Legal Spotlight: DORA may require risk management revamp

The upcoming Digital Operational Resilience Act (DORA) is increasingly emerging as a game-changing legislative framework within the European Union.

With cyber threats looming large and software infrastructures becoming more and more complex and advanced, the EU has introduced DORA to strengthen operational resilience in the financial services sector, demanding that banks and other finserv firms introduce a fundamental shift in cybersecurity governance.

“To thrive in this new landscape, financial organizations must adopt a top-down approach, with board-level …,” argues Christiaan Koopman, a senior manager for insider risk at Signpost Six, a The Hague-based insider risk and consultancy firm.

Koopman, who was for years a risk & compliance management consultant at Capgemini, said “proactive threat mitigation, robust risk management frameworks, and diligent third-party risk management are essential to DORA compliance.”

As DORA gears up for full implementation by January 17, Koopman said the new legislation “solves an important problem” in EU financial regulation.

Christiaan Koopman

Before DORA, financial institutions managed the main categories of operational risk primarily through the allocation of capital, but they did not manage all components of operational resilience, he pointed out.

“Under DORA, they must now comply with rules on protection, detection, containment, recovery, and repair capabilities against ICT-related incidents,” Koopman explained.

DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring.

“This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardize the soundness of the entire financial system, even if there is ‘adequate’ capital for the traditional risk categories,” Koopman stressed.

By setting a comprehensive set of cybersecurity requirements DORA aims to consolidate and elevate previous risk requirements across various regulations.

These new standards aim to manage cyber risks, streamline incident reporting, implement resilience testing, monitor third-party risks, and facilitate information sharing to enhance the operational resilience of financial entities within the EU.

‘Top-down’ mandate

Koopman thinks banks and other financial institutions should take a ‘top-down’ approach when it comes to the implementation of DORA.

“Board-level involvement is crucial to ensure that cybersecurity initiatives are closely aligned with broader business objectives and to foster a culture of security awareness across the organization,” he said.

“Their oversight extends beyond the CISO’s office, including strategic direction, risk management, policy development, resource allocation, incident response, and regulatory compliance,” Koopman added.

In fact, under DORA, the board of directors is personally liable for cybersecurity governance and risk management, including all aspects such as reporting, testing and other necessary measures.

“This requires a comprehensive understanding of cyber threats to inform decision-making,” Koopman noted.

Moreover, “they define and approve the organization’s risk management framework, including third-party strategy, emphasizing the importance of informed decision-making to address emerging cyber threats effectively,” he explained.

In addition, DORA will require “financial organisations to systematically identify, assess, and prioritise cyber risks, aligning with DORA’s requirements,” Koopman said.

“This involves a comprehensive understanding of the ever-changing threat landscape,” he continued.

“By staying up-to-date on emerging threats and vulnerabilities, organizations can allocate their resources effectively, ensuring that they are directed towards the most critical areas of risk mitigation.”


“DORA will require financial organisations to systematically identify, assess, and prioritise cyber risks.”

– Christiaan Koopman

Many organizations within the financial services sector already have “some form of risk management framework” in place, as Koopman put it, often incorporating national good practices.

“However, these good practices will need to align with the stricter requirements introduced by DORA to ensure compliance and enhance cybersecurity governance within the financial sector,” he warned.

“By taking a proactive stance on cybersecurity, organizations can effectively strengthen their resilience against potential threats and demonstrate their commitment to safeguarding critical assets and maintaining operational resilience,” Koopman stressed.

ICT providers

A crucial element of DORA, if not one of the most important aspects, is its stipulations in relation to financial firms’ reliance on ICT third-party service providers (ICT TPP).

According to a study by ENISA, more than 60% of cyber incidents are caused by supply chain attacks. A supply chain attack is a type of cyberattack that targets both a trusted ICT TPP that provides services or software and its customers across the supply chain.

“Financial organisations must extend their security measures beyond internal systems and encompass the entire ICT supply chain, to be able to protect their data,” Koopman explained.

He pointed out that the risk of ICT TPPs should be reflected in contractually agreed security measures, including the necessary exit strategies when agreements are not met.

Furthermore, it is essential that ICT TPPs are risk-assessed before they are contracted and continuously monitored throughout the business relationship so that their security practices can be evaluated.

“By proactively managing the risks that ICT TPP may cause, organisations are able to fortify their defences against potential threats originating from ICT third-party vulnerabilities, safeguarding their assets, reputation, and operational continuity,” Koopman continued.

Moreover, certain ICT TPPs are designated as “critical” (CTTP), he added, requiring direct oversight by EU financial authorities.

“Designating CTTPs involves a careful examination of their role in the ICT supply chain and how their services could affect the organisation’s operations and security. Thorough risk assessments, considering service importance, data access, and potential disruptions, enable effective resource allocation and implementation of targeted security measures,” Koopman said.


“It is important that resilience tests are performed by independent parties,” Koopman emphasized.

– Christiaan Koopman

In summary, DORA requires organisations to keep track of all their CTTPs in a register that must be shared with the local European Supervisory Authority (ESA).

This register includes the classification of vendors or suppliers, the services provided, and their importance to the organization’s primary processes. Any new ICT TPP arrangements must be reported to the appropriate authority on an annual basis.

“While traditional cybersecurity measures focus primarily on defending against cyber threats, DORA emphasizes the importance of resilience,” Koopman concluded, namely “the ability to recover swiftly and effectively from cyber disruptions, crucial in the face of the evolving threats.”

Testing

Koopman thinks testing will become more important than ever before.

“This involves various exercises such as scenario-based simulations, penetration testing, and simulated cyber-attacks to identify vulnerabilities,” he said.

“By subjecting defences to rigorous stress-testing, organisations pinpoint areas for improvement, ensuring their cybersecurity measures remain robust and adaptable, effectively mitigating the evolving landscape of cyber threats,” Koopman shared.

He summed up that these operational resilience tests consist of vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, or penetration testing.

“It is important that resilience tests are performed by independent parties,” Koopman emphasized.

“While vulnerability assessments are usually done on a continuous basis, threat-driven penetration tests can be carried out every three years. Maintaining operational resilience is crucial for organizations,” he concluded.

“As the 2025 deadline approaches, financial institutions face a pivotal moment.”
