Your DORA Questions Answered

Stryve’s CISO and DORA-certified compliance specialist, Paul Delahunty, answers the top questions asked at our recent DORA event.

Earlier this year, we hosted a webinar where we discussed all things DORA, from how to comply with it to why the legislation is being introduced. Hosted by our CISO and DORA-certified compliance specialist, Paul Delahunty, and cyber-governance expert, Róis Ní Thuama, we were joined by over 200 attendees to discuss the new piece of legislation on everyone’s lips.

With the countdown on, our clients and attendees had questions. In this blog, Paul breaks down some of the most common questions and offers his insights.

Q: What is the likelihood of DORA being extended beyond the FS supply chain to e.g. retail, B2B, e-commerce etc and how soon do you think it will apply to all sectors?

Paul: While there is no guarantee that it will apply to all sectors, this is the most logical next step for the EU. The purpose of this act is to ensure that there is operational resilience across the EU, and it is easy to see how this same approach will be rolled out across different industries. DORA is conceived in a way that would make it easy to expand its reach which will mean that rolling it across other sectors shouldn’t require the EU to go back to the drawing board.

Part of the reason behind its inception was to address the risk of a liquidity crisis across the EU. Leaders were worried about the snowball effect that a large-scale attack could have on the financial sector. Given the current geopolitical climate, it is easy to see how certain actors would benefit from weakening the EU in this way. However, this is not a risk that is confined to the financial sector alone.

Regarding when it will be rolled out, that is a more difficult question to answer. It could be within the next 2 or 3 years or the next 10 years. The EU won’t wait around forever but certain factors, such as a large-scale attack on a particular industry, may accelerate its expansion. Although it is almost impossible to say exactly when DORA will be expanded, I am confident that its remit will eventually move beyond the financial sector.

Q: What are the technical functional requirements for IT infrastructure environments? I see references to a lot of existing practices that organisations in the financial sector are already carrying out; will this change with DORA?

Paul: Something that is critical to understand about DORA is that it is not trying to overhaul current practices within the financial sector. It does introduce some new elements, for example, reporting, and ensuring that financial institutions can talk to each other without having regulatory precautions preventing this, but from a technical perspective, it is certainly not reinventing the wheel.

At its core, DORA is about operational resilience and requires companies to do what they can to mitigate reasonably identifiable risks. This is the same stuff most of us have been doing for years and will continue to do. One of the key things to understand is that what is reasonably identifiable may change over time. For example, some of the threats posed by AI may now be considered reasonably identifiable despite the fact that nobody was talking about them three years ago.

At the end of the day, DORA is not trying to catch you out. Its aim is simply to ensure that if there is a major coordinated attack, our financial institutions don’t just fall over. The question is then, as a critical ICT provider, what do you need to do to prevent and mitigate this? It may be backups, a pen test, or both. Maybe it’s something else. However, one thing that’s certain is it will be the same stuff we have been peddling for a long time.

Q: I understand upwards of 6 – 8 Regulatory Technical Standards (RTS) won’t be published until mid-year. How worried should we be?

Paul: Not very worried! The main takeaway when it comes to DORA is that EU leaders and legislators want to ensure that companies are getting the basic stuff right. There is a big emphasis in DORA on taking reasonable precautions and ensuring that you are addressing risks that can be reasonably identified.

Practically speaking, this means that any RTS that are published will likely only offer more detail on what we already know. There really is not much to worry about because these RTS will only enhance your understanding of the measures you should already be taking. They certainly won’t take you off 180 degrees in the opposite direction!

Q: With DORA is there going to be a reliance on third-party cloud providers to be more actively involved (read: responsible) in the ICT incident management of their customers, which could negatively impact a provider’s operational costs?

Paul: Yes, there could be if they are a critical ICT supplier to a financial institution. If this is the case, they do fall under the remit of DORA, and they will be legally obligated to comply with it.

Q: Is DORA applicable to a UK entity?

Paul: DORA is applicable to all critical ICT suppliers to EU financial institutions. Regardless of whether the company is based in the EU or not, if it meets these criteria, it will be bound by DORA.

The follow-up question to this is often “is it better to choose a critical ICT supplier that is based in the EU”? There is no regulatory necessity to do so – because, assuming you are an EU financial institution, your ICT supplier will be bound by the legislation regardless – but practically, it is often easier to opt for an EU supplier.

This is because they will likely be more familiar with the legislation which in turn will likely make ensuring compliance simpler.

Q: Is there a compliance or certification path for DORA? Does this align with current frameworks such as ISO 27001 or SOC 2 etc?

Paul: No, there is not. Like the GDPR, DORA does not come with a compliance or certification path. However, if you are following other compliance paths or adhering to another standard, for example, ISO 27001, there will be a crossover in what is required there and what DORA requires. DORA will likely have additional requirements, but any compliance or certification paths you are already following may help you comply with your obligations under DORA.

Eager to learn more? Check out our guide to understanding DORA here.

Please note that this blog is for educational purposes only and should not be considered legal advice.
