Understanding the European DORA Regulation

The European DORA regulation on digital operational resilience enters into force at the beginning of 2023 and will apply from January 17, 2025. What are the major changes for the stakeholders concerned, and what does this new regulation expect of them? Frans Imbert-Vier, CEO of UBCOM, answered these questions.

🎙 If you don’t have time to read the article, you can listen to the podcast in French: HERE

What is the main objective of DORA and what does it offer?

Frans Imbert-Vier (FIV): The DORA (Digital Operational Resilience Act) regulation is designed to prevent and mitigate cyber threats. It provides a detailed and comprehensive framework on digital operational resilience for financial institutions, including family offices as soon as funds under management exceed €2 million.

Who does it concern?

FIV: The DORA regulation applies to financial institutions and service providers operating in financial services within the European Union. This concerns about 20,000 financial organizations across Europe. These include credit and payment institutions, but also trading platforms, trade repositories, fund managers, asset management companies, data communication service providers, insurance companies, credit rating agencies, securitization repositories and occupational pension institutions.

What is the basis of DORA regulation?

FIV: The DORA regulation is based on 5 pillars:

  1. The establishment of an IT risk management framework that is solid, complete and documented.
  2. Mandatory reporting to the ACPR (Autorité de contrôle prudentiel et de résolution) of major IT incidents.
  3. The implementation of an operational resilience testing program, with annual tests and, for some entities, threat-based penetration tests.
  4. The implementation of a risk management framework for third-party IT service providers.
  5. Finally, the possibility to organize information and intelligence sharing on cyber threats between financial entities.

What are the consequences for financial entities?

FIV: Financial entities need to consider whether the service they are offering is critical, to take into account the level of complexity, as well as the extent of the relation of dependency with the service provider.

Under the DORA regulation, financial entities will be required to update their contracts with subcontractors, including complete descriptions of services, the final location of data hosting, guarantees of access, recovery and return of data in the event of provider failure, and third-party technical audit capabilities. The DORA regulation defines a resilience testing program to be performed at the organization’s expense, at least once a year, by independent internal or external parties. This includes a series of assessments, methodologies, practices and tools.

What is the big picture of the digital operational resilience strategy? What are the actions that need to be planned?

FIV: We need to identify what we have that is strategic. That is to say, the information that, if it were to become known to an adversary, would cause an economic disaster for the victim organization. It is also necessary to detect what has been leaked and concerns us, in order to clear it up. This protects reputation, reduces brand noise on the internet and, most importantly, allows for better regulatory compliance as of 2025. Thus, the organization will be able to claim full compliance and increase its chances of gaining market share against the competition. Finally, it will be necessary to continuously identify information about the organization that could facilitate its compromise. This means detecting leaked passwords and contractual documents published on leak servers, or monitoring the reputation and image of an executive to preserve privacy, but also the reputation of the brand.

How can UBCOM’s experts support the actors concerned by the DORA regulation?

FIV: UBCOM offers strong expertise in business intelligence and investigation, supported by a sovereign search engine, which respects the law, and enables threats to be identified at a lower cost by generating tangible facts that can be exploited in a legal context, for example.

UBCOM benefits from a team of renowned experts and selects the best technological solutions in order to support you on the various challenges related to this new European regulation. The French solution from Aleph Networks is one of them. Thanks to a high-performance search engine certified by UBCOM, the Aleph Search Dark solution, combined with the expertise of UBCOM consultants, is at your disposal to assist you in the risk analysis and audit of contracts with technical service providers in the context of the DORA regulation.