DORA in a Global Cybersecurity Landscape: The impact on the US and beyond
Virgil
Jan 14, 2025
Think DORA only impacts businesses in the EU? Think again. The Digital Operational Resilience Act is set to push the boundaries of cyber resilience across the financial sector well beyond Europe. Crypto exchanges, payment gateways, insurance companies, and other businesses operating in financial services, especially those with a footprint in the EU, need to watch it closely.
DORA is a direct answer to the growing intensity of threats like ransomware and phishing that exploit the weakest link in the chain, often a third-party vendor, and then pivot from that foothold to compromise other systems and entities in the network.
DORA is not just another standard in the regulatory jungle; it marks the start of an era in which resilience is expected, not hoped for, from providers of cloud-based and other ICT-dependent financial services.
TL;DR
DORA sets strict cybersecurity and operational resilience standards for financial services in the EU, but its influence extends globally. U.S. businesses and others with EU ties must adapt to these stringent standards, particularly in managing ICT risks and third-party vendors.
DORA emphasizes rapid incident reporting, rigorous operational resilience testing, and comprehensive third-party risk management, pushing companies towards faster response times and thorough preparedness against cyber threats, even for businesses outside the EU.
Beyond immediate compliance, DORA encourages a collaborative approach to cybersecurity, with information-sharing guidelines that could inspire similar regulations in other sectors globally. Embracing DORA not only enhances security but could also offer competitive advantages in resilience and operational efficiency.

What is DORA? A quick summary
DORA is the Digital Operational Resilience Act, purpose-built to enhance the resilience of businesses operating in financial services within the EU. It sets out principles and mandates criteria to ensure that financial entities can withstand, respond to, and recover from ICT-related threats, including those that materialize across their supply chain. Hence the increased focus on evaluating the vendors and sub-vendors of these entities.
Before DORA, financial institutions drew guidance from sector-agnostic frameworks such as the NIS Directive and from supervisory guidelines to manage resilience across their supply chain. DORA now brings a more nuanced, financial-sector-specific approach to operational resilience and to safeguarding financial entities from ICT risks and digital disruptions.
The Five Pillars of DORA: Paving the road for the global changes
DORA compliance focuses on five primary pillars that organizations need to integrate into their operational models:
“Under the Digital Operational Resilience Act (DORA), the essence lies in the five pillars that ensure financial entities maintain operational integrity and reliability. This involves directly or indirectly securing a comprehensive range of ICT capabilities through third-party services. These capabilities are critical for safeguarding network and information systems, thereby supporting the uninterrupted provision of financial services, especially during disruptions.”
Rachna Dutta, Infosecurity consultant, Sprinto
1. Tightening ICT Risk Management in the EU – the rest might follow
ICT risk management encompasses all the processes and mitigation activities used to identify, analyze, evaluate, and address the risks associated with the information and communication technology assets and services within an organization.
It is the backbone of DORA compliance: the regulation requires organizations to set up resilient processes to identify, assess, and mitigate ICT risks across their supply chain. This involves assessing vendors, defining control requirements for internal teams as well as vendors, and establishing resilient ICT practices across the vendor and sub-vendor network.
To support this, DORA requires ICT systems to be built on secure networks, protected (including encrypted) data stores, and robust backup and restoration policies, with the whole framework owned and reviewed by the management body.
How does it affect businesses in the US and beyond? US businesses are generally accustomed to NIST CSF and NIST SP 800-53, but DORA's requirements are more prescriptive, especially around third-party and fourth-party (sub-vendor) arrangements, which must be covered contractually and monitored throughout the relationship.
Thus, US financial businesses such as crypto exchanges, banks, wallet providers, and payment gateways, and any business planning to serve EU financial institutions, need to be cognizant of DORA's stringent practices.
2. DORA mandates incident reporting not in weeks but in hours
Incident reporting serves three purposes. First, it instills accountability across the financial sector to detect, contain, and resolve incidents before they cause disruptive losses. Second, it lets regulators and other businesses see which entities are resilient and partner accordingly, reducing the chance that a vendor's incident spreads into their own network. Third, and overall, it builds a culture of resilience across the financial sector.
So far, DORA is one of the most stringent regulations in terms of incident reporting. It mandates that financial institutions:
- Report major ICT-related incidents as soon as possible and, at the latest, within 24 hours of becoming aware of them (the accompanying technical standards set the initial notification at four hours from classifying the incident as major).
- Submit an intermediate report within 72 hours of the initial notification, updating the status and impact of the incident.
- Submit a final report, due within one month of the intermediate report, covering the root cause, the resolution, and what was learned from the event.
Businesses elsewhere should prepare for similar timelines. US banks already face a 36-hour notification rule from their federal banking regulators for significant computer-security incidents, and SEC registrants must disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality; regional rules converging on DORA-style clocks are a real possibility.
3. Operational resilience testing – a model that US regulations might soon adopt
DORA mandates that financial institutions regularly test their resilience against evolving threats and measure how well their recovery and mitigation actually work. At a minimum, ICT systems supporting critical or important functions must be tested at least yearly, and entities with systemic importance must also run threat-led penetration testing (TLPT) on live production systems at least every three years. Businesses can simulate adverse scenarios such as phishing, ransomware, system outages, and privilege-escalation attacks to identify which links in the system are most susceptible.
The exercise also keeps the organization's understanding of current attack paths up to date, so defenses are built against the paths that matter rather than the ones assumed in last year's risk register.
DORA's operational resilience testing is likely to raise the bar globally for control performance monitoring and resilience reporting. EU-wide frameworks like NIS2 may evolve to treat resilience testing as the norm across sectors, which makes it important learning for financial-sector companies in the US and elsewhere.
For companies based in the US and the rest of the world, particularly those handling money or financial services across borders, adopting such resilience testing and simulation principles can greatly enhance their security. DORA's detailed testing approach could push these companies to be more careful and organized in their resilience efforts. This is especially important for companies that work with clients or partners in Europe.
4. Third-party risk management – CMMC’s twin?
The new rules outlined by DORA cover the entire life cycle of a financial institution's relationship with an ICT third-party provider, from pre-contract due diligence through ongoing monitoring to exit. Thus it becomes critically important for enterprises to evaluate the effectiveness of their third-party service providers' security practices and ICT risk management to curb external risks. DORA makes the buyer of services responsible for pushing vendors towards diligence and for partnering with external providers only after due diligence of their security posture. Businesses may also need to assess the risks a partnership brings and develop a containment and exit plan to limit the fallout during an event.
As businesses in the US prepare for the CMMC refresh, the similarities between the two tightening regimes for vendor relations are eerie. Both DORA and CMMC, for the US defense sector, prescribe heavy assessments of vendors and the entire supply chain for a resilient posture. For third-party vendors this is a wake-up call: adopting resilient practices is the need of the hour, or they risk losing contracts and revenue from enterprise customers.
5. DORA’s Information sharing guidelines might help global resilience
DORA encourages financial institutions to share information on adversaries, breaches, and ways to combat them. This is the fifth pillar, information sharing, and it aims not only to strengthen individual institutions but also the financial ecosystem as a whole. This collaborative approach to cybersecurity can lead to faster innovation and more robust defense mechanisms against cyber-attacks globally.
For businesses outside of the EU: DORA needs your attention
There is little doubt that DORA will set off a chain of events that inspires global regulatory bodies to push the boundaries of resilience and security. Businesses aligned to NIST CSF and similar frameworks can therefore expect updates in the coming months. Understanding DORA and its requirements now will help businesses maintain the lead tomorrow, when the rest of the world and its regulations catch up.
Besides readiness, here are two reasons why cybersecurity professionals in the US, and anywhere else in the world, should be looking closely at DORA:
“I believe we’ll see these regulatory changes spread outside of financial services, primarily to the energy and communications industry.”
Wayne Scott, regulatory compliance solutions lead at Escode, part of NCC Group, in a conversation with CSO Online
1. Business Activity in Europe
If your company does business in Europe, or if you work in one of the 22 industries affected by the new DORA regulations, you will need to carefully examine the risks throughout your entire network of suppliers. This means looking not just at the companies you directly work with, but also at the companies they work with, and so on down the line: tracing a web of connections to understand the potential risks at every step.
2. Increase Your Professional Value
Being versed in DORA as a compliance or audit professional can raise your professional value in three ways: it offers a competitive advantage, broadens your understanding of risk management in the financial sector, and makes you eligible for global opportunities. Let's look at them in turn:
DORA as a competitive advantage in your career: The EU market is large and growing. Given that businesses outside the EU partnering with, or supplying to, financial institutions in the EU will need to meet DORA standards, your knowledge of DORA will put you in demand and give your professional journey a competitive advantage over others.
Transferable risk management practices: DORA introduces stringent risk management and risk reduction measures. A deeper understanding of DORA can help you in your career because it equips you to implement and execute a rigorous risk reduction program, even outside the EU or outside a financial institution.
Unlocking opportunities for business with DORA
While DORA seems like just another regulation, it has the potential to change the playing field for many businesses at once. Those that fail to comply with DORA will be left behind and risk losing revenue.
In the longer run, the returns for businesses that adopt it can be substantial. Think of a future where financial institutions do not lose millions to ransomware attacks or lose business through a loss of trust. Sound and resilient practices also bring more agility to business units and supply chains by harmonizing security practices. Overall, markets can save and prosper in an environment of collective resilience.
While change can be challenging, embracing new technologies and smarter working methods often leads to unexpected benefits, from cutting costs to responding more nimbly to market changes.
Perhaps most importantly, DORA is a first step towards increased resilience of the financial sector and, in turn, the economy. By harmonizing cybersecurity rules across the EU, and perhaps beyond, it makes life simpler for businesses while keeping everyone safer.
Simplify DORA compliance with Sprinto
Sprinto simplifies your path to DORA compliance by leveraging the Secure Controls Framework (SCF), a widely recognized control catalog for secure operations. DORA requirements are mapped to SCF controls, which in turn align with baseline frameworks like ISO 27001 and SOC 2. This integrated approach reduces duplicated effort while keeping coverage comprehensive.
Our implementation partners help you identify the right controls for DORA and guide you on how to monitor them continuously with Sprinto. With automated evidence collection and an audit collaboration window, you can build a clear audit trail and manage the entire audit cycle from one place.
FAQ
How does DORA impact financial entities in the US?
US financial entities that are authorised in the EU, or that supply ICT services to EU-based financial entities, will find DORA's requirements flowing down to them, either directly or through contracts. This involves strengthening their ICT risk management processes, adhering to stringent reporting and testing requirements, and managing third-party ICT service provider risks according to DORA's standards.
How does DORA address third-party ICT risk?
DORA emphasizes rigorous oversight and management of third-party ICT service providers, requiring financial entities to ensure that their partners and vendors also meet resilience standards, through contractual terms, ongoing monitoring, and exit strategies. This helps mitigate the risks associated with outsourcing critical ICT services.
Can DORA serve as a model for other regions in establishing digital resilience regulations?
Yes, DORA can serve as a benchmark for other regions aiming to enhance their financial sectors’ digital operational resilience. Its comprehensive approach to ICT risk management, incident reporting, and resilience testing may inspire similar regulatory frameworks globally.
What are the benefits of global alignment with DORA standards?
Global alignment with DORA standards facilitates smoother cross-border financial operations and enhances international cooperation in managing and mitigating ICT risks. This alignment can lead to more uniform security practices and easier compliance for multinational entities.