January 7, 2025
As we all know, in January 2025 DORA (Digital Operational Resilience Act - officially Regulation (EU) 2022/2554) comes into force for financial companies – but what does this mean for the rest of us?
Actually, if you’re already SOC 2 or ISO 27001 certified, potentially not a great deal.
We, as a service provider, providing services to financial entities, are affected – even though we’re in Switzerland (Switzerland’s financial services sector is not obliged to adopt DORA at the time of writing).
But what about companies that are outside of the EU but provide services to companies who have adopted DORA?
For Swiss entities, because we’re providing services directly to those who are subject to DORA, we’re also DORA obliged.
By way of recap, before going into what needs to be done for DORA, it’s worth considering the underlying goal we’re trying to achieve. The goal of the EU’s DORA initiative is to create a single, high-standard baseline for digital operational resilience, so that the financial sector can maintain essential functions even in the face of ever-evolving digital threats. It aims to protect consumers, preserve market integrity, and enhance the overall stability and competitiveness of the European financial system in a digitally driven era. And the EU is trying to achieve and enforce this using regulation.
Having understood what the EU would like to achieve with the regulation, it’s worth taking a moment to consider the high-level requirements so we can better understand how they relate to ‘us/you’ (from a company perspective).
The six areas that DORA focuses on (each discussed in turn below) are:
- ICT risk management
- Third-party risk management
- Operational resilience (testing)
- Incident management and reporting
- Information sharing
- Oversight
For anyone who’s familiar with either SOC 2 or ISO 27001 this might look familiar – and with good reason. One of the key tenets of DORA is that it should not replace or duplicate existing standards. Whilst it might not replace them, it does try to extend them in places.
As a company, we are SOC 2 certified – so how does DORA extend SOC 2?
Let's consider the risk management area. For SOC 2 we typically consider risk management in the context of IT, and for a lot of companies this has been interpreted in a very ‘vanilla’ fashion; when we look at what DORA is anticipating, we see that we as providers are expected to consider the wider, or more holistic, environment and further develop scenario-based risk analysis. I must admit, at the time of writing, this puts a smile on my face. The reason that I’m now grinning is because over the last couple of years I’ve “killed” our head of DevOps (and “seriously injured” our CFO) and had a key member of our professional services team “executed” (by the mob) in order to facilitate an internal attack. So now with DORA, I don’t have to justify these executions anymore, nor justify pushing different departments to ‘show me how you recover’. If you’re not already doing scenario-based risk analysis I can only recommend it; your company will benefit in ways that you wouldn’t imagine. I should stress that no-one actually gets injured during our exercises (HR would not approve) – but they do ‘role play’.
If we look at third-party risk management, we again see that DORA asks for a little more than standard SOC 2, but not more than some of us are already doing; specifically, DORA looks at exit strategies and continuous monitoring of SLAs and risk.
Operational resilience is perhaps the subject area where most COOs and CIOs would assume that the most change is coming – but in real terms (at least for us) it’s not. SOC 2 asks for penetration testing and vulnerability testing by default – DORA points to the use of ‘red team’ tests and formalised DR/BCP testing. So, if you’re already doing ‘red team’ tests, have scenario-based DR testing and have regular BCP tests – you’re already ticking this box.
The next item on the list is incident management and again, I can see that if you’re not ISO 27001 or SOC 2 certified this might seem a little daunting. Ironically enough, anyone who works in the financial services sector really should have this in place whether they’re certified or not – it’s simply a matter of formalising how you as a company are going to behave when things go wrong: how you’re going to classify an incident, manage it, return to ‘normal’, recover from it and finally report it.
One thing that is more heavily emphasised with DORA is the idea of taking part in the cyber security community (information sharing); specifically, having in place a formal process for collaborating with external partners/parties and being able to show that you actively participate in threat analysis networks.
Finally, we have the notion of oversight. DORA puts in place the expectation that senior management will take part in the incident management and reporting process whilst also being accountable for it (or problems with it).
In summary, for some of us DORA will mean small changes, whilst for others it will involve putting more thought into the ISO/SOC certification process – but overall, especially for our clients, this is simply a set of requirements to ensure that as service providers we are taking care to be the good shepherd that we should already be.
I hope that this was reassuring for the majority of you, whilst pointing in the right direction for those who need a little help.