DORA Is Now Mandatory. Is Your Institution Ready?

First Pillar: Governance and Risk Management

ICT Risk Management Frameworks under DORA

Under the Digital Operational Resilience Act (DORA), financial entities across Europe are mandated to adopt robust ICT Risk Management frameworks. This regulatory measure ensures that institutions are equipped to manage and mitigate risks, safeguarding their digital infrastructure. DORA provides a comprehensive framework for digital operational resilience, covering everything from cyber threats to operational disruptions. While DORA sets the standard, organizations can further strengthen their ICT strategies by adopting established international frameworks such as ISO/IEC 27001, NIST Cybersecurity Framework, and COBIT.

Adopting these frameworks helps institutions in assessing and enhancing their resilience against a wide array of threats. Effective ICT Risk Management is not only about compliance with DORA regulations but also about building a robust digital infrastructure that can adapt to and recover from disruptions, ensuring continuous service delivery across Europe.

• ISO/IEC 27001: This internationally recognized standard provides a structured approach for establishing, implementing, maintaining, and continually improving information security management systems (ISMS). It helps organizations manage their data security risks effectively, ensuring compliance with various data protection regulations.
• NIST Cybersecurity Framework: A widely adopted framework that provides guidelines to help organizations understand, manage, and reduce cybersecurity risks. Its core components--Identify, Protect, Detect, Respond, and Recover--align closely with the principles of resilience advocated by DORA regulations, particularly in the European context.
• COBIT: A framework for IT governance and management that enables organizations to optimize the value of their technology investments. COBIT helps align business goals with IT strategies, ensuring technology resources support operational and strategic objectives effectively, which is essential under DORA.
• ITIL: A set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. It aids in establishing a service-oriented approach, critical for maintaining operational continuity as required by DORA regulatory standards.
• CIS Controls: A prioritized set of actions for cyber defense that provides specific and actionable ways to stop today's most pervasive and dangerous attacks. Implementing these controls can significantly improve an institution's cybersecurity posture, aligning with DORA's focus on digital operational resilience.
• PCI DSS: A security standard for organizations that handle branded credit cards from the major card schemes. This framework ensures that payment systems are secure, protecting financial institutions from breaches and ensuring compliance with DORA's technical standards on data security.
• GDPR: Although primarily focused on data protection, GDPR imposes significant security obligations on data controllers and processors. Compliance with GDPR complements DORA's emphasis on protecting information and maintaining operational integrity.
• EBA Guidelines on ICT and Security Risk Management: Guidelines provided by the European Banking Authority, tailored for the financial sector's unique needs. These guidelines enhance the implementation of DORA regulation across financial entities in Europe, ensuring a unified approach to risk management.

Adhering to these frameworks can significantly enhance an institution's resilience against ICT-related risks, aligning with DORA's objectives to strengthen digital operational resilience across the EU's financial sector. By implementing a comprehensive ICT Risk Management strategy, financial institutions can proactively address vulnerabilities and ensure seamless operations even during unforeseen disruptions.

Step 1: Risk Assessment and Identification of Critical Assets

Actions to Undertake

Mapping of IT Assets:
Create a detailed inventory of systems, applications, databases, and digital infrastructure, covering both internally hosted assets and cloud services. This mapping process ensures that all critical components are identified and accounted for, a fundamental step under DORA's requirements.

Identification of Critical Assets:
Determine the essential business processes and IT systems that support them. This may include transaction processing systems, customer databases, CRM applications, and other key systems integral to daily operations. Identifying these assets is crucial for prioritizing security measures in line with DORA regulation.

Identify Risks:
Systematically identify and document all potential risks that could impact ICT systems and operations, ranging from cyber attacks to natural disasters. Effective risk identification is the cornerstone of a resilient ICT framework under DORA.

Risk Analysis:
Assess potential threats such as cyber attacks, technical failures, human errors, and natural disasters. Analyze the likelihood and impact of each risk scenario to prioritize mitigation efforts effectively. This step ensures compliance with the DORA regulatory technical standards.

Business Impact Assessment (BIA):
For each critical asset, evaluate the potential impact of a disruption on banking operations. This aids in prioritizing resilience efforts based on the significance of each asset to daily operations, aligning with DORA's focus on continuous operational resilience.

Evaluate and Prioritize Risks:
Effective risk evaluation and prioritization are fundamental to ICT Risk Management under DORA. Institutions must conduct thorough assessments to identify potential vulnerabilities across their IT infrastructure. Prioritize risks based on their severity and the urgency of mitigation actions.

Defining the Level of Risk Appetite:
Collaborate with key stakeholders to establish the acceptable level of risk for each business process and IT system. This will guide decisions regarding investments in security and resilience, ensuring compliance with DORA regulatory standards.

Implement Mitigation Strategies:
Develop and implement appropriate strategies to mitigate the prioritized risks, including preventive measures, contingency plans, and robust recovery processes. Effective implementation of these strategies is vital for adhering to DORA's guidelines.

Monitor and Review:
Continuously monitor the risk environment and the effectiveness of implemented mitigation strategies, adjusting as necessary to address new or evolving risks. Regular reviews ensure ongoing compliance with DORA standards and enhance overall operational resilience.

Enhance ICT Resilience:
Strengthen the resilience of ICT systems against disruptions through robust design, redundancy, and comprehensive recovery planning. This aligns with DORA's goal of ensuring that digital operational resilience is maintained across all financial institutions.

Compliance with Regulations:
Ensure compliance with all relevant legal, regulatory, and contractual obligations related to ICT risk management. Adhering to DORA regulatory technical standards ensures that organizations are prepared to handle operational disruptions effectively.

Stakeholder Communication:
Maintain open and effective communication with all stakeholders regarding ICT risks and the measures taken to manage them. Transparent communication is key to ensuring trust and collaboration across departments, a principle supported by DORA.

Pillar 2: Operational Resilience Testing

In today's interconnected world, cybersecurity threats and system disruptions pose significant risks not only to individual organizations but also to the stability of financial systems globally. Recognizing this, the Digital Operational Resilience Act (DORA) mandates comprehensive resilience testing to ensure that financial entities can withstand and recover from various types of disruptions.

Effective resilience testing allows organizations to proactively identify, address, and mitigate vulnerabilities, ensuring they can detect, prevent, and respond to potential cyber incidents. By exchanging insights, threat intelligence, and best practices, financial entities can enhance their collective defenses against cyber threats, ensuring robust operational continuity across the industry.

This section will explore key aspects of operational resilience testing, including the importance of structured planning, the use of frameworks like TIBER-EU for guiding tests, and collaboration between internal teams and external partners.

Understanding the TIBER-EU Framework

The Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) Framework is a European framework developed by the European Central Bank (ECB). It provides guidelines for conducting simulated cyberattacks against financial entities to assess their readiness to detect, respond, and recover from real-world attacks.

The TIBER-EU Framework helps financial institutions understand their vulnerabilities from the perspective of an attacker, enabling them to strengthen their defenses based on realistic scenarios.

Step 1: Designing and Planning Resilience Tests

Actions to Undertake

Identify and prioritize systems and processes for resilience testing based on their criticality to business operations: Effective planning starts with recognizing which systems and processes are most vital to your daily operations.

Develop testing scenarios that reflect potential disruptions, including cyber attacks, system failures, and disaster response: Scenarios should simulate real-world threats. Utilize frameworks such as NIST Cybersecurity Framework and ISO/IEC 27001 for guidance.

Plan tests that challenge the organization's ability to respond and recover from disruptions while minimizing impact on operations: Tests should assess the organization's capacity to recover quickly, including testing incident response plans, backup systems, and communication protocols.

Step 2: Executing Resilience Tests

Actions to Undertake

Carry out planned tests, simulating various disruption scenarios: Execute scenarios to stress-test systems. Use tools such as Metasploit for penetration testing and Cyber Range platforms for realistic simulations.

Engage both internal teams and external partners: Collaboration is key. Engaging with external security experts brings new insights while internal teams ensure organizational nuances are covered.

Document test results, including any identified weaknesses: Accurate documentation is crucial for regulatory compliance and improving future resilience strategies.

Step 3: Reviewing and Enhancing Resilience Measures

Actions to Undertake

Analyze test results to identify root causes of failures: Post-test analysis helps pinpoint specific vulnerabilities and understand how incidents were handled.

Update and enhance resilience plans based on findings: Use insights to refine operational plans, improving responses to future threats.

Implement changes and conduct follow-up tests: Regular follow-up testing ensures modifications are effective and systems remain resilient.

Adopt advanced tools like Metasploit and Cyber Range: State-of-the-art tools enhance the realism of testing scenarios.

Post-test analyses to identify and correct vulnerabilities: Thorough analyses should follow every testing phase.

ICT Resilience Framework under DORA

DORA mandates a highly structured approach to ICT resilience. Financial entities must demonstrate their ability to analyze critical ICT services, define impact tolerances, conduct Threat-Led Penetration Testing (TLPT), map all dependencies, evaluate third-party critical ICT providers, and validate continuity across critical chains.

Key Actions for ICT Resilience

Analyze Critical ICT Services: Identify and map all ICT services essential to business-critical operations including core banking systems, payment platforms, trading infrastructure, and custody services.

Define Impact Tolerances: Establish quantifiable thresholds for each critical service, including specific RTO and RPO targets aligned with regulatory expectations.

Conduct TLPT: Implement penetration tests following the TIBER-EU framework, simulating realistic attacks based on TTPs used by threat actors targeting the financial sector.

Complete Dependency Mapping: Document all internal and external dependencies, identifying Single Points of Failure and cascade failure scenarios.

Evaluate Third-Party Critical ICT Providers: Conduct comprehensive due diligence per DORA Articles 28-30.

Validate Critical Chain Continuity: Ensure operational continuity across all critical processing chains and test failover mechanisms.

Advanced Banking Cyber Attack Scenarios

DORA requires financial entities to model, simulate, and test advanced cyber attack scenarios specific to the banking sector. These scenarios must be executable, measurable, and demonstrate detection, response, and recovery capabilities.

Ransomware Attack Scenarios

Ransomware with Identity Provider Compromise: Simulation of ransomware combined with IdP compromise, testing the ability to maintain operations when central authentication systems are compromised.

Core Banking and Payment System Encryption: Simulation of encryption attacks targeting core banking and payment infrastructure. Evaluation of failover procedures and restoration timelines.

Log Compromise (Anti-Forensic Attack): Scenario where attackers delete or alter security logs, testing detection capabilities without logs and forensic readiness.

Payment System & Data Corruption Scenarios

Transactional System Desynchronization: Simulation causing desynchronization between front-office and back-office systems, evaluating emergency reconciliation procedures.

SWIFT Cluster Failure: Scenario of major failure affecting SWIFT messaging systems, testing failover and alternative payment routing.

Database Corruption: Simulation of data corruption affecting critical databases, evaluating corruption detection and point-in-time restoration.

Simultaneous Cloud and On-Premise Failure: Scenario of concurrent failure, evaluating multi-cloud strategies and true disaster recovery capabilities.

Banking Architecture Analysis for ICT Resilience

Effective ICT resilience assessment requires deep understanding of banking technology architecture. Security teams must analyze core banking applications, high-availability systems, network segmentation, and identity management infrastructure.

Critical Architecture Components

Core Banking Applications: Analysis of central banking systems managing accounts, credits, deposits, and back-office operations. Evaluation of high-availability architecture and failover mechanisms.

Transaction Middleware (ESB, MQ, API): Analysis of integration layers managing inter-application flows, identifying congestion points and queue management mechanisms.

High Availability / Fault Tolerance: Review of clustering architectures, automatic failover mechanisms, and switchover procedures.

Segmented Networks (SWIFT, Trading Desk): Evaluation of network isolation for critical environments with access controls and intrusion detection.

Multi-Layer IAM (AD, MFA, PAM): Review of identity management architecture identifying critical dependencies and compromise scenarios.

Technical Banking Incident Response Playbooks

Technical playbooks provide detailed procedures for detecting, responding to, and recovering from security incidents specific to the banking context.

Incident Response Playbooks

Playbook: Stolen Credentials Attack: Complete procedure for detecting and responding to credential compromise, including authentication log analysis and remediation.

Playbook: Active Directory Cluster Takeover: Response procedure covering domain controller isolation, restoration from verified backup, and trust reconstruction.

Playbook: VM Backup Corruption + Restore Testing: Procedure for validating backup integrity and emergency restoration including ransomware scenarios.

Playbook: Primary Datacenter Loss: Failover procedure to recovery site in case of complete primary site loss.

Playbook: Major SOC Incident Affecting Trading: Specific procedure for incidents impacting market activities with trading desk coordination.

Required Technical Competencies for DORA Compliance

Effective implementation requires specific technical competencies. Banks expect teams capable of modeling and testing attack scenarios with demonstrable execution evidence and recovery time proofs.

Core Competency Domains

Cyber Kill-Chain and MITRE ATT&CK Mastery: Operational understanding of adversary TTPs with ability to design realistic test scenarios.

Banking Infrastructure Expertise: Deep knowledge of VMware, enterprise SAN storage, Kubernetes, SIEM platforms, and EDR/XDR solutions.

Architectural Resilience Patterns: Expertise in stretch clusters, active-active configurations, immutable backups, and Zero Trust architecture.

Cloud Banking Constraints: Knowledge of compliant cloud environments: Azure Landing Zones, AWS Financial Services, GCP compliant configurations.

Pillar 3: Incident Management and Recovery

As digital technologies become integral to operations, robust ICT Incident Management and Cyber Threat Reporting mechanisms are critical. These processes are essential for detecting, responding to, and mitigating the impacts of cybersecurity incidents.

The Digital Operational Resilience Act (DORA) mandates that financial entities implement comprehensive incident management protocols. DORA emphasizes not only mitigating incidents but also learning from them to prevent future occurrences.

Step 1: Establishing ICT Incident Management Protocols

Actions to Undertake

Develop an ICT incident response plan: A detailed plan outlining step-by-step procedures for detecting and addressing various types of incidents.

Implement detection systems: Utilize monitoring tools such as Splunk and IBM QRadar for real-time incident detection.

Train the incident response team: Regular training and simulation exercises using tools like Cynet for cybersecurity simulation.

Step 2: Cyber Threat Reporting and Information Sharing

Actions to Undertake

Set up internal reporting systems: Develop a clear process where employees can report potential threats to a dedicated incident response team.

Establish communication channels with financial authorities: Share insights and threat information with bodies like the EBA and industry partners.

Create a threat database: Maintain a central repository using frameworks such as MITRE ATT&CK to understand adversary tactics.

Pillar 4: ICT Third-Party Risk Management

Organizations increasingly rely on third-party ICT service providers to support critical operations. While these partnerships offer benefits, they introduce risks that must be carefully managed. ICT Service Provider Risk Management identifies, assesses, mitigates, and monitors risks associated with outsourcing ICT services, ensuring compliance with the Digital Operational Resilience Act (DORA).

Objectives of ICT Third-Party Risk Management

• Ensuring Continuity: Services provided by third parties must not disrupt core operations.
• Strengthening Resilience: Minimizing dependencies and identifying single points of failure.
• Compliance with Regulations: All third-party engagements aligned with DORA.
• Risk Mitigation: Strong risk management practices to mitigate ICT service disruptions.

Step 1: Identification of ICT Service Providers

Actions to Undertake

Create a comprehensive list of all ICT service providers: Map all external services interacting with core systems.

Assess the criticality of each service provider: Classify based on impact to core operations.

Establish evaluation criteria: Develop standardized assessment methodology for security posture, compliance, and disaster recovery.

Step 2: Assessment of ICT Service Provider Risks

Actions to Undertake

Conduct risk assessments for each provider: Evaluate security, compliance, and operational continuity standards.

Identify dependencies and single points of failure: Map dependencies between internal systems and external services.

Evaluate providers' own risk management: Analyze disaster recovery and business continuity plans.

Step 3: Implementation of Risk Management Controls

Actions to Undertake

Develop and implement risk management controls: Technical and administrative controls including encryption, access controls, and monitoring.

Establish SLAs enforcing resilience standards: Include provisions for uptime, incident response, data protection, and compliance penalties.

Set up continuous monitoring: Tools and processes to monitor service provider performance and emerging risks.

Regular due diligence and audits: Verify compliance with security standards and contractual obligations.

Managing risks associated with third-party ICT service providers is critical for digital operational resilience under DORA. Leveraging standards such as ISO 31000 and NIST SP 800-37 will aid in developing a resilient approach to third-party risk management.

Pillar 5: Cybersecurity Information Sharing

Cybersecurity information sharing has emerged as a pivotal component for enhancing the collective resilience of the financial sector. DORA recognizes the importance of establishing robust channels for sharing cybersecurity-related information among financial entities, regulatory bodies, and other stakeholders.

Objectives of Cybersecurity Information Sharing

• Promoting Transparency: Open exchange of information regarding cyber threats and vulnerabilities.
• Enhancing Situational Awareness: Improving collective awareness of cyber risks for informed decisions.
• Facilitating Timely Response: Accelerating dissemination of critical cybersecurity intelligence.
• Building Collective Resilience: Pooling resources, knowledge, and best practices in cybersecurity management.

Step 1: Establishing a Cybersecurity Information Sharing Framework

Actions to Undertake

Join the MISP community: Leverage collective knowledge and data on cybersecurity threats through the Malware Information Sharing Platform.

Integrate MISP within your infrastructure: Implement MISP as part of your cybersecurity strategy for seamless threat intelligence exchange.

Collaborate with financial sector communities: Engage with specialized communities through MISP Financial Sector.

Step 2: Participating in Threat Intelligence Sharing

Actions to Undertake

Share indicators of compromise (IoCs): Proactively sharing helps build collective defense.

Develop internal threat intelligence procedures: Establish structured protocols for handling, validating, and sharing threat intelligence.

Encourage collaboration culture: Promote regular meetings and information-sharing sessions within the sector.

Step 3: Enhancing Sector-Wide Cyber Resilience

Actions to Undertake

Use shared intelligence to enhance defenses: Leveraging shared information allows organizations to quickly adapt security strategies.

Contribute to sector-wide best practices: Sharing and adopting best practices strengthens overall security posture.

Regularly review resilience strategies: Ensure strategies reflect the evolving threat landscape.

Collaborate with regulatory authorities: Working closely with regulatory bodies enhances compliance.

Active participation in ISACs: Engagement in Information Sharing and Analysis Centers for latest developments.