AI in banking: from data to revenue
Watch our free webinar, “AI in Banking: From Data to Revenue,” to explore how AI is transforming the BFSI industry.
Discussing the complexities of DORA compliance: key data challenges and strategic solutions.
In 2024, data breaches have cost businesses an average of $4.45 million, emphasizing the critical need for robust cybersecurity measures. As of January 17, 2025, the Digital Operational Resilience Act (DORA) will come into effect, creating a unified framework to ensure financial entities within the EU can withstand, respond to, and recover from all ICT-related disruptions and threats.
As financial institutions prepare for the January 2025 compliance deadline, they face numerous data-related challenges. These challenges span various domains, including ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. Understanding and addressing these pain points is crucial for achieving compliance and safeguarding against emerging cyber threats.
This article explores the main data pain points in achieving DORA compliance. It also offers strategies to overcome them. These strategies ensure strong operational resilience in a more digital world.
DORA is a regulation established by the European supervisory authorities to enhance financial entities’ digital operational resilience. Its primary goal is to ensure these entities can effectively manage and mitigate risks associated with Information and Communication Technology (ICT) systems.
EU member states present DORA and set a comprehensive framework to safeguard financial institutions from ICT-related disruptions, including cyber-attacks, system failures, and data breaches. This is particularly important considering the financial sector suffered more than 20,000 cyberattacks totaling $12 billion in losses over the past two decades (see Fig. 1).
Figure 1. Financial sector cyber incidents and losses 2004-2023
DORA requirements apply to various EU financial institutions and their critical ICT third-party service providers. These are the most important ones to mention:
DORA aims to standardize ICT risk management across these diverse entities. It will ensure a consistent and strong approach to cyber resilience and digital finance.
DORA sets forth a unified framework designed to strengthen the digital operational resilience of financial institutions within the EU financial sector. This regulation mandates comprehensive measures across several key pillars, ensuring financial entities can effectively manage and mitigate ICT-related risks, enhancing their ability to withstand and recover from disruptions and prevent cyber risks.
Such an EU regulation like DORA mandates that financial institutions establish a comprehensive ICT risk management framework. This framework should cover all aspects of identifying, assessing, and mitigating ICT risks. The regulation requires entities to:
For example, a bank might deploy advanced intrusion detection systems to monitor for unauthorized access attempts and have protocols in place for immediate response and mitigation.
Effective incident management is an aspect of DORA proposal that tries to make EU financial services as secure as possible. Financial entities must establish robust systems to detect, report, and respond to ICT-related incidents. This includes:
For example, if a payment service provider experiences a data breach, they must quickly identify, contain, notify affected parties, and report the incident to regulatory bodies.
DORA legislation requires regular digital operational resilience testing to ensure financial entities can withstand and recover from ICT disruptions. Such a digital finance strategy involves:
For example, an insurance company might simulate a ransomware attack to test its ability to restore data from backups and maintain operations without significant downtime.
Given the reliance on external ICT service providers, DORA emphasizes the need for stringent third-party risk management when offering digital services. As a result, financial entities must:
For example, a hedge fund working with a cloud service provider would regularly audit the provider’s security practices and have clear terms in the contract regarding incident response and data protection.
DORA encourages financial entities to share information about cyber threats and vulnerabilities to enhance collective security. This includes:
For example, a consortium of banks might share details about a new phishing attack they encountered, allowing others to update their defenses accordingly.
Financial institutions can significantly enhance their ICT risk management, incident response, resilience testing, third-party risk management, and information-sharing capabilities by adhering to the key pillars above. Ultimately, these comprehensive measures ensure robust operational resilience, safeguarding against various ICT-related disruptions and threats.
As financial entities strive to meet the January 2025 compliance deadline, they encounter numerous data-related challenges. These challenges span across the key pillars explored earlier and are vital in the race to comply with DORA. Understanding and addressing these pain points is essential for achieving compliance and safeguarding against ICT-related disruptions. Let’s look at the ins and outs of central data pain points in achieving DORA compliance and setting the foundation for the secure digital transformation.
As indicated, ICT risk management is a key part of DORA compliance. It requires financial institutions to find, judge, and lessen risks from their ICT systems. Yet, when doing so, financial entities face some major obstacles.
Identifying and assessing ICT risks is a fundamental requirement of DORA. But, it presents significant challenges. Financial institutions must conduct thorough risk assessments to uncover all potential vulnerabilities within their ICT systems.
Thoroughly identifying and assessing ICT risks helps financial institutions. It lets them proactively address potential weaknesses. This forms the foundation for robust ICT risk management.
The rapid evolution of cyber threats and technological advancements adds another layer of complexity to risk identification and assessment. As a part of this pain point, one should focus on these aspects:
Keeping pace with evolving cyber threats and new technology is critical. It is key for accurate risk assessment and strong cybersecurity.
Implementing new ICT risk management frameworks that comply with DORA can be challenging, especially when integrating them with existing systems. In this matter, financial entities face several difficulties:
Doing new risk management requires planning. One must consider old systems and potential disruptions. As an outcome, the process takes more time and relies on additional resources.
Managing ICT risks under DORA presents financial entities with significant challenges. These tasks require substantial effort and resources, from identifying and assessing a broad spectrum of risks to integrating new frameworks with existing systems.
Incident management and reporting are crucial components of DORA compliance. Financial institutions must establish robust systems to detect, report, and respond to ICT-related incidents promptly and effectively. Here, let’s explore the challenges of building these systems.
One of the primary requirements of DORA is the timely and accurate reporting of ICT-related incidents. In a nutshell, it must these aspects should be in play:
Robust incident reporting systems let banks respond quickly to incidents. The speed of response often depends on the quality of detection and precision of documentation.
Detecting threats in real time and reporting them promptly is not a small feat. Naturally, it comes with several key pain points:
Managing incident reporting and response under DORA presents significant challenges for financial institutions. These tasks require substantial effort and coordination, from establishing systems for timely and accurate reporting to coordinating across various teams for faster incident response.
Digital operational resilience testing is essential for ensuring financial institutions can withstand and recover from ICT-related disruptions.
Regular and comprehensive resilience testing is crucial for maintaining a robust security posture. The overall process must include these activities:
Essentially, regular resilience testing ensures financial institutions can keep strong defenses. It also helps them respond fast to threats.
To anticipate threats, companies often need to simulate incidents and cyberattacks. Yet, simulating realistic cyber-attack scenarios presents several challenges.
Addressing the complexity and resource intensity of simulating realistic cyber-attacks is crucial for effective resilience testing.
A key pain point is balancing thorough testing and minimizing operational disruptions. In such a context, the
Digital operational resilience testing is essential for ensuring DORA compliance and maintaining robust cybersecurity defenses. While conducting regular and comprehensive tests, financial institutions must navigate challenges such as simulating realistic cyber-attacks and balancing thorough testing with operational continuity.
With DORA, financial institutions must ensure that their ICT service providers meet stringent security and resilience standards. Doing that can be a challenging task in itself. Here is why:
Conducting thorough due diligence and risk assessments of third-party ICT providers is vital to ensure they meet required security standards.
Thorough due diligence and risk assessments help third-party providers meet security standards and mitigate potential risks.
Managing relationships with multiple third-party providers can be complex and resource-intensive. It definitely requires more attention and resources.
Effective coordination and resource allocation are essential for managing multiple third-party provider relationships. Otherwise, one can face a situation when DORA noncompliance of a third-party provider affects everyone involved. Overall, effective third-party risk management is essential for maintaining compliance with DORA and ensuring the security and resilience of financial institutions.
Information sharing is a key component of DORA compliance. Financial institutions must collaborate to enhance collective security while balancing data privacy needs.
Collaborative cybersecurity efforts are crucial for staying ahead of emerging threats. This involves:
Establishing secure information-sharing channels enables financial institutions to stay ahead of emerging threats and enhance collective security.
Several barriers can hinder secure and efficient information sharing, including:
Addressing data sensitivity and building trust is essential for effective and secure information sharing. Financial institutions can collaborate effectively while safeguarding data privacy by establishing secure information-sharing channels and implementing robust data protection measures.
With years of experience in setting and maintaining robust security infrastructures for Europe’s leading financial companies Avenga’s experts can guide you on your way toward DORA compliance.
After reviewing the key data pain points, it is time to look at the brighter side. Overcoming the data pain points in achieving DORA compliance requires implementing effective strategies across various aspects of ICT risk management, incident response, resilience testing, third-party risk management, and information sharing. Let’s outline practical approaches to enhance these areas and ensure robust compliance with DORA.
A comprehensive ICT risk management framework is essential for identifying, assessing, and mitigating risks. Developing a holistic approach that covers all aspects of ICT risk, including cyber threats, system failures, and data breaches, is crucial.
This framework should integrate seamlessly with existing risk management processes to be effective. Continuous improvement is also vital, which means regularly updating the framework to address new threats and vulnerabilities as they emerge. A well-rounded and continuously improving ICT risk management framework is crucial for maintaining robust security.
Effective incident management requires well-defined response teams and protocols. This involves forming dedicated incident response teams with clearly defined roles and responsibilities.
Developing standardized protocols for different incidents also ensures a coordinated and effective response. Clear roles and standardized protocols enhance the efficiency and effectiveness of incident management.
Automation can significantly enhance the speed and efficiency of incident detection and reporting. Deploying automated systems to monitor for signs of incidents and trigger alerts continuously is essential.
Furthermore, using automated tools to generate and submit incident reports to regulatory authorities quickly and accurately streamlines the reporting process. Here are some of the instruments to consider:
Automation improves incident detection and reporting speed and accuracy, enhancing overall incident management.
Frequent and varied resilience tests are crucial for ensuring operational robustness. Scheduling regular resilience tests, including penetration testing, disaster recovery drills, and tabletop exercises, is vital.
Test against many scenarios. Ensure preparedness for different disruptions. Regular and varied testing offers comprehensive preparedness and identifies potential vulnerabilities.
Integrating findings from resilience tests into operational improvements is essential for continuous enhancement. Analyze test results to identify weaknesses and areas for improvement to get actionable insights.
Based on these findings, implement necessary changes to policies, procedures, and technologies. Using test results to inform operational improvements provides continuous enhancement of security measures.
Effective third-party risk management starts with rigorous vetting and continuous monitoring. Conducting thorough due diligence before engaging third-party providers ensures they meet security standards.
Monitoring third-party performance and compliance through regular audits and assessments is also crucial. Rigorous vetting and continuous monitoring are key to managing third-party risks effectively.
Strong contractual agreements are essential for managing third-party risks. Include specific clauses defining security requirements, performance metrics, and incident response protocols in contracts with third-party providers.
In addition, establishing clear exit strategies ensures a smooth transition if a third-party provider fails to meet security standards. Clear and detailed contractual agreements help mitigate third-party risks and ensure smooth transitions if needed.
Secure platforms for information sharing enhance collective cybersecurity efforts. Developing or using existing secure platforms for exchanging threat intelligence and best practices is fundamental. Implementing robust access controls ensures that only authorized personnel can share and access information.
Promoting a culture of transparency and collaboration is vital for effective information sharing. Encourage all stakeholders to participate actively in information-sharing initiatives to foster a collaborative environment. Establish trust among institutions to ensure shared information is used responsibly and securely. A culture of transparency and trust equals effective collaboration in cybersecurity.
Financial institutions can address data challenges and meet DORA compliance by following these strategies. This includes enhancing risk management practices, improving incident response capabilities, strengthening resilience testing programs, optimizing third-party risk management, and facilitating effective information sharing to build a more resilient and secure operational framework.
Remember, being proactive about following the rules and preparing for potential issues to benefit from DORA is important. Make sure to comply with regulations early and thoroughly to improve overall security. Keep up with regular reviews and updates to maintain operational resilience. Taking a proactive approach will help institutions better prepare for threats and minimize the impact of disruptions in ICT.
Understanding and addressing key data pain points in achieving DORA compliance can help build a resilient and secure operational framework. Embracing advanced technologies, fostering transparency and collaboration, and prioritizing continuous learning will be crucial for navigating future regulatory developments.
For expert assistance in achieving DORA compliance, contact Avenga. Our team can help you navigate the complexities and ensure your institution is fully prepared.
* US and Canada, exceptions apply
Ready to innovate your business?
We are! Let’s kick-off our journey to success!