Interview with Aline Moyret, GRC Practice Manager & Christophe Ruppert, Lead Advisor Business Continuity Management
The new European DORA (Digital Operational Resilience Act) regulation will come into force on 17 January 2025. The major challenge is to support the operational resilience of financial players in the cyber environment by harmonising requirements in this area across the European Union. For DEEP's Consulting Business Line, the players concerned will have to cope with new capacities to ensure the continuity of their services.
DORA, Europe's new standard for digital operational resilience
The new Digital Operational Resilience Regulation (DORA) for the financial sector was adopted by the European legislator at the end of 2022. It will come into force in January 2025, requiring European financial players to take a series of measures to guarantee the continuity of their services and, more broadly, their resilience in the digital world. National regulators, such as the CSSF and the CAA in Luxembourg, and international supervisory bodies, such as the EBA and EIOPA, had already established a series of requirements and best practices to be followed," explains Aline Moyret. DORA extends these rules of good conduct to the digital world. A European regulation, like DORA or the RGPD, applies uniformly across the Union, without having to be transposed into national legislation. This new text will therefore help to harmonise the rules on governance and risk management inherent in the use of digital resources to support financial activities.
A better understanding of risks to respond effectively thanks to the DORA regulation
Monitoring ICT service providers
At a time when businesses are becoming increasingly dependent on technology, the European legislator wanted to raise awareness and impose a working framework on players in the financial sector in the broadest sense. Here," explains Christophe Ruppert, "the DORA regulation aims to ensure that everyone is in a position to deal with any possible incident and be ready to overcome it while limiting the business impact". Risks come in all shapes and sizes. While we often think of IT security, aimed at protecting the organisation's digital assets from malicious intent, there are other considerations that need to be taken into account, particularly those relating to critical third-party ICT providers (CTPPs). "Operations are increasingly dependent on IT resources managed by external partners and subcontractors. We need to ask ourselves what the consequences might be, in terms of assembling the value chain, if a service provider were to fail," comments Christophe Ruppert. Through DORA, which formally introduces the concept of resilience, the regulator wants to oblige all players to better understand these risks and to implement the appropriate resources to respond to them, but also to test them under real conditions".
The DORA regulation speeds up the migration of businesses to the Cloud
The resilience of processes and workloads moved to the cloud, in particular to the public cloud and its IaaS, PaaS and SaaS services, is therefore largely in DORA's own hands. DORA therefore goes much further than predicting a step backwards in cloud adoption or scale-up strategies. The directive calls for a culture of agnosticism or portability of the cloud(s) or any other outsourced service. A real challenge...
The 5 pillars of the DORA (Digital Operational Resilience Act) regulation
DORA is built around five main pillars, with the aim of setting financial players on the path to greater resilience.
- ICT risk management: IT risk management, based on ad hoc governance, which involves risk analysis mechanisms, resource mapping and business continuity plans, for example.
- Incident reporting: Financial institutions are bound by a set of reporting requirements relating to incidents involving information and communication technologies (ICT).
- Testing: DORA provides for a mechanism to test the digital operational resilience of organisations, in particular through the use of a Red Team whose mission will be to assess the incident response of the supervised bodies.
- Risk management for third parties: An important chapter is devoted to risk management for subcontractors or the use of external resources, such as the cloud.
- Sharing information and intelligence: to enable everyone to better understand the risks and threats.
DORA in Europe, a framework for implementing best practice
Through DORA, the regulator will align best practice and introduce new requirements for financial players. "For most players, we are fortunately not starting from scratch. We need to consider what is already in place and the means of effectively strengthening its resilience on the basis of refined risk management," comments Christophe Ruppert. With this in mind, DEEP uses a standardised approach to help players meet these challenges. We provide our customers with the expertise and framework they need to implement best practice in resilience and service continuity. This starts with an assessment of the maturity of players with regard to standards such as ISO 22301, relating to business continuity, or ISO 27001, which concerns information security management". . This approach is complemented by a cross-functional analysis," adds Aline Moyret. The aim is to ensure that, for an identified threat, the continuity and cybersecurity systems in place are complete and consistent, from risk analysis to operational response.
DORA: Strengthening the entire ecosystem based on a common foundation
DORA secures data at financial institutions and subcontractors
The approach involves identifying the various risks, assessing their impact on the business and implementing appropriate responses. One example is the formalisation of crisis management procedures," says Christophe Ruppert. It's not unusual for these procedures to already exist within the company, but formalising them is essential". Everything must take account of the business issues at stake, in accordance with the principle of proportionality that prevails in the context of these regulations. "DORA requires companies to better supervise and manage their risks, with a view to preserving their business. While these regulations aim to limit systematic risks, they also support the long-term viability of each player," comments Aline Moyret. By indirectly extending to subcontractors, where regulated entities must ensure that their continuity is guaranteed, DORA is helping to strengthen the entire ecosystem.
Provisions in line with DORA guidelines
In addition to the support offered to help organisations strengthen their resilience, DEEP has also developed a range of services and tools with a view to industrialising the process. The Cyber-Resilience Portal, for example, facilitates the management and sharing of information relating to risks and responses, in order to assess the various impacts on the organisation's business continuity (regulation, operations, image & reputation, turnover), with a view to the continuous improvement of business continuity issues.
DEEP supports companies in the financial sector
Finally, DEEP offers services that provide an operational response to the requirements or certain risks raised by the directive. The Cybersecurity Business Line, via the SOC (Security Operations Centre) and CSIRT services, offers an operational response for detecting and responding to cyber incidents. The COS (Cybersecurity Offensive Security) team offers Red Team-type services to test resilience. Finally, through its managed services and cloud service provider capabilities, capable of managing multi-cloud environments, DEEP supports its customers in designing resilient environments that take account of these compliance requirements.
