DORA: Building Operational Resilience Through ICT Incident Management

July 29, 2024

Jaco Dreyer

Introduction 

Cyberattacks are a constant threat, and financial organisations need robust defences. Traditionally, reporting ICT incidents has been a cumbersome process, often involving multiple regulatory bodies. DORA (the Digital Operational Resilience Act) aims to streamline this process, offering a much-needed solution for financial organisations. The benefits are clear: a streamlined system for reporting simplifies the process for a more coordinated defence against increasingly sophisticated cyberattacks. 

Reporting Requirements Under DORA 

The EU recognises the burden of multiple reporting channels that financial institutions have traditionally faced. DORA establishes a consistent set of categories for classifying incidents across member states. This means clear and easy-to-understand reporting categories, eliminating confusion, and ensuring consistent information across jurisdictions. This streamlined system benefits entities already familiar with similar frameworks. 

Focus on Impact 

DORA prioritises reporting based on impact and potential spread (“contagion risk”). This ensures authorities receive critical information quickly, allowing for a swift response to contain widespread attacks. Tight deadlines for reporting further emphasise the importance of having clear procedures already in place for managing incidents. 

Benefits of a Standardised Classification System 

DORA’s standardised classification system offers several advantages for financial organisations: 

  • Improved Trend Analysis: Consistent categorisation of incidents allows for better identification of emerging threats and trends. This enables financial organisations to proactively address vulnerabilities and refine their cyber defences. 
  • Enhanced Resource Allocation: By understanding the severity and impact of incidents, organisations can allocate resources more effectively during incident response, prioritising them towards major incidents with the potential for widespread disruption.
  • Benchmarking and Collaboration: Standardised classification facilitates industry-wide data sharing and benchmarking. This allows organisations to compare their incident experience with peers and learn from each other’s response strategies. 

Compliance Steps for Financial Organisations 

To ensure compliance with DORA’s incident management requirements, financial organisations can take several steps: 

  • Define Roles and Responsibilities: Establish a clear chain of command for incident response, assigning roles and responsibilities for detection, investigation, containment, and recovery activities. 
  • Develop Communication Procedures: Implement clear communication protocols for internal and external stakeholders during an incident. This ensures timely notification of relevant parties and minimises confusion. 
  • Document Processes: Document all aspects of the incident management process, including detection procedures, classification criteria, escalation protocols, and reporting templates. This ensures consistency and facilitates training. 
  • Regular Testing and Training: Regularly test incident response procedures to identify weaknesses and ensure they are effective in practice. Train staff on incident identification, reporting procedures, and their roles in the response plan. 

Regulatory & Implementing Technical Standards 

DORA establishes a framework for ICT incident management, but the specifics of reporting and classification are still under development. This section explores the upcoming Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that will provide further guidance for financial organisations. 

Focus on Classification: Criteria for Major ICT Incidents 

DORA mandates financial organisations to establish procedures for detecting, managing, and notifying ICT-related incidents. The proposed RTS on classification criteria provide a two-step approach to determine if an incident qualifies as “major” and requires mandatory reporting: 

Step 1: Critical Services Impact: The first step assesses whether the incident affects critical services of the financial organisation. Critical services are those that support critical or essential functions or authorised financial services; an incident that involves successful unauthorised access to the organisation’s network is also caught at this step. 

Step 2: Additional Thresholds: If critical services are impacted, the financial organisation considers two additional criteria: 

  • Malicious Access: Was there any malicious unauthorised access to network and information systems? 
  • Thresholds Met: Do at least two of the following additional criteria reach specific thresholds set by the European Supervisory Authorities (ESAs)? 
      • Clients, Counterparts, and Transactions: A significant number of clients, financial counterparts, or transactions are affected (e.g., 10% of clients or transactions, 30% of counterparts, or over 100,000 clients impacted) 
      • Data Losses: Any impact on data availability, authenticity, integrity, or confidentiality that could harm business objectives or regulatory compliance 
      • Reputational Impact: Damage to reputation due to media attention, complaints, regulatory failures, or client/counterpart loss (no quantitative thresholds) 
      • Duration and Service Downtime: The incident lasts more than 24 hours, or critical service downtime exceeds two hours 
      • Geographical Spread: The incident significantly impacts clients, counterparts, branches, financial organisations, or third-party providers in at least two EU member states 
      • Economic Impact: The incident incurs (or is likely to incur) direct and indirect costs exceeding EUR 100,000 

If any malicious access is identified, or at least two of the additional criteria are triggered, the incident is classified as major. Financial organisations must then submit an initial notification to the relevant competent authority. Intermediate and final reports are also required throughout the incident’s lifecycle. 
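The two-step test above, written out as a small classifier so that an incident response team can encode the draft thresholds in a runbook tool. This is an added illustration, not code from the article or from the ESAs; the field names are constructed, and where the page gives a figure without saying whether it is inclusive (10%, 30%) the code assumes "at least that share" while "over" and "exceeds" are treated as strict.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    # Step 1 inputs: does the incident touch critical services / involve unauthorised access?
    affects_critical_services: bool
    malicious_access: bool = False
    # Step 2 inputs, one per additional criterion (constructed field names, not the RTS's)
    client_or_tx_share: float = 0.0    # fraction of clients or transactions affected
    counterpart_share: float = 0.0     # fraction of financial counterparts affected
    clients_affected: int = 0
    data_impact: bool = False          # availability/authenticity/integrity/confidentiality
    reputational_impact: bool = False  # no quantitative threshold on the page
    duration_h: float = 0.0
    downtime_h: float = 0.0            # critical service downtime
    member_states: int = 1             # EU member states significantly impacted
    cost_eur: float = 0.0              # direct plus indirect costs


def triggered_criteria(inc: Incident) -> list[str]:
    """Names of the additional criteria whose thresholds (as stated on this page) are met."""
    checks = [
        ("clients_counterparts_transactions", inc.client_or_tx_share >= 0.10
         or inc.counterpart_share >= 0.30 or inc.clients_affected > 100_000),
        ("data_losses", inc.data_impact),
        ("reputational_impact", inc.reputational_impact),
        ("duration_downtime", inc.duration_h > 24 or inc.downtime_h > 2),
        ("geographical_spread", inc.member_states >= 2),
        ("economic_impact", inc.cost_eur > 100_000),
    ]
    return [name for name, hit in checks if hit]


def is_major(inc: Incident) -> tuple[bool, str]:
    """Two-step test from the draft RTS as summarised above; returns (major?, reason)."""
    # Step 1: gate on critical services (successful unauthorised access counts here too).
    if not (inc.affects_critical_services or inc.malicious_access):
        return False, "step 1: no critical service affected"
    # Step 2: malicious access alone, or any two additional criteria, make it major.
    if inc.malicious_access:
        return True, "step 2: malicious unauthorised access"
    hits = triggered_criteria(inc)
    if len(hits) >= 2:
        return True, "step 2: " + ", ".join(hits)
    return False, "step 2: only %d of 6 additional criteria met" % len(hits)
```

The reason string is what you would record alongside the classification decision so that the initial notification, and later audit of it, can show which thresholds drove the call.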

Recurring Incidents and Significant Cyber Threats 

The standards also address recurring incidents and significant cyber threats: 

  • Recurring Incidents: Incidents that individually wouldn’t be classified as major can still be considered major if they occur at least twice within six months, share the same root cause, and collectively meet major incident criteria. Smaller financial organisations are exempt from reporting recurring incidents. 
  • Significant Cyber Threats: DORA requires classifying cyber threats as significant based on their potential risk to critical services. Financial organisations can voluntarily notify relevant authorities about significant cyber threats they believe could impact the financial system, service users, or clients. 

Next Steps: Templates and Third-Party Services 

The remaining sections of the ESAs’ first batch of technical standards address: 

  • Templates for the Register of Information: DORA requires financial organisations to maintain a register of information for all contractual arrangements with third-party ICT service providers. The draft ITS proposes standard templates to make data collection and reporting consistent and straightforward. 
  • Policy on ICT Services Performed by Third Parties: DORA emphasises managing ICT third-party risks. The proposed RTS specifies that financial institutions must establish a clear policy governing the use of ICT services supporting critical or essential functions by third-party providers. This policy ensures financial entities retain control over operational risks, information security, and business continuity throughout the life cycle of such arrangements. 

Based on feedback received in the public consultation, the second batch of technical standards will be finalised and submitted to the European Commission by 17 July 2024. This is exactly six months before DORA will become directly effective across the EU, on 17 January 2025. 

Conclusion 

DORA represents a significant step forward in strengthening the cyber resilience of the financial sector. While some aspects of DORA are still under development, understanding its core principles can significantly benefit financial organisations. By taking proactive steps to improve incident management and communication protocols, organisations can enhance their overall cyber security posture. 

Remember, a cyberattack can happen at any time, and being prepared is crucial. DORA provides a clear roadmap for achieving this goal. Don’t wait until the regulations are finalised – act today to protect your business and your customers’ information. 
