DORA Security Requirements: Navigating the Challenges for Financial Institutions

Written by Airwalk Reply Senior Security Architect Pete Stapleton

The Digital Operational Resilience Act (DORA) represents a significant step forward in regulating the operational resilience of financial institutions within the European Union. However, conducting a DORA security requirements gap assessment can be complex, with associated challenges and potential dependencies. One of the key issues lies in the differing interpretations of individual DORA security requirements and the potential discrepancy between documented compliance evidence and effective material compliance.

Understanding the Ambiguity of DORA Security Requirements

DORA provides a framework for assessing and managing operational resilience risks. However, the language of DORA's security requirements can be open to interpretation, leading to varying strategies among financial institutions. A non-exhaustive list of examples:

  • RTS 86 p.11.1 b) “the identification and implementation of security measures”: these security measures could vary depending on the individual financial institution’s risk appetite, infrastructure, business model and data security requirements.
  • RTS 86 p.13 c) “the design of networks in accordance with ICT security requirements and taking into account leading practices”: this can be subjective, depending on which best-practice standards are used, based on the size, geographical locations, nature and complexity of a financial institution’s business units and entities.
  • RTS 86 p.13 k) “the implementation of a secure configuration baseline of all network components and hardening the network”: implementing a “secure configuration baseline of all network components” can be challenging, as it requires a deep-level configuration baseline at the level of individual infrastructure resources, and no such baseline is publicly available. It would therefore require the creation of a bespoke resource-by-resource baseline and the implementation of a sophisticated Cloud Security Posture Management (CSPM) tool or a Cloud Native Application Protection Platform (CNAPP). This is an area where Airwalk Reply has significant expertise and may be able to assist financial institutions.
  • RTS 86 p.13 j) “measures to temporarily isolate, where necessary, subnetworks and network components”: this could be interpreted in several different ways, to include components such as Zero Trust architecture, firewalls, IDPS solutions, security groups and route tables. All of these controls must be appropriately documented with detailed diagrams, as required in RTS 86 p.13 b) “the documentation of all of the financial entity’s network connections and data flows”.

There are many other examples of where DORA requirements are open to interpretation. If your financial institution needs clarity on the interpretation of these requirements and/or an assessment of your current compliance with DORA security requirements, Airwalk Reply can provide appropriate expertise.

The Gap Between Documented Evidence and Effective Compliance

While financial institutions may have policies, standards, and procedures to address DORA requirements, this does not necessarily equate to effective material compliance. The gap between evidence of compliance and actual practice can arise due to several factors:

  • Lack of Enforcement: Policies may not be consistently enforced, leading to deviations from established procedures.
  • Insufficient Resources: Financial institutions may lack the necessary resources, such as appropriately worded documentation or advanced technology, to implement and maintain effective controls.
  • Cultural Barriers: A culture of compliance without a corresponding focus on operational resilience can hinder the effectiveness of the implementation of DORA requirements.
  • Complexity of the Environment: Financial services institutions operate in a complex and rapidly evolving environment, making it difficult to anticipate and address all potential risks.

Mitigating the Challenges

To effectively navigate the challenges of a DORA security gap assessment, financial institutions should consider the following strategies:

  • Engage with Regulators: Proactively engage with regulators, i.e. one of the three European Supervisory Authorities (ESAs), to seek clarification on ambiguous requirements and ensure a shared understanding of expectations. However, this clarity may not be readily available.
  • Conduct a Risk and Gap Assessment: Conduct a comprehensive risk assessment to identify critical functions, potential disruptions and their impact on the business, together with a gap assessment of how the current state of documented and material compliance measures up against DORA requirements, and design a plan to achieve compliance where gaps are identified.
  • Develop a Robust Governance Framework: Establish a robust governance framework to oversee the implementation and effectiveness of DORA compliance and the implementation of any new controls or documents that may be required.
  • Invest in Training and Awareness: Provide training and awareness programs to ensure that staff understand their roles and responsibilities in relation to DORA requirements and operational resilience more generally.
  • Leverage Technology and Expertise: Utilise advanced technologies, such as automation, and security experts to enhance security controls, risk management and incident response capabilities.
  • Continuously Monitor and Improve: Conduct regular monitoring and testing so that the effectiveness of material DORA compliance can be measured and areas for improvement identified.

Financial institutions should consider these factors carefully when implementing strategies to mitigate the risks associated with DORA compliance and to enhance operational resilience.

If you require advice or assistance with navigating any aspect of DORA, please do not hesitate to contact us, and we will share the knowledge and experience we have gained from working with our other financial services clients.
