Fortinet always has a sharp eye on cybersecurity developments around the world, so it’s no surprise that we are keenly aware of the European Union’s proposed Digital Operational Resiliency Act (DORA). Recently, the Council of the EU presidency and the European Parliament reached a provisional agreement on DORA. It is expected to pass into law by each EU member state by the end of this year.
In addition to the DORA agreement, the Council and the European Parliament also agreed on a directive to further improve the resilience and incident response capacities of the EU’s public and private sectors to cyberthreats. The NIS2 directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.
DORA is designed to consolidate and upgrade information and communications technology (ICT) risk requirements across the EU financial services industry (FSI). The goal is to harmonize risk management across member states in the financial sector using one common set of standards for their operations to mitigate cybersecurity risks. Proponents of DORA say it will “make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.”
One reason for the creation of DORA is that the global pandemic accelerated digital banking. This trend of customers doing more online is prompting banks and financial services companies to respond correspondingly and accelerate their migration to the cloud and provide more digital services.
Another reason for DORA is PSD2, which is an EU directive that leveled the playing field in the financial marketplace. The objectives of PSD2 were to create a more integrated European payments market, making payments more secure and protecting consumers. The result is that new players like challenger banks and digital natives (e.g., Fintechs, BigTechs) are coming into the market and offering financial-type services to customers via APIs. This is referred to as “open banking,” and it is a global trend that allows non-traditional players and banks to share customer data.
For open banking to be successful, organizations need to adopt digital platforms that facilitate cloud computing, Software-as-a-Service (SaaS) services, and other online applications. However, because there are only a handful of cloud service providers (CSPs) on the market, EU regulators are concerned about the concentration of risk and the systemic effect on the entire financial industry if a CSP were to experience a major issue. Consequently, EU regulators are drafting DORA to mitigate these effects, prescribe best practices, and ensure a more resilient financial industry against cyberattacks.
In addition to DORA, the European Union Agency for Cybersecurity (ENISA) is developing a cybersecurity certification process that aims to further improve the EU’s internal market conditions for cloud services by improving and simplifying the services’ cybersecurity guarantees.
Currently, the proposed DORA regulation reads: “Financial entities shall identify all ICT systems accounts, including those on remote sites, the network resources and hardware equipment, and shall map physical equipment considered critical. They shall map the configuration of the ICT assets and the links and interdependencies between the different ICT assets.”
The draft copy goes on to say that the EU’s financial organizations must follow a risk-based approach to “establish a sound network and infrastructure management” and use “automated mechanisms to isolate affected information assets in case of cyberattacks.”
Furthermore, European financial services organizations will be required to “design the network connection infrastructure in a way that allows it to be instantaneously severed and shall ensure its compartmentalization and segmentation, in order to minimize and prevent contagion, especially for interconnected financial processes.”
In addition to uniform ICT risk management, Europe’s financial services organizations will be required to report all major ICT-related incidents to “the competent authorities; perform periodic digital operational resiliency testing; share information and intelligence related to cyberthreats and vulnerabilities; and measure and manage third-party ICT service provider risks.”
It seems very likely that DORA will have a strong effect on third-party organizations that service FSI companies. The current proposed law will require an “oversight framework for critical ICT third-party service providers when providing services to financial entities.” And there will be clear “rules on cooperation among competent authorities and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.”
Additionally, in the event of an ICT cybersecurity incident, DORA requires third-party service providers to provide assistance to FSI organizations at no extra cost.
One of the key components of DORA is the digital operational resilience testing program, which calls for a broad range of assessments of European FSI organizations. The tests include “vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing or penetration testing.”
Organizations that fail to meet DORA standards can expect to pay fines that, “calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year.”
The drafting of DORA’s regulatory technical standards was done by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) along with ENISA.
DORA will apply to an expansive range of FSI organizations. They will include credit institutions; payment institutions; electronic money institutions; investment firms; crypto-asset service providers, issuers of crypto-assets; central securities depositories; central counterparties; trading venues; trade repositories; managers of alternative investment funds; management companies; data reporting service providers; insurance and reinsurance undertakings; insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries; institutions for occupational retirement pensions; credit rating agencies; statutory auditors and audit firms; administrators of critical benchmarks; crowdfunding service providers; securitization repositories; ICT third-party service providers; and crypto assets providers.
Many of these types of organizations have not previously been subject to the ICT regulations that are within DORA’s scope. The expectation is that financial service organizations under its purview will treat DORA as a best-practices guide for their industry, specifically regarding cybersecurity and resiliency.
While DORA will be an EU regulation, its effects will go well beyond Europe’s borders. It will impact businesses and industries on a global scale, similar to how the General Data Protection Regulation (GDPR) has affected countries outside of the Union since it became law in May 2018.
As usual, Fortinet is staying ahead of the curve. Before DORA becomes law, we are prepared to help our European financial services customers and global organizations that work with EU companies anticipate and respond to DORA’s demands.
Of course, Fortinet will assist our customers in monitoring networks and mitigating cyberthreats and cyberattacks. We will also help our customers comply with the DORA rules by aligning to the final version of the regulations and provide:
Find out more about how Fortinet secures financial services organizations from cyber threats while optimizing cost and efficiency. Also, stay tuned for our financial services-focused series of podcasts on this topic, coming soon.