DORA – Challenges & Solutions

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a directly applicable EU regulation that aims to increase the digital operational resilience of financial entities and thereby strengthen confidence in the financial sector. Its further key objectives are:
  1. Harmonise the regulation of ICT risk for financial entities (including banks, insurance companies, payment service providers and investment firms) across the EU
  2. Strengthen the monitoring and control of ICT third-party providers (ICT = information and communication technology)
  3. Improve and further harmonise the reporting and notification obligations for cyber and IT incidents
  4. Strengthen ICT risk management and resilience (e.g. through extended testing of ICT systems)
Implementing DORA poses significant challenges for the financial sector. Effective ICT risk management, the handling of ICT-related incidents and cyber threats, regular testing of digital operational resilience and the management of ICT service providers are the core elements of the DORA requirements. Financial organisations need to implement these measures to strengthen their cyber resilience and to meet the regulatory requirements on a sustained basis.

The first step is a gap or maturity-level analysis, which shows where gaps remain in IT risk management, IT security and IT service provider management.

To close the identified gaps, the required actions and timelines need to be planned, dependencies identified and responsibilities assigned. We support you in planning and implementing your action plan so that the identified gaps are closed adequately and proportionately and your resilience is strengthened. Close cooperation between the 1st and 2nd Line of Defence (LoD) functions is essential to ensure that all regulatory requirements are met comprehensively and without gaps. We recommend involving the 3rd LoD (internal audit) at an early stage.


Financial organisations must develop and implement a comprehensive ICT risk management framework that is tailored to their size, complexity and risk profiles. This framework must ensure that risks associated with ICT systems are identified, assessed, mitigated and (continuously) monitored.

Challenges of ICT risk management

  • Governance & organisation: The management and supervisory bodies are directly responsible for effective ICT risk management and for monitoring and controlling ICT risks. For this purpose, clear responsibilities and processes for decision-making and for regular and ad hoc reporting to management and the relevant supervisory authorities must be defined. Sufficient resources must also be made available for appropriate ICT risk management, and both management and all employees must be trained regularly so that they are sufficiently aware of potential ICT risks.
  • DORA resilience strategy: Companies must decide whether to develop a dedicated digital operational resilience strategy or to adapt existing strategies to the requirements of DORA and supplement them where needed.
  • Prevention, detection and defence (continuous monitoring): Companies must implement measures to prevent, detect and defend against ICT risks. This includes security controls, continuous monitoring and structured emergency and business continuity plans. The focus is on ensuring the continuous availability of critical services and minimising downtime.
Solutions

A tried-and-tested process model is essential for effective ICT risk management. You can rely on our experience in gap assessments to identify your weaknesses precisely and develop targeted measures. Drawing on our audit experience, we can help you prepare for audits by, among other things, focusing on adequate evidence to demonstrate compliance with the regulatory requirements. We also offer tailored training and awareness sessions for managers and staff to increase their ability to counter ICT risks proactively.

Companies can strengthen their digital resilience and meet the requirements of DORA - with a structured approach and continuous improvement. This not only creates security, but also trust among customers and partners.



Another important aspect of DORA is the management of ICT-related incidents and cyber threats. Financial organisations must be able to respond quickly and effectively to security incidents. To this end, institutions must ensure that they have the resources needed to fend off cyber-attacks successfully and to minimise the impact of incidents as far as possible.

The challenges
  • Incident identification currently happens in silos: The current approach to identifying ICT incidents frequently does not meet the DORA requirements. Major incidents, information security incidents, other security incidents and payment transaction incidents are often identified in separate silos or by separate responsible units. The DORA classification of major ICT-related incidents and significant cyber threats requires a centralised responsibility for identification, and the tools currently used for incident, security and payment transaction management may also need to be modified.
  • Classification using the DORA matrix: The DORA decision matrix and the criteria for identifying major ICT-related incidents and significant cyber threats need to be integrated into the target process. A particular challenge is to adapt or supplement the data required to categorise an ICT incident or cyber threat quickly, or even (partially) automatically, against the defined criteria.
  • ICT incident reporting: In terms of the reporting process and deadlines, the ICT incident report follows the model of the European requirements under PSD2[1] and the familiar reports on major payment security incidents; the reporting content, however, is considerably more extensive. Automated reporting from already established incident-management tools is one solution that we implement for various clients as part of a comprehensive SIEM solution.
  • ICT incident handling: In the event of a security incident, a rapid and targeted response is required. Documentation, reporting and handling must be carried out by competent, trained specialist personnel and in accordance with the applicable guidelines. If there is no in-house incident response team, a call-off (retainer) contract with a suitable service provider must be concluded in advance. Prior registration in BaFin's reporting portal and the integration of this platform into internal processes are also required.
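The classification step and the reporting deadlines described above can be partially automated once the criteria are written down as rules. The following Python block is an added example, not part of the BDO page and not a tool the page describes: the thresholds, the combination rule and the reporting timelines are assumptions modelled on the DORA classification and reporting standards and must be verified against the current legal text before use. The `Incident` dataclass and the sample incidents are constructed for illustration.

```python
"""Illustrative classification of a DORA major ICT-related incident and
computation of the reporting deadlines. Added example; the numeric thresholds,
the decision rule and the timelines are ASSUMED approximations of the DORA
classification/reporting standards, to be checked against the current text."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    detected_at: datetime
    affects_critical_or_important_function: bool
    malicious_unauthorised_access: bool   # successful, malicious intrusion
    clients_affected: int
    clients_total: int
    duration: timedelta
    downtime_of_critical_service: timedelta
    member_states_affected: int
    data_losses: bool                     # CIA impact on data
    economic_impact_eur: float
    reputational_impact: bool


def met_criteria(inc: Incident) -> set[str]:
    """Names of the secondary criteria met (assumed thresholds)."""
    met: set[str] = set()
    # Assumed: more than 10% of the clients of the affected service or >100,000 clients.
    share = inc.clients_affected / inc.clients_total if inc.clients_total else 0.0
    if share > 0.10 or inc.clients_affected > 100_000:
        met.add("clients")
    # Assumed: incident lasting >24h, or >2h downtime of a service supporting a critical function.
    if inc.duration > timedelta(hours=24) or inc.downtime_of_critical_service > timedelta(hours=2):
        met.add("duration")
    # Assumed: impact in two or more EU Member States.
    if inc.member_states_affected >= 2:
        met.add("geographic")
    if inc.data_losses:
        met.add("data_losses")
    # Assumed: direct and indirect costs above EUR 100,000.
    if inc.economic_impact_eur > 100_000:
        met.add("economic")
    if inc.reputational_impact:
        met.add("reputational")
    return met


def is_major(inc: Incident) -> bool:
    """Assumed decision rule: the incident touches critical services (a critical or
    important function, or a successful malicious intrusion) AND either the intrusion
    itself occurred or at least two secondary criteria are met."""
    critical_services = inc.affects_critical_or_important_function or inc.malicious_unauthorised_access
    if not critical_services:
        return False
    if inc.malicious_unauthorised_access:
        return True
    return len(met_criteria(inc)) >= 2


def reporting_deadlines(detected_at: datetime, classified_at: datetime) -> dict[str, datetime]:
    """Assumed timelines: initial notification within 4h of classification and no
    later than 24h after becoming aware; intermediate report 72h after the initial
    notification; final report one month (approximated here as 30 days) after the
    intermediate report."""
    initial = min(classified_at + timedelta(hours=4), detected_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial": initial, "intermediate": intermediate, "final": final}


# Constructed sample incidents (not real data).
SAMPLE_MAJOR = Incident(
    detected_at=datetime(2025, 3, 1, 9, 0),
    affects_critical_or_important_function=True,
    malicious_unauthorised_access=False,
    clients_affected=150_000, clients_total=1_000_000,
    duration=timedelta(hours=30), downtime_of_critical_service=timedelta(hours=1),
    member_states_affected=1, data_losses=False,
    economic_impact_eur=50_000.0, reputational_impact=False,
)
SAMPLE_MINOR = Incident(
    detected_at=datetime(2025, 3, 1, 9, 0),
    affects_critical_or_important_function=True,
    malicious_unauthorised_access=False,
    clients_affected=5_000, clients_total=1_000_000,
    duration=timedelta(hours=5), downtime_of_critical_service=timedelta(hours=1),
    member_states_affected=1, data_losses=False,
    economic_impact_eur=20_000.0, reputational_impact=False,
)
SAMPLE_INTRUSION = Incident(
    detected_at=datetime(2025, 3, 1, 9, 0),
    affects_critical_or_important_function=False,
    malicious_unauthorised_access=True,
    clients_affected=0, clients_total=1_000_000,
    duration=timedelta(hours=1), downtime_of_critical_service=timedelta(0),
    member_states_affected=1, data_losses=False,
    economic_impact_eur=0.0, reputational_impact=False,
)
CLASSIFIED_AT = datetime(2025, 3, 1, 18, 0)   # classification 9h after detection

if __name__ == "__main__":
    for name, inc in [("major", SAMPLE_MAJOR), ("minor", SAMPLE_MINOR), ("intrusion", SAMPLE_INTRUSION)]:
        print(name, is_major(inc), sorted(met_criteria(inc)))
    print(reporting_deadlines(SAMPLE_MAJOR.detected_at, CLASSIFIED_AT))
```

The point of keeping the criteria in one function is that the data the challenge above refers to (client counts, downtime, affected Member States, cost estimate) becomes an explicit input contract for the incident tool, and the decision rule can be reviewed and re-tested whenever the supervisory thresholds change.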
Solutions

Harmonising security and other incident processes

In collaboration with BDO Digital GmbH and BDO Cyber Security GmbH, we are developing an approach to harmonise security and other incident processes. Our aim is to establish a standardised and efficient approach that both meets regulatory requirements and increases operational efficiency.

BDO Cyber Security GmbH as a BSI-qualified APT response service provider

Our certified, BSI-qualified emergency team will support you quickly and competently in containing, investigating and remediating security incidents. We offer retainer contracts with guaranteed response times and round-the-clock availability.

Implementing these measures will create a robust and resilient ICT infrastructure that can cope with current and future cyber threats.


[1] Transposed into German law by the Payment Services Supervision Act (ZAG)



DORA requires financial entities to test the digital operational resilience of all ICT systems and applications supporting critical or important functions at least once a year, and ICT third-party service providers supporting those functions must participate in this testing. The testing covers a range of scenarios, including stress tests and penetration tests.

Penetration tests are an extremely effective tool for uncovering potential security gaps, identifying remedial measures, and thus increasing the level of security. Through regular penetration tests, companies can actively combat threats and better protect their data and business processes.

To prepare for an emergency and improve resilience in the long term, DORA also requires financial entities of particular importance to financial stability to perform threat-led penetration tests (TLPT) regularly (at least every three years) in accordance with the Threat Intelligence-based Ethical Red Teaming framework (TIBER-EU, implemented in Germany as TIBER-DE). A TLPT is a targeted review of the established security mechanisms to identify where cyber defence measures can be improved.

The challenges
  • Increased number of penetration tests: Digital operational resilience testing is mandatory at least once a year for all critical and important systems and applications. These tests must be integrated into a digital operational resilience testing programme and follow a risk-based approach. The tests must be carried out by independent parties; for financial institutions, external service providers are recommended.
  • Structured test process required: A framework programme for security tests must be created. In addition to the identification of systems to be tested and their prioritisation, a test concept and test plan must be created, documented and tracked accordingly. In addition, a process for disclosing vulnerabilities is required.
  • Conducting threat-led penetration tests (TLPT): TLPTs require highly qualified testers who must complete a formalised testing process in cooperation with the relevant supervisory authority. The choice of providers of such tests is currently limited.
  • DORA readiness: Many affected companies are currently unclear about how best to prepare for the new DORA challenges and also how to ensure verifiability. This applies in particular to institutions such as critical ICT third-party service providers, which have not previously been subject to direct regulation by the supervisory authorities.


Solutions

BDO as a service provider for penetration tests and TLPTs

Identify vulnerabilities in your company networks, applications and systems with the help of our certified penetration testers. Our team will analyse your solution from the perspective of a real attacker to determine the level of security. You will receive a detailed report that not only lists the identified vulnerabilities and their criticality, but also indicates possible remediation measures.

Our experienced red teaming experts also simulate realistic cyber-attacks on your company so that you are prepared for an emergency and can improve resilience in the long term. We support you in planning and implementing TLPTs based on the TIBER framework in close cooperation with you and the relevant supervisory authorities.


Integration of test programme into IT processes and IT landscape

It is crucially important to integrate the test programme with your IT service providers and IT processes. To this end, the systems to be examined must be identified and prioritised, and repeatable test scenarios that address specific threats must be defined in a test concept. Our experts support you with test management as well as the planning, preparation and execution of penetration tests.

These measures are essential for financial organisations to significantly increase cyber resilience and better prepare for future IT incidents.


Be well prepared with our readiness workshops

Is your company obliged by the new DORA regulation to carry out regular security checks? What does this mean for your systems and processes? What do you need to prepare for? We would be happy to support you with these and other questions. We will work with you to identify tailored measures so that you are optimally prepared for an emergency:

  • Attack simulation as part of a pre-TLPT: We offer you the opportunity to test the resilience of your technical and organisational measures before you are required to undergo a supervisory TLPT, so that you are optimally prepared for the prescribed TLPTs.
  • Targeted review of specific systems as part of a penetration test: Have you introduced a new system and would like to review its security mechanisms? We offer targeted analyses of individual systems and thus help you achieve and maintain a homogeneous level of security.
  • Risk and threat analysis: As part of the risk and threat analysis, we help you identify potential hazards at an early stage.
  • Consulting and support: Together with you, we analyse gaps in your company's compliance in the area of resilience and TLPT testing. We then define a roadmap and help you to become compliant for digital operational resilience testing.


Companies must develop more comprehensive processes for monitoring and managing the risks posed by ICT third-party service providers. In addition to extended minimum contractual standards, due diligence must be carried out when selecting service providers, and all ICT risks associated with the procured services must be identified and assessed. Based on these ICT risks, it must also be determined whether a third-party ICT service provider supports critical or important functions, for which extended requirements (e.g. sufficient resilience and coordinated emergency plans) apply.

The challenges

Updating the existing contracts to the new contractual standards is a challenge. Another key element is the register of information on ICT third-party arrangements. Developing this register and establishing the reporting route and processes depend on the outsourcing management tool currently in use. Careful planning and implementation are essential to ensure that all relevant information can be recorded and reported.

Solutions

Our proven process model for risk assessment and risk management is the ideal solution for companies that want to fulfil requirements efficiently. This model is based on best practices and industry experience.

  • Our experience with gap assessments shows that existing compliance gaps can be identified reliably and closed in a targeted manner, so that processes and systems can be adapted where it matters.
  • The systematic classification of ICT third-party service providers according to their risk and their significance for the company is an indispensable step in risk management. It helps you set the right priorities and take targeted measures.
  • Tools for contract analysis (AI) and data collection (e.g. MS Forms): AI-supported tools for contract analysis and MS Forms for data collection are an efficient and precise way of collecting and analysing the relevant information.
  • Creating templates for the supervisory authorities: Standardised templates for reporting to the supervisory authorities are a must. They ensure a smooth process and that all required information is submitted correctly and completely.

Contact us!

Dr. Antje Winkler
Senior Manager, Division Lead Offensive Security, BDO Cyber Security GmbH

Dr. Aykut Bußian
German Public Auditor, Partner, Financial Services