Digital Operational Resilience Act (DORA) Part 2 - The Importance of Incident Response

Kate Mia Watson

Marketing Assistant

Leveraging her extensive experience in the cyber industry and a talent for creative writing, our Marketing Assistant adeptly translates complex, technical cybersecurity concepts into compelling, informative content that not only engages you, the reader, but also underscores our authoritative position and expertise in the industry.

Why is DORA needed?

The need for the Development of Online Reliable Sources (DORA) arises from the increasing concern over the spread of misinformation on the internet. DORA aims to promote fact-checking and address the detrimental effects of fake news in today's society.

In recent years, the proliferation of fake news has had a profound negative impact on individuals and communities alike. False information spreads rapidly, causing confusion, division, and mistrust among people. The consequences of this misinformation can be severe, influencing public opinion, sowing discord, and even shaping political outcomes.

In this era of information overload, reliable sources play a vital role in ensuring that people have access to accurate and verified information. Reliable sources integrate fact-checking measures and methodologies into their reporting, providing a safeguard against the spread of fake news. By establishing a standard for trustworthy and accountable journalism, credible sources act as a bulwark against the erosion of public trust.

DORA's objective is to educate individuals on the importance of fact-checking and encourage them to seek information from reliable sources. Its initiatives focus on promoting critical thinking skills and media literacy, enabling people to discern fact from fiction in an increasingly complex digital landscape. By empowering individuals to be more discerning consumers of information, DORA aims to combat the harmful effects of misinformation and foster a more informed and engaged society. 

The Impact of DORA on Financial Services

The Digital Operational Resilience Act (DORA) is a legislative proposal introduced by the European Commission as part of its Digital Finance Strategy. DORA aims to enhance the operational resilience of the financial sector by addressing technological risks and ensuring business continuity in the digital age.

DORA will have a significant impact on financial services as it introduces specific requirements and changes for financial entities. Firstly, it mandates that financial institutions, such as banks, insurance companies, and financial market infrastructures, become more proactive in identifying, managing, and mitigating operational risks related to their digital activities. This includes cyber risks, IT disruptions, and data breaches.

Secondly, DORA requires financial entities to adopt a risk-based approach to their digital operations. They must conduct regular self-assessments and implement appropriate measures to ensure the continuity and security of their services. This involves the development of robust ICT systems, regular testing and auditing, and the establishment of incident response and recovery plans.

Furthermore, DORA introduces supervisory requirements for competent authorities responsible for overseeing financial services. It empowers them with increased powers to monitor and evaluate the operational resilience of financial entities, conduct cybersecurity assessments, and impose penalties in case of non-compliance.

Impact on Incident Management

Incident management refers to the process of identifying, analysing, and resolving any unplanned events or issues that occur within an organisation. These incidents can range from IT system failures, security breaches, or natural disasters to employee conflicts or legal disputes. Effective incident management is crucial for maintaining business continuity and minimising any negative impact on an organisation's operations and reputation. In this article, we will explore the impact that DORA will have on incident management and how organisations can respond effectively to incidents and mitigate their impact.

How DORA Will Impact Incident Management at Financial Entities 

The Digital Operational Resilience Act (DORA) is set to have significant impacts on incident management at financial entities.

One important aspect of DORA is the establishment of incident management requirements. Financial entities will be required to promptly detect, respond to, and mitigate any incidents that may affect their operational continuity. This includes incidents caused by information and communication technology (ICT) risks.

Moreover, DORA will introduce stricter reporting obligations for financial entities. They will be required to notify the competent authorities of any incidents that have or could significantly impact their provision of services. This will ensure that incidents are properly assessed and managed to minimise their impact on the financial sector.

DORA also emphasises the importance of incident resolution capabilities. Financial entities must develop comprehensive incident response plans and test them regularly. By doing so, they will be better prepared to address ICT risks and mitigate the effects of incidents, thereby ensuring digital operational resilience.

Who Does the DORA Regulation Apply to?

As briefly mentioned, the DORA regulation applies to the EU's financial sector and to third-party suppliers to that sector. This includes all traditional financial institutions, such as banks, investment firms, and credit institutions, as well as non-traditional entities, such as crypto-asset service providers and crowdfunding platforms.

When Does DORA Come into Force?

DORA's compliance date is fast approaching for the EU's financial landscape. This new legislation was introduced on 16 January 2023 and is due to come into effect on 17 January 2025. This has given financial entities two years to become compliant.

How Penetration Testing can Help Achieve DORA Compliance

To contribute to an organisation's risk management, financial organisations should conduct regular pentesting.

Penetration testing is a pivotal component of DORA compliance, offering valuable insights into the security posture of control systems. OnSecurity is a leading pentesting provider, delivering high-impact, high-intelligence testing to businesses of all sizes. By delivering seamless testing, OnSecurity helps simplify the delivery and management of pentesting for its clients.

Purpose of DORA

DORA, which stands for DevOps Research and Assessment, is a model designed to measure and enhance the effectiveness of DevOps practices. The purpose of DORA is to provide organisations with valuable insights into their software delivery process, enabling them to identify areas of improvement and optimise their DevOps capabilities.

The objectives of DORA include assessing the performance of software delivery teams, understanding the impact of DevOps practices on organisational outcomes, and identifying areas where organisations can make changes to enhance their delivery process. By measuring key metrics such as deployment frequency, lead time, change failure rate, and mean time to recover, DORA helps organisations identify bottlenecks and inefficiencies in their software delivery pipeline.

The benefits of using DORA include increased agility, faster time-to-market, improved product quality, enhanced customer satisfaction, and higher organisational performance. By implementing the recommendations from DORA assessments, organisations can streamline their software delivery process, foster collaboration and communication between teams, and create a culture of continuous improvement.

The target audience for DORA is organisations that are looking to embrace DevOps practices and improve their software delivery process. This includes software development companies, IT departments, and any organisation that wants to optimise their software delivery pipeline.

DORA-Focused Incident Response Plan

Between September 2024 and January 2025, businesses must take specific actions to become DORA compliant. These actions include:

  • Update risk management frameworks
  • Conduct due diligence and renegotiate contracts with third-party service providers
  • Develop incident response plans
  • Plan and conduct internal audits

Key Compliance Requirements 

  1. Risk Management Framework: Establishing a robust risk management framework is foundational to compliance. This involves identifying, assessing, and mitigating risks, such as weaknesses in your security infrastructure, to ensure operational continuity and security.
  2. Incident Reporting and Response: Prompt and effective incident reporting and response mechanisms are essential. Financial entities must swiftly detect and respond to incidents, minimising disruption and mitigating potential harm.
  3. Business Continuity Planning: Developing comprehensive business continuity plans to ensure operational resilience in the face of disruptions. These plans should outline procedures for maintaining critical functions during adverse events and support the wider security team in mitigating risks.
  4. ICT Risk Management: Managing Information and Communication Technology risks involves identifying vulnerabilities, implementing controls such as ongoing threat intelligence, and continuously monitoring systems for potential threats.
  5. Third-party Risk Management: This is increasingly important for financial institutions as they rely on more third-party service providers. Entities must conduct due diligence, monitor performance, and ensure compliance with security standards across all third-party partnerships.

Penetration testing services and DORA compliance

Here's how OnSecurity's penetration testing services contribute to DORA compliance.

  1. Identifying Vulnerabilities: OnSecurity operates manual pentesting to simulate real-world cyber attacks, uncovering vulnerabilities that could compromise the operational resilience of financial systems.
  2. Assessing Security Controls: Through penetration testing, OnSecurity evaluates the efficacy of existing security controls and provides recommendations for strengthening defences against cyber threats.
  3. Mitigating Risks: By identifying and remediating vulnerabilities, financial institutions can mitigate risks and enhance their operational resilience, aligning with the objectives of DORA.
  4. Comprehensive Reporting: OnSecurity delivers detailed reports outlining findings, recommendations, and actionable insights, enabling organisations to prioritise remediation efforts and improve their security posture.

Incident Response Plans 

Here at Pentest People, our tailored Cyber Incident Response Services stand out for their bespoke approach, meticulously crafted to meet the unique requirements of every business. With a hands-on approach led by our experienced Incident Response team, we guide you through the entire service, ensuring a seamless and effective response to any cyber threat.

Having an Incident Response Plan is crucial under the new DORA requirements, so it's vital that financial companies invest in a quality Incident Response service that puts their security first.

At Pentest People, we understand that you're not just another business; that's why our services are designed to provide you with the personalised attention and expert support you deserve. Trust us to safeguard your assets and confidently navigate the complex cybersecurity landscape.

With three different packages, we tailor our services around you. Enquire today to get your Incident Response Package secured before January 2025.
