In today's interconnected world, where the economy is rapidly evolving around a digital landscape, the resilience and security of digital service providers are critical concerns. Enhancing cybersecurity has been on the agenda of multiple global agencies and governments in recent years. One such initiative is DORA, introduced by the European Union. DORA stands for Digital Operational Resilience Act and is a piece of legislation aimed at strengthening digital operational resilience.
So let us look into the DORA Malta regulation.
As introduced by the EU, the Digital Operational Resilience Act entered into force on the 17th of January 2023 and will apply from the 17th of January 2025. It will be applicable to:
- Banks
- Payment institutions
- Investment firms
- Crypto assets service providers
- Credit institutions
- Fund management companies
- Data reporting service providers
- Insurance and insurance intermediaries
- Credit rating agencies
- Crowdfunding service providers
Note that DORA also covers third-party ICT service providers that provide digital and data services to clients on an ongoing basis. This can include:
- Hardware and/or software as a service
- Technical support via software/firmware updates
Note that the Digital Operational Resilience Act is a regulation, not a directive: it applies directly in every member state without needing to be transposed into national law, and therefore all companies within the aforementioned industries have to abide by it.
The ultimate aim of DORA is to promote Europe's competitiveness and innovation in the financial sector. Financial entities hold and process various types of critical information and are therefore particularly susceptible to information security (IS) attacks.
This EU regulation will harmonize the rules of the different member states into a single regulation covering operational resilience and cybersecurity.
Chapter 2: Requirements of the Digital Operational Resilience Act and how these can be easily reached through ISO 27001 certification
Chapter 2 states that organizations must take a risk-based approach to their digital operational activities. This is also the main pillar of ISO 27001:2022. As per the Digital Operational Resilience Act, the following elements have to be considered:
- Identification
- Protection and prevention
- Detection
- Response and recovery
- Learning and evolving
- Communication
The National Institute of Standards and Technology (NIST) has a framework that considers some of the above. The NIST framework core covers 5 critical functions, which in turn are broken down into 23 categories, as follows:
- Identify
  - Asset management
  - Business environment
  - Governance
  - Risk assessment
  - Risk management strategy
  - Supply chain risk management
- Protect
  - Identity management and access control
  - Awareness and training
  - Data security
  - Information protection processes and procedures
  - Maintenance
  - Protective technology
- Detect
  - Anomalies and events
  - Security continuous monitoring
  - Detection processes
- Respond
  - Response planning
  - Analysis
  - Mitigation
  - Improvements
- Recover
  - Recovery planning
  - Improvements
  - Communications
The aforementioned categories were designed to cover as many cybersecurity threats as possible. However, following the NIST framework alone does not cover all the requirements of DORA.
Chapter 3: ICT risk management requirements
ICT risk management requirements revolve around:
- Identifying business functions and determining what type of information assets are needed to support these functions.
- Doing everything possible to ensure that such assets are protected.
- Since the aim is to prevent incidents, placing a focus on detecting anomalous activity, ideally before an incident occurs.
- Having systems and procedures in place, including adequate communication with the relevant stakeholders (clients included), should recovery strategies need to be invoked.
Moreover, another important element of the Digital Operational Resilience Act relates to ICT-related incident management, classification and reporting. This element is strongly mentioned in ISO 27001:2022 in Clause 10, and referenced in other clauses. It is defined in Chapter 3 of the regulation.
Specific criteria for how incidents have to be classified will be made available. Possibly, the ENISA systems will be used (this is mentioned within the DORA Malta regulation), although other standards might be used. The classification of incidents can be used in conjunction with the overarching requirements of ISO 27001.
Depending on the severity of the incident, organizations will need to communicate it to the regulator. Major incidents will need to be reported to the national regulator within a strict deadline. Going forward, a central platform might be created through which all financial institutions report their ICT-related incidents on the same portal.