High-level implementation guide
Short description and background
The Digital Operational Resilience Act (DORA) is an EU regulation that can be compared to GDPR, but for digital products and services instead of personal data. DORA is specifically developed for the financial sector and, slightly simplified, all companies under the supervision of the Financial Supervisory Authority in each country (for instance Finansinspektionen in Sweden) are covered by DORA.
Additionally, companies that are not directly under the supervision of the Financial Supervisory Authority may also need to comply with DORA if their customers are subject to it.
The goal of DORA is to ensure that the financial sector can withstand, properly manage, and effectively recover from all types of disruptions and threats to their IT services (ICT, using DORA lingo).
IT services are referred to in DORA as “ICT”. The more formal definition in DORA is: "ICT-related threats and incidents." "ICT" stands for Information and Communication Technology and is a widely used term throughout DORA (the Swedish term is "IKT"). Please note that DORA manages technology and digital services, not a wider array of risks as in, for instance, ISO 27001, where all types of risks should be included.
High-level Compliance Overview
Below follows a high level overview of requirements that organizations are expected to implement in order to be DORA compliant. Being an overview, this is not an exhaustive list of all requirements. However, it provides a comprehensive starting point for organizations to understand the key areas they need to address to achieve DORA compliance. For more details regarding what needs to be implemented, please see this article.
The following points outline the main aspects of a DORA compliance.
Use a risk-based information security approach to manage ICT related risks to secure the delivery of your service. If you are working accordingly to ISO 27001, you are already doing this. If not, looking at the risk assessment & treatment parts of ISO 27001 will give you all you need to be compliant with this requirement.
Secure and protect data in relation to:
availability: basically, uptime, including strategies around redundancy, disaster recovery, performance and scalability
authenticity: that your data is genuine, original, and has not been tampered with or altered in an unauthorized manner
integrity: slightly simplified, data “correctness”, meaning that if you transfer $100 to your savings account the bank must secure the integrity of the data by making sure that you have $100 on your savings account no matter what, by using, for instance, input validation, error checking, audit trails, means of quick and secure recovery in case of disruptions, etc.
confidentiality: the protection of sensitive information from unauthorized access, disclosure, or exposure - basically, appropriate access control
Use a proactive approach to manage ICT vulnerabilities.
If applicable, use established standards and best practicies for information security like ISO 27001, SOC 2, NIST Cybersecurity Framework, CSA Cloud Control Matrix, and SOGP.
Implement clear roles and responsibilities to manage security and use role segmentation.
Make sure to effectively handle ICT assets including capacity management and risks with legacy systems.
Put in place appropriate ICT change management processes and procedures.
Separate test and production environments.
Implement effective patch management.
Secure procedures to timely communicate potential security threats.
Only strong identification measures to manage user access rights should be used.
Establish comprehensive ICT-related incident management policy and procedures.
Secure procedures to timely communicate potential security threats.
Regularly review and improve your ICT risk management framework.
Implement effective, DORA compliant, incident reporting procedures.
The most important pice of advice
If you have done a SOC 2 or ISO 27001 certification, the actions above will sound very familiar and most probably, you only have a couple of smaller steps to take for being DORA compliant. But if you are just starting out, it's easy to become overwhelmed with the list above. The most important piece of advice we can give you is to not feel like this looks just too much and too complicated. We won't lie to you, it will definitely require work from your side but at the same time, it's not as bad as it might look and it's definitely not that complicated.
Start with risksAs you probably know by now, the core of DORA is to use a risk-based approach. Therefore, we strongly advise you to start there. Do your homework around how to do an ISO 27001-based (you don't need the whole ISO 27001 shebang to start with if you want to keep things simple) risk assessment and treatment and start there. Once you have implemented this part, you will have done most of the things that DORA requires and the rest should be a walk in the park.
Please note that DORA does not require you to do things the ISO 27001 way. It does encourage you to use established and well-proven standards if applicable, but there are no strict requirements to use ISO 27001 or any other standard. The reason why we are advocating using ISO 27001 for the risk parts is that it's kind of the gold standard of a risk-based approach to security management.
If you feel like you might need some support with implementing DORA compliance, please don't hesitate to reach out to us. We will make sure to give you exactly the level of support you need, nothing less, nothing more.
