DORA, the Digital Operational Resilience Act, is draft legislation designed to improve the cybersecurity and operational resiliency of the financial services sector. It complements existing laws such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR). While DORA is still working its way through the legislative process, it is expected to be approved in 2022.
The Digital Operational Resilience Act defines criticality thresholds for services provided to financial institutions. If an organization is a direct service provider to a financial institution and its services meet these thresholds, then the company is subject to DORA. This means that the organization will be directly supervised by the relevant financial regulator.
For organizations whose services do not meet the DORA thresholds, the regulation still applies, but direct supervision is not required. Instead, the organization’s customers will be required to demand certain contractual terms to achieve compliance with DORA’s requirements.
For example, the Digital Operational Resilience Act (DORA) requires financial institutions to report data breaches to regulators within a certain window after discovery. Financial institutions will be required to impose the same breach reporting requirements on their suppliers and service providers as part of their contractual obligations. If an organization is not willing to accept these terms, then DORA prohibits the financial institution from doing business with it.
The Digital Operational Resilience Act dictates the terms that financial institutions will require of their suppliers and the security controls that these suppliers must have in place. Since DORA is geared toward improving the resiliency of the entire financial industry, these obligations and requirements are likely to be passed on through the entire supply chain.
The primary goal of DORA is to ensure the operational resilience of the financial sector. As part of this, organizations covered by the Digital Operational Resilience Act need to implement risk management processes that help to identify potential vulnerabilities to plausible cyber threats and put policies and security controls into place to protect against these risks.
DORA creates a framework of rules that financial institutions and their suppliers need to follow for operational resilience. Some of the key goals and requirements include:
The exact requirements of the Digital Operational Resilience Act are unknown as it is still in draft status. However, starting the process to meet these requirements today will simplify compliance once the law is approved.
DORA has not yet been passed, but it is expected to become law in 2022. This means that organizations that may be impacted by DORA should start working towards compliance today.
To prepare for the Digital Operational Resilience Act, one of the most important steps that an organization can take is to simplify and streamline its security architecture. DORA requires rapid reporting of cybersecurity incidents, visibility into an organization’s third-party dependencies, and the ability to respond to audit requests from regulators or customers.
Check Point Harmony Suite provides consolidated protection across all of an organization’s IT infrastructure, including support for endpoints, mobile, cloud, and email. By simplifying and streamlining an organization’s security infrastructure, Harmony Suite makes it easier to protect against cyber threats and meet the reporting requirements of DORA. To learn more about how Check Point solutions can help with compliance and other regulations, contact us.