The Digital Operational Resilience Act (DORA) Financial Regulation and DMARC
Financial organizations have always been at the center of attention for bad actors. Hackers love exploring the “ample resources” that banks, investment organizations, and loan companies provide. They not only harvest personal details but also go after direct financial gain.
With the digitization of finance and the rise of cryptocurrencies, the financial sector has become even more exposed to cyberattacks. Moving to digital also brings third-party Information Communication Technology (ICT) providers into the mix, making the security issues more visible and less predictable.
These changes are happening faster than legislative processes and government adoption allow, which makes the situation more prone to manipulation. As a result, some systems and mechanisms fall into a legal gray area.
This article covers the Digital Operational Resilience Act (DORA): its scope, goals, and requirements. We also discuss what’s next on the timeline for DORA and how to prepare for its implementation.
But before that, let’s find out when and how it came about.
How DORA Started
The Digital Operational Resilience Act is part of a larger legislation package on digital finance, including markets in crypto assets and distributed ledger technology. The European Commission developed these legislative changes to protect citizens and minimize risk.
The European Council proposed the regulation on September 24, 2020, moved it into the negotiation stage on November 24, 2021, and adopted the provisional document on May 10, 2022.
The Scope: Who Does DORA Impact?
DORA covers financial institutions operating in the EU, including banks, loan organizations, insurance companies, and auditors. According to the proposed legislation, even overseas organizations should open European subsidiaries for more convenient oversight and faster responses.
The Digital Operational Resilience Act (DORA) aims to assert control over the ability of financial institutions to respond to, report on, and manage cybersecurity risks. As financial institutions depend on third-party Information Communication Technologies (ICTs), the risk scope also spreads. Therefore, one of DORA’s goals is to regulate such services and their response capabilities.
What are the DORA Rules?
DORA focuses on a few cybersecurity aspects for financial entities, including incident reporting, penetration testing, and information sharing. It aims to level the playing field with proportional requirements for all organizations.
Let’s dive into each requirement for a more detailed review.
ICT risk management stems from how the company aligns its business and cybersecurity strategies. The focus of this section is to provide organizations with a set of rules regarding ICT-related issues:
- Clear roles and responsibilities (who deals with what)
- Continuous risk monitoring and management
- Allocation of investment and training resources
Third-Party Risk Management
This section of the Digital Operational Resilience Act covers the usual third-party risk management best practices like:
- Keeping up with accepted prevention and protection measures
- Detecting anomalies
- Updating systems and protocols
- Setting up proper business continuity and disaster management practices
Incident reporting is an integral part of all cybersecurity practices. The Digital Operational Resilience Act (DORA) aims to establish simple and efficient procedures for all reports. Here are some objectives of this section:
- Streamline templates for initial, intermediate, and final reports
- Start a conversation between authorities and financial organizations for fast and efficient responses
- Centralize the reporting system under an EU Hub, which will handle all significant cyberattack reports by financial institutions
Periodic penetration tests on digital operations are one of the essential components mentioned in DORA. All financial organizations must frequently test their systems to identify weaknesses and find improvement opportunities. The regulation sets:
- Proportional testing mechanisms (depending on the company size and the level of business risk)
- Tester requirements across the EU
This section touches on the significance of information sharing among financial organizations. It’s crucial for a few reasons:
- It raises awareness about cyber risks and threats
- Through that awareness, it limits the spread of those threats
- It helps organizations support each other in building and running more resilient threat detection practices
DORA and DMARC
What does DORA have to do with DMARC?
It’s simple—cyber threats are everywhere, and email is one of the most targeted infrastructures of financial institutions worldwide.
Business Email Compromise (BEC) is a targeted phishing attack that can leave most businesses in ruin. In the case of financial organizations, this attack type threatens their clients, too.
While there’s much more to cover in the Digital Operational Resilience Act (DORA), DMARC compliance is among the crucial antidotes against phishing and spoofing.
What’s Next for DORA?
The current draft of the Digital Operational Resilience Act (DORA) is expected to be approved by the European Council and European Parliament by the end of summer 2022.
After that, the package will be integrated into the law of each member state. Once this happens, the European Supervisory Authorities, including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), will develop further technical requirements within the DORA scope.
The mentioned authorities will also act as the oversight and enforcement bodies for the law.
How to Prepare for DORA Adoption
New regulation adoption puts pressure on organizations, and DORA isn’t an exception. Understanding and implementing the change takes a lot of time and resources, especially for non-EU financial organizations with clients in the Union.
It’s likely that once DORA is official, small and medium companies will have about a year to meet all the requirements. Depending on a few other factors like cyber risk exposure and business profile, larger organizations might have up to 36 months before full adoption.
We’ve identified a few steps businesses can take toward a painless transition:
- Follow cybersecurity best practices: There are countless guides and operational frameworks to get familiar with. Follow guidelines on ICT risk management and outsourcing arrangements.
- Improve system defenses: Installing firewalls, adopting security measures, enforcing good password hygiene, and offering cyber awareness training programs to your personnel will help. Also, it’s a good idea to tap into the world of email security protocols if you haven’t already.
- Conduct tests to identify security issues: Penetration testing can be a potent tool for discovering gaps in your systems and day-to-day operations.
- Identify your core assets for better management: When you know what assets you have, you’ll be able to appoint the right roles for their management and provide constant monitoring.
- Set up a mindset for fast reporting practices: Having the roles and processes at hand will make it much easier to produce the relevant incident reports promptly.
DORA implementation is closer than you think. Although it’ll bring new and specific reporting and information sharing regulations, having proper cybersecurity practices from the start will speed up integration. Find out how our hosted DMARC service can help you achieve just that while keeping your email secure.