ICT Providers in the Time of DORA

The Digital Operational Resilience Act (DORA) is a major regulatory action of the European Union that underscores the importance of technology and its providers to the overall stability of the financial system. DORA clarifies that ICT providers are now just as crucial as the financial entities (FEs) they support, as they are no longer considered mere vendors but are recognised as essential partners in ensuring the stability and security of the financial sector.

DORA aims to enhance the operational resilience of financial institutions by establishing a robust framework for managing ICT risks. It mandates stringent standards for information security, business continuity and risk management. By doing so, DORA acknowledges the critical role that ICT providers play in the financial ecosystem and extends its regulatory reach to these providers. Competent Authorities are expected to identify national and pan-European providers as critical and directly oversee them.

Under DORA, ICT providers are expected to implement and assure several aspects of information security and digital resilience. This involves a comprehensive approach to information security, including threat-led penetration testing, business continuity planning and active participation in data recovery processes during crises. Moreover, ICT providers must achieve security awareness, grant rights to audit their processes and not overly rely on external certifications.

Threat-led penetration testing is a cornerstone of DORA compliance. ICT providers, in conjunction with FEs, must regularly conduct simulated attacks on their systems to identify vulnerabilities before they can be exploited by malicious actors. These tests must go beyond typical penetration tests; they must be informed by identified threats to the financial system and consider extreme but plausible scenarios that could impact both an FE and the ICT provider.

DORA also emphasises the need for resilience testing. ICT providers must ensure that their systems can withstand various disruptions, whether they are technical failures, cyber-attacks or natural disasters. This involves regular testing of backup systems, failover mechanisms and recovery processes. ICT providers must demonstrate that they can maintain operational continuity under adverse conditions, ensuring that critical services always remain available to FEs. It is no longer enough to strive to prevent adverse conditions; it is necessary to consider resilience in light of such conditions.

In the event of a data breach or system failure, the ability to recover data quickly and efficiently is paramount for FEs. ICT providers must develop and maintain comprehensive data recovery plans that enable FEs to recover their critical data. Providers must work closely with FEs to ensure seamless data recovery processes and minimal disruption to business operations.

DORA also requires ICT providers to be mindful of geopolitical risks. Providers operating in or outsourcing services to regions with potential political instability must establish strategies to mitigate these risks. This includes ensuring that data is stored in secure, politically stable locations and that there are contingency plans for transferring services or data if geopolitical conditions threaten service continuity.

ICT providers must implement robust ongoing awareness training programmes to educate their staff about DORA requirements and cybersecurity best practices, tailored to the different roles within the organisation. Employees must be aware of the latest threats and know how to respond to potential security incidents. Regular training sessions, simulated phishing attacks and updates on emerging threats are essential components of a comprehensive awareness training programme, which should be conducted in cooperation with, and with the support of, FEs’ ICT providers.

Effective incident response is crucial for DORA compliance. ICT providers must have detailed incident response plans that outline the steps to take when a security breach or operational disruption occurs. These plans should include procedures for identifying and containing the incident, assessing its impact and communicating with affected parties. They must also work with FEs to ensure that incidents are resolved swiftly and that lessons learned are incorporated into future prevention strategies.

The ‘Iron Price’ of DORA

Compliance under DORA means more than just paperwork; it demands ongoing technical resilience and collaboration. ICT providers must be prepared to undergo technical testing, identify and address vulnerabilities and collaborate closely with FEs to resolve any issues that arise. Specifically, DORA limits reliance on external certifications and expects FEs to critically assess the scope, depth and operational-effectiveness testing that such certifications require.

This ‘Iron Price’ of compliance requires that ICT providers demonstrate real, actionable security measures and resilience, which entails embracing continuous improvement through technical testing and being ready to respond swiftly and effectively to any identified vulnerabilities. This level of commitment ensures that both the ICT providers and the FEs they support can maintain robust operational resilience.

Adhering to DORA offers substantial market opportunities to ICT providers. Those that fully embrace the regulation not only comply with necessary standards but also gain a significant competitive edge. By proving their commitment to operational resilience and security, ICT providers can position themselves as preferred partners in the financial services industry.

The rigorous compliance requirements of DORA can become a market differentiator. ICT providers that meet these standards will be seen as leaders in security and reliability, potentially attracting more clients seeking robust ICT solutions. Embracing DORA is not just about meeting regulatory demands; it’s about setting a benchmark for excellence in the ICT services industry.

By Demetris Antoniou, Senior Manager, Cyber and Strategic Risk, Deloitte Cyprus

(This article first appeared in the July issue of GOLD magazine.)
