Ever wondered how well the financial sector could handle a major cyberattack or a system-wide outage? The EU has, and it is taking action.
The Digital Operational Resilience Act (DORA) is a new regulation that’s set to transform how financial entities in Europe approach digital security.
In force from 17th January 2025, DORA requires organisations, from banks to investment firms, to significantly strengthen their ability to prevent, withstand and recover from ICT disruptions, and it applies to 21 different types of financial entities. It’s all about creating a more resilient financial system that can weather any digital storm – and that includes making sure that your cloud is robust enough to cope with whatever is thrown at it.
While it is likely that relevant organisations have already taken the steps to ensure compliance with the act, for those who have not, we have broken it down here in plain English.
The main pillars that organisations need to address in relation to DORA are:
- ICT risk management: Establishing a robust framework for managing ICT risks.
- ICT-related incident management: Developing processes for detecting, responding to, and recovering from ICT-related incidents.
- Digital operational resilience testing: Regularly testing systems and processes to ensure they can withstand disruptions.
- ICT third-party risk management: Managing risks associated with third-party ICT providers, including cloud service providers.
- Information sharing: Establishing mechanisms for sharing cyber threat information and intelligence.
When it comes to those using the cloud, compliance can be broken down into three phases (many of these steps you might have already taken, but if not, it is important to take action):
- Phase 1: Assessment and gap analysis: Begin by understanding DORA’s scope and its specific implications for your organisation’s cloud usage. Conduct a thorough assessment of your current cloud environment, including an inventory of all services, data mapping of sensitive information, and identification of business-critical cloud services. Compare your existing ICT risk management, incident response, and third-party risk management practices against DORA’s requirements. Identify any gaps, paying close attention to your cloud service contracts and in particular to contractual clauses relating to security, audit rights, subcontracting, exit strategies, and business continuity. Our cloud optimisation services can help you identify and mitigate cloud-specific risks, ensuring you meet DORA’s requirements for ICT risk management and resilience testing.
- Phase 2: Remediation and implementation: Develop a DORA compliance roadmap, prioritising the identified gaps. Update or create a comprehensive ICT risk management framework that addresses cloud-specific risks and strengthen your incident response plans to handle cloud-related incidents effectively. Implement regular resilience testing for your cloud services. Critically, enhance your third-party risk management processes for cloud providers, including due diligence, ongoing monitoring, and contractual safeguards.
- Phase 3: Ongoing compliance and improvement: DORA compliance is not a one-time project. It is important that you continuously review and update your policies, conduct periodic audits, and stay informed about regulatory updates. Participate in information-sharing arrangements to enhance collective cyber resilience.
Specific considerations for cloud users:
For those who have cloud architectures, it is vital that you explore and are clear on the following areas:
- Shared responsibility model: Understand the shared responsibility model with your cloud providers. Clearly define which security and resilience responsibilities fall on you and which fall on the provider.
- Data residency and cross-border transfers: Ensure compliance with data residency requirements and regulations governing cross-border data transfers.
- Cloud Security Posture Management (CSPM): Consider implementing CSPM tools to automate the monitoring and assessment of your cloud security configuration.
- Cloud Access Security Broker (CASB): Explore using CASB solutions to gain greater visibility and control over your cloud environment.
By following these steps, those using cloud services can effectively prepare for DORA and enhance their overall digital operational resilience.
Keep in mind though that DORA compliance is not a one-time project but an ongoing process that requires continuous monitoring, assessment, and improvement. Preparation is key to ensure a smooth transition and avoid potential penalties.
If you have any questions on how you can ensure your cloud architecture is resilient and complies with DORA, get in touch with us here: https://cirrushq.com/contact/