The Digital Operational Resilience Act (DORA) is a European cybersecurity framework that was enacted in December 2022 and will be enforced starting in 2025. While created specifically to ensure the resilience of the European Union’s financial systems and institutions in the face of cyberattacks and other incidents involving ICT (information and communication technology), DORA applies not only to financial institutions but also to third-party providers of critical ICT services for the financial sector.
DORA vs. NIS2
The Network and Information Security Directive (NIS, currently NIS2) was the first EU regulation on cybersecurity, aimed at ensuring a high and common overall level of cybersecurity across EU member states. In contrast, DORA is focused specifically on operational resilience for the financial sector, thus complementing the more general security measures and controls specified in NIS2.
What is DORA?
DORA establishes a detailed and systematic regulatory framework for enhancing digital resilience and business continuity across the EU’s financial institutions in the face of mounting cyberattacks and other threats to availability and data integrity. Considering that modern financial systems are both entirely digital and heavily interconnected and interdependent, a common framework is crucial to minimize security risks, define region-wide ICT resilience levels, and enforce a unified system of oversight. The regulation states upfront that cybersecurity concerns span not only the entire sector but also external providers, supporting the case for an overarching EU-wide framework to ensure resilience:
Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.
DORA isn’t only for banks
It is estimated that DORA will apply to over 22,000 entities within the EU, covering not only financial institutions but also their ICT service providers. The scope is extremely wide, ranging from banks, investment firms, stock exchanges, and insurance companies to credit rating services, electronic money institutions, crowdfunding service providers, and many more.
The definition of ICT service provider is equally detailed, covering entities that provide “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider.” In other words, a wide variety of providers serving a wide variety of institutions will need to comply with DORA requirements.
While DORA is an EU regulation, ICT services often span the world, especially when it comes to cloud service providers. The framework takes this into account, explicitly allowing oversight to extend outside the Union:
Critical ICT third-party service providers should be able to provide ICT services from anywhere in the world, not necessarily or not only from premises located in the Union. (…) The Lead Overseer should therefore also be able to exercise its relevant oversight powers in third countries. Exercising those powers in third countries should allow the Lead Overseer to examine the facilities from which the ICT services or the technical support services are actually provided or managed by the critical ICT third-party service provider.
Three European Supervisory Authorities (ESAs) are charged with ensuring DORA compliance and helping to navigate its requirements: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Key focus areas of DORA
- ICT risk management: Financial entities must develop and maintain a comprehensive ICT risk management framework covering all aspects of ICT risk and resilience, from prevention and detection to response and recovery.
- Incident reporting and management: DORA requires entities to promptly report ICT-related incidents to competent authorities, establish incident management processes, maintain detailed records of incidents, and conduct post-incident analyses.
- Digital operational resilience testing: Crucially, DORA mandates operational resilience testing, including vulnerability scans and assessments, penetration testing, and gap analysis.
- ICT third-party risk management: Contractual arrangements with third-party providers must include adequate cybersecurity measures for financial institutions, and regular audits and risk assessments are mandated to mitigate supply-chain risks.
- Information sharing: Within their industry, financial organizations are required to exchange threat intelligence, define mechanisms to act on shared intelligence, and collaborate to enhance cybersecurity and resilience.
Application security testing under DORA
Article 25 of DORA explicitly requires financial institutions to perform operational resilience testing of their ICT systems and tools, including vulnerability assessments and scans:
The digital operational resilience testing programme (…) shall provide (…) for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
On top of that, centralized financial entities are specifically required to check for vulnerabilities before implementing any material change to their environments:
Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
Considering that Article 26 then provides detailed requirements for obligatory threat-led penetration testing (TLPT), it is clear that DORA puts a heavy emphasis on regular and proactive testing to ensure financial organizations (and their ICT providers) are constantly evaluating the resilience of their applications and infrastructure.
How Invicti can help with DORA-mandated vulnerability scanning
The Digital Operational Resilience Act recognizes the interconnected and almost entirely digital nature of modern financial services, providing a comprehensive framework to minimize risk and maximize the resilience of the European financial sector in the face of mounting cyberattacks.
With its test-driven platform for application and API security, including Predictive Risk Scoring and developer workflow integrations, Invicti can support financial institutions and their critical service providers in maintaining a proactive application security posture. Specifically, with continuous and accurate scanning solutions, Invicti helps solve requirements like those in Article 25 for performing vulnerability assessments before app deployment or redeployment.
Want to see us in action? Get a demo here.