested in isolation from the systems that depend on them.
DORA requires a level of live drill testing that most teams are not used to doing.
3. Get your head around DORA—then get your hands around AD security
Active Directory is a critical system in almost every organization. AD is used to:
- Store user information
- Manage user access and authorization
- Allocate resources to services, assets, and data
Active Directory also acts as the authentication engine for users. This means that AD is not only very firmly within scope for DORA for almost 100% of organisations; it is also a major infiltration target and a perfect entry point for bad actors, acting as a gateway to your users, data, and organisation.
DORA compliance and Zero Trust
Zero Trust refers to a security framework that treats every potential user as untrustworthy until proven otherwise. It means that all users must be verified before being given access to privileged parts of your network.
Such privileged access management is a pillar of DORA regulation. Yet an effective Zero Trust strategy depends on effective delegation management in Active Directory. Configuration creep, lax access control across various users and groups, and simple human error can give cyber threats a means to gain or escalate privilege in AD. And successful identity compromise hobbles even your most strenuous Zero Trust efforts. As we often say, “Most attackers don’t hack in … they log in.”
DORA compliance: Headache or opportunity?
Compliance with any new regulation is daunting and can be frustrating due to the complexities and changes that need to be made. Many teams facing this challenge see DORA as a headache. But the new regulation also brings opportunities, especially for AD security and management.
DORA is working to improve the operational resilience of organizations through tighter regulation. Do you have concerns about:
- Active Directory bloat or ‘configuration drift’
- Ongoing maintenance challenges or human error
- A shaky AD recovery process
If so, now is the time to address these issues. As DORA will be part of the law, and the risks of non-compliance include large, sustained fines (1% of daily global turnover until compliance is deemed achieved) alongside reputational damage, regulation compliance must be a strategic priority for the business. Resource and budgetary allocation to support this project will be more compelling for sign-off at the board level.
The process might be painstaking at times. But this is your chance to get your house in order and set up the level of monitoring, testing, and governance required to best maintain AD moving forward.
How to simplify the path to DORA compliance
Semperis helps organizations gain control of Active Directory security. With the Semperis identity resilience platform, your organization can:
- Evaluate the AD attack surface
- Locate hybrid AD vulnerabilities
- Monitor changes to Active Directory and Entra ID
- Spot advanced threats that are designed to evade traditional monitoring tools
- Automate the rollback of suspicious changes
- Create secure, efficient AD backups and recovery plans
- Recover AD an average of 90% faster than via manual recovery
DORA is the future
Many advisory bodies have suggested that organizations not within DORA’s remit should still consider aligning with the regulation’s practices where possible. Similar regulation may arrive for other industries, or such businesses could become targets once DORA has improved the sophistication and cyber capabilities of finance entities. Either way, full visibility, comprehensive mapping, and detailed recovery planning and test readiness are clearly the future of cyber and operational resilience for all organizations.
Resources
1. https://www.pwc.co.uk/industries/financial-services/insights/dora-and-its-impact-on-uk-financial-entities-and-ict-service-providers.html
2. https://www.digital-operational-resilience-act.com/DORA_Article_2_(Proposal).html
3. https://fintechmagazine.com/articles/capgemini-the-challenges-and-opportunities-dora-presents
4. https://www2.deloitte.com/xe/en/insights/industry/financial-services/financial-services-industry-outlooks/banking-industry-outlook.html
5. https://www.orrick.com/en/Insights/2023/01/5-Things-You-Need-to-Know-About-DORA
6. https://www.digital-operational-resilience-act.com/DORA_Article_5_(Proposal).html