Posted: 05/08/2024
Cyberattacks are a growing threat to financial institutions. DORA’s streamlined reporting framework offers a critical defence strategy.
Introduction
Cyberattacks are a constant threat, and financial organisations need robust defences. Traditionally, reporting ICT incidents has been a cumbersome process, often involving several regulatory bodies with differing formats and deadlines. DORA (the Digital Operational Resilience Act) aims to harmonise this process across the EU. The benefit is clear: a single, consistent reporting regime reduces the administrative burden on institutions and gives authorities a more coordinated view of increasingly sophisticated attacks.
Reporting Requirements Under DORA
The EU recognises the burden of multiple reporting channels that financial institutions have traditionally faced. DORA establishes a consistent set of categories for classifying incidents across member states, so that the same incident is described in the same terms regardless of jurisdiction. Entities already familiar with comparable frameworks (for example existing sectoral incident-reporting rules) will find the transition easier.
Focus on Impact
DORA prioritises reporting based on impact and on the potential for an incident to spread to other entities (“contagion risk”). This ensures authorities receive critical information quickly, allowing a swift response to contain attacks that could affect several institutions at once. The tight reporting deadlines mean that incident-management procedures, including classification and notification steps, must already be in place before an incident occurs.
Benefits of a Standardised Classification System
DORA’s standardised classification system offers several advantages for financial organisations:
Compliance Steps for Financial Organisations
To ensure compliance with DORA’s incident management requirements, financial organisations can take several steps:
Regulatory & Implementing Technical Standard
DORA establishes a framework for ICT incident management, but the specifics of reporting and classification are still under development. This section explores the upcoming Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that will provide further guidance for financial organisations.
Focus on Classification: Criteria for Major ICT Incidents
DORA requires financial organisations to establish procedures for detecting, managing, and notifying ICT-related incidents. The proposed RTS on classification criteria set out a two-step approach for determining whether an incident qualifies as “major” and therefore triggers mandatory reporting:
Step 1: Critical Services Impact: The first step assesses whether the incident affects the organisation’s critical services. An incident meets this test if it impacts ICT services that support critical or important functions or authorised financial services, or if it involves successful unauthorised access to the organisation’s network and information systems.
Step 2: Additional Thresholds: If critical services are impacted, the financial organisation assesses the incident against the additional criteria set out in the RTS:
The incident is classified as major if the unauthorised access identified in Step 1 is malicious, or if at least two of the additional criteria are triggered. Financial organisations must then submit an initial notification to the relevant competent authority, followed by an intermediate report and a final report as the incident progresses.
Recurring Incidents and Significant Cyber Threats
The standards also address recurring incidents and significant cyber threats:
Next Steps: Templates and Third-Party Services
The remaining sections of the ESAs’ first batch of technical standards address:
Based on feedback received in the public consultation, the second batch of technical standards will be finalised and submitted to the European Commission by 17 July 2024. This is exactly six months before DORA applies directly across the EU, from 17 January 2025.
Conclusion
DORA represents a significant step forward in strengthening the cyber resilience of the financial sector. While some of its technical standards are still under development, understanding its core principles now allows financial organisations to prepare. By improving incident classification, escalation and communication procedures ahead of the deadline, organisations both reduce compliance risk and strengthen their overall cyber security posture.
Remember, a cyberattack can happen at any time, and being prepared is crucial. DORA provides a clear roadmap for achieving this. Don’t wait until the remaining standards are finalised – act today to protect your business and your customers’ information.