How DORA affects US ICT service providers
DORA (the Digital Operational Resilience Act) is an EU regulation affecting financial entities that do business in the EU.
These entities must ensure ICT third-party risk management, meaning that the DORA Regulation’s requirements trickle down to ICT service providers.
If you’re offering ICT services to financial institutions in the EU – especially to larger entities, which will be more mindful of DORA compliance – it applies to you, even if you’re in the US.
However, by achieving DORA compliance, you can gain a competitive edge – becoming a supplier of choice for financial entities.
What is an ICT service provider under DORA?
DORA defines ‘ICT third-party service provider’ in Article 3(19) as “an undertaking providing ICT services”.
As to ‘ICT services,’ Article 3(21) defines this as: “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
Though this definition doesn’t specifically mention providing these services to financial entities, given the scope of DORA, that would be a reasonable reading.
Why is DORA compliance important?
When banking and other financial services are disrupted – whatever the cause – people and organisations are affected, often at a cross-border level.
This is true for all critical infrastructure organisations, but the stakes are especially high in the finance sector, which is vital to keep both economies and society at large running.
In turn, the finance industry heavily depends on ICT, which is often outsourced to third-party service providers. This demands operational resilience not just from financial institutions, but also from their supply chains.
What is operational resilience?
Resilience is a concept that’s been gaining traction for a while now, particularly for critical national infrastructure – a good EU example is NIS 2.
Meanwhile, the US has frameworks like the NIST CSF (Cybersecurity Framework), which – in spite of its name – has a clear focus on cyber resilience, covering not just ‘govern’, ‘identify’, ‘protect’ and ‘detect’ functions, but also ‘respond’ and ‘recover.’
Operational resilience – rather than mere cyber security – puts measures in place that ensure your critical services will continue to function in the event of a disruption, such as a cyber attack.
Though it has links to business continuity, operational resilience takes a broader and more proactive approach.
Andrew Pattison, our head of GRC (governance, risk, and compliance) consultancy in Europe, who leads our product development relating to DORA, explains:
“Where business continuity tends to be reactive and looking at individual risks, operational resilience looks at the bigger picture – in what space the organisation operates, that sort of thing – and proactively implements operational capabilities that allow the organisation to be unaffected by disruptions.
“So, as an example, if organisation A, having implemented business continuity measures, suffered incident X, it’d move to a reduced service to keep its critical functions going while it remediated the situation. Whereas organisation B, having implemented operational resilience, would carry on as normal if it suffered that same incident X.”
What are the requirements for DORA?
The simplest way to identify the key requirements of DORA is to look at the five pillars:
- Risk management
- Incident response and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information and intelligence sharing
You could, however, argue that all five boil down to the first pillar: risk management.
This lies at the core of not just the DORA Regulation, but virtually every information security-related law or framework, including ISO 27001, the NIST CSF, the PCI DSS (Payment Card Industry Data Security Standard), the EU GDPR (General Data Protection Regulation), and many others.
However, as our analysis of data breaches and cyber attacks shows, risk arising from the supply chain isn’t theoretical – many reported data breaches originate from a supplier.
A smart attacker will target software used by lots of organisations. By just finding one vulnerability they can exploit, they can gain access to confidential information belonging to thousands of organisations.
In short, vendors make for attractive targets.
Requirements for DORA vendors
From your customers’ point of view – whether in finance or another sector – their key concern is getting assurance from you that you’ll enable them to meet their obligations.
A compliant, risk-aware organisation understands that outsourcing a risk doesn’t equal getting rid of that risk. Such a customer will understand that although you’re the one implementing appropriate and proportionate security measures, they – the customer – remain responsible for ensuring you’ve done so.
To obtain this assurance, financial institutions will look for:
- External validation of your security, such as:
- SOC 2 certification
- ISO 27001 certification
- Proof of PCI DSS compliance
- An assessment by a trusted third party
- Evidence of regular vulnerability scans and penetration testing (at least monthly and annually respectively), with evidence of vulnerabilities being addressed in a time frame proportionate to the level of risk. Ideally, the penetration test is specific to DORA.
- Contract assurances. What service guarantees are you offering? Are you offering full cooperation if the customer wants to audit your security measures? Will you offer full cooperation in the event of an investigation? Will your relevant staff participate in DORA training?
How to get ready for DORA
If you’re looking for a better understanding of the DORA requirements, our Certified DORA Foundation Self-Paced Online Training Course can help.
Learn in your own time, at your own pace, about each of the five DORA pillars and how you can meet them.
Get essential knowledge and insights to make informed decisions in your organisation with confidence and due care. Equip yourself to steer activities that’ll ensure operational resilience, regulatory compliance, and a competitive edge for appealing to financial institutions.
The post Is DORA Applicable in the US? appeared first on IT Governance Blog.

