Prepare for Digital Operational Resilience Act DORA Compliance

Feb 26, 2024

(Someone Had to Do It)

Something we’ve started to encounter when talking with European organizations is a law called the Digital Operational Resilience Act (DORA). DORA was introduced in 2020, adopted in 2022, and finalized on January 16, 2024 after various EU authorities, including the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), clarified various technical standards. When the Act goes into effect on January 17, 2025, DORA compliance will be mandatory for financial services firms.

It’s interesting to me that we’ve already started hearing questions about the Digital Operational Resilience Act. New regulations rarely come out of the blue. As was the case with DORA, there is usually a process that involves a draft proposal, a period of public comment, the publication of finalized language and an effective date, and then some tweaking as actual enforcement actions and challenges are made. It’s reassuring to see that many organizations are already taking steps to change their internal systems and processes in anticipation of the new law now that the details have been finalized. But we also know many more will take a wait-and-see approach. We won’t speculate as to why.

Keeping Abreast of Regulations

As a U.S.-based company, Coviant Software isn’t directly affected by DORA. We do try to keep abreast of regulations that pertain to our customers, however. And in this case we thought the impacts of DORA would be mostly tangential to our product, which is true. But there are a few ways that our Diplomat MFT secure managed file transfer solution can complement DORA compliance (just as we do with many other regulations demanding information security and data privacy).

First, it’s important to recognize what DORA compliance is all about. Focused on the financial services sector, the Digital Operational Resilience Act is intended to advance the goal of ensuring that the vital flow of economic data continues even in the event of a cyberattack, natural disaster, or some other potentially disruptive event. Many governing bodies in the financial services sector already offer frameworks to help guide the industry in this way (the Basel Committee, U.S. Federal Reserve, and Bank of England, for example); DORA compels financial services firms to adopt the necessary operational strategies.

Five Pillars of DORA Compliance

Whatever framework an organization chooses, the global consulting firm PwC cautions that DORA “provides a very specific set of criteria, templates and instructions that will shape how financial organizations manage ICT and cyber risks,” and says those criteria are based on five “core pillars that address various aspects or domains within ICT and cyber security.” Those pillars are:

  • Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.
  • All sources of ICT risks should be continuously identified in order to set up protection and prevention measures.
  • A prompt detection of anomalous activities should be established.
  • Dedicated and comprehensive business continuity policies and disaster and recovery plans should be in place, ensuring a prompt recovery after an ICT-related incident.
  • Establish mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents.

Second, while European financial services organizations are the primary focus for DORA, the regulation also reaches across to third-party information and communication technology (ICT) partners. This includes managed services providers (MSPs), network services providers, X-as-a-Service providers, and the like. As a result, financial services organizations must be diligent in selecting partners, and then monitor those connections on an ongoing basis.

Complementing DORA Compliance

Diplomat MFT can help complement an organization’s strategy for DORA compliance by ensuring file transfers between the financial services firm and its digital trading partners are encrypted. Whatever technology is used, secure file transfers should support SFTP for transport encryption and PGP for file encryption. This is already required as a best practice for file exchanges with most large banks, and Diplomat MFT conforms to those standards. And, as the recent attacks against some managed file transfer platforms show, those technologies should be deployed behind a firewall and not exposed to the public internet. We address third-party risk in more detail in this blog, while we tackle best practices for avoiding MFT security pitfalls in this blog.

When putting together any strategy for achieving regulatory compliance, we recommend consulting with experts who have the requisite certifications and bona fides. But once that plan is in place, if you find you have a gap to close in the file transfer department, Coviant Software can help. Diplomat MFT has been trusted for twenty years with secure and reliable file transfer automation. Contact me for more information.