BEYOND THE EU: DORA AND NIS 2 DIRECTIVE’S GLOBAL IMPACT
The implications of the Digital Operational Resilience Act (DORA) and the NIS 2 Directive extend well beyond the European Union, because organizations outside the EU that serve or supply entities in scope are affected as well. This webinar explored the impact of DORA and NIS 2 on organizations and how the two frameworks can be used not only for compliance, but also as arguments for marketing and competitive advantage.
The speakers also discussed strategies for using these regulatory frameworks to secure additional security budget. In the article below, the speakers, Christophe Mazzola and Malcolm Xavier, answer questions raised on the topic:
Q: Is there a DORA Lead Manager certification available for professionals?
A: Yes, the DORA Lead Manager certification is now available and has been officially launched by PECB. This certification is accessible online, providing professionals with the opportunity to enhance their expertise in managing digital operational resilience under the DORA framework.
Q: Should all internal communications between network assets be encrypted?
A: Yes, encrypting all internal communications between network assets is essential. This practice is a fundamental security measure that helps protect sensitive data and communications from unauthorized access and ensures compliance with various cybersecurity standards and regulations.
Q: Who is eligible to assess the three criteria for determining if financial services fall within the scope of DORA?
A: The assessment of whether financial entities meet the criteria to fall within DORA's scope is primarily the responsibility of National Competent Authorities (NCAs) within each EU member state.
These authorities play a crucial role in the oversight and enforcement of DORA, ensuring that entities adhere to the necessary standards to uphold digital operational resilience across the financial sector.
B: In addition to NCAs, the European Supervisory Authorities (ESAs) — including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — also play a supportive role.
Q: Is there a preferred Risk Management framework for DORA or NIS 2?
A: DORA does not prescribe a specific risk management framework that must be adopted by financial entities. It is generally advantageous to continue utilizing your existing risk management framework to integrate DORA’s requirements. This approach leverages your current systems and practices, facilitating a more efficient and cost-effective implementation.
B: By building on the established risk management framework, you not only save time and resources but also enhance your existing procedures without the complexity of introducing a new framework. This continuity allows for a smoother transition and adaptation to meet DORA’s regulatory requirements, ensuring compliance while maintaining operational consistency.
Q: Can you share the practical steps for implementing DORA?
A: Implementing the Digital Operational Resilience Act (DORA) in an organization can be structured similarly to how one might approach implementing ISO/IEC 27001, focusing on structure, governance, and a continuous improvement cycle. Here are practical steps for implementing DORA:
1. Context and Scope
- Define the Context: Understand the external and internal factors that can impact the organization’s resilience, such as regulatory requirements, market conditions, and technological advancements.
- Establish Scope: Clearly define the scope of the DORA implementation. This should include all systems, processes, and departments that are crucial for the operational resilience of the organization, especially those that are directly involved in the financial sector, if applicable.
2. Leadership and Commitment
- Top Management Involvement: Ensure that top management is actively involved in establishing, maintaining, and improving digital resilience.
- Policy Development: Develop a set of policies that align with the organization’s overall business objectives and regulatory requirements.
3. Planning
- Risk Assessment: Identify risks related to digital operations, including cyber threats, data breaches, system outages, and third-party risks. Assess their likelihood and impact to prioritize them.
- Objectives and Planning to Achieve Them: Set clear resilience objectives based on the risk assessment. Plan actions to address these risks and integrate them into the organization’s overall risk management process.
4. Support
- Resources: Allocate appropriate resources for implementing and maintaining operational resilience. This includes staffing, technology, information, and financial resources.
- Competence: Ensure that all personnel involved in critical digital operations are competent and understand their roles in maintaining resilience.
- Awareness and Communication: Promote awareness about digital operational resilience across the organization. Communicate policies and procedures to relevant parties both internally and externally.
5. Operation
- Operational Planning and Control: Implement the planned actions and controls to manage and mitigate identified risks. This includes deploying cybersecurity measures, business continuity management, and incident response capabilities.
- Change Management: Manage changes to digital operations systematically to avoid introducing new vulnerabilities.
6. Performance Evaluation
- Monitoring, Measurement, Analysis, and Evaluation: Regularly monitor and measure the efficiency of the resilience measures. Analyze data collected from monitoring and audits to evaluate the effectiveness of the digital operational resilience framework.
- Internal Audit: Conduct internal audits to independently assess whether the resilience processes conform to planned arrangements and are effectively implemented and maintained.
- Management Review: Hold management reviews at planned intervals to ensure the continuing suitability, adequacy, and effectiveness of the operational resilience management system.
7. Improvement
- Nonconformity and Corrective Action: When nonconformities occur, react to them appropriately, and take corrective actions without delay. Modify the resilience management system if necessary.
- Continual Improvement: Continuously improve the suitability, adequacy, and effectiveness of the digital operational resilience management system.
Q: Do DORA and NIS 2 affect SBOMs?
A: DORA does not directly address software composition (like SBOMs do) but mandates that financial entities must manage and mitigate risks related to their digital operations, which could indirectly involve understanding the components of their software for security purposes.
B: You can use a set of metrics to measure software development performance, including deployment frequency, lead time for changes, time to restore service, and change failure rate. While DORA metrics help organizations assess their DevOps practices, they do not specifically impact or dictate the use of SBOMs. However, good DevOps practices could include the use of SBOMs for better visibility into the components that make up software applications.
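The "visibility into the components that make up software applications" mentioned above can be made concrete with a small inventory-and-policy check over an SBOM. The following is an added example, not code from the webinar, PECB or the speakers; the CycloneDX document, the package versions and the minimum-version policy in it are constructed for illustration and say nothing about the security of any real package.

```python
"""Inventory a CycloneDX SBOM and check it against an internal component policy.

Added example; not code from the webinar, PECB or the speakers. The SBOM text,
package versions and policy thresholds below are constructed for illustration.
"""
import json
import re

# Constructed CycloneDX 1.5 document for a hypothetical "payments-api" service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "payments-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "pyyaml", "version": "5.1",
     "purl": "pkg:pypi/pyyaml@5.1"},
    {"type": "library", "name": "cryptography", "version": "41.0.7",
     "purl": "pkg:pypi/cryptography@41.0.7", "licenses": [{"license": {"id": "BSD-3-Clause"}}]}
  ]
}
"""

# Hypothetical internal policy (an assumption, not a DORA/NIS 2 requirement and not
# a statement about any real package): lowest version allowed, keyed by package purl.
MIN_VERSIONS = {
    "pkg:pypi/pyyaml": "6.0",
    "pkg:pypi/cryptography": "42.0.0",
}


def parse_version(version):
    """Turn '41.0.7' into (41, 0, 7). Only the leading digits of each piece count,
    so '1.2rc1' compares as (1, 2); adequate for the simple versions used here."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly lower than b, padding so that '6' == '6.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def inventory(sbom_text):
    """Flatten the SBOM's components into plain records: name, version, purl, licenses."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    records = []
    for comp in sbom.get("components", []):
        licenses = [
            entry["license"].get("id") or entry["license"].get("name")
            for entry in comp.get("licenses", [])
            if "license" in entry
        ]
        records.append({
            "name": comp["name"],
            "version": comp.get("version", ""),
            "purl": comp.get("purl", ""),
            "licenses": licenses,
        })
    return records


def check_policy(components, min_versions):
    """Return findings: components below the policy's minimum version, and
    components with no license declared (a gap the SBOM cannot answer for)."""
    findings = []
    for comp in components:
        base = comp["purl"].split("@", 1)[0]   # pkg:pypi/pyyaml@5.1 -> pkg:pypi/pyyaml
        floor = min_versions.get(base)
        if floor and version_lt(comp["version"], floor):
            findings.append({"name": comp["name"], "rule": "min_version",
                             "detail": f"{comp['version']} < required {floor}"})
        if not comp["licenses"]:
            findings.append({"name": comp["name"], "rule": "missing_license",
                             "detail": "no license recorded in SBOM"})
    return findings


if __name__ == "__main__":
    for finding in check_policy(inventory(SBOM_JSON), MIN_VERSIONS):
        print(f"{finding['rule']:16} {finding['name']:14} {finding['detail']}")
```

In practice the policy table would be fed from a vulnerability or licensing feed rather than hand-written, and the check would run in CI on the SBOM produced by the build; the structure stays the same.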
Q: Can you provide additional guidelines for secure development? What should developers be mindful of?
A: I have decided to share with you what I consider “golden rules” when working with developers. This is my personal template of guidelines that I implement when I start a mission with a client:
- Minimize Risks: Always consult experts, monitor closely, and test thoroughly when in doubt.
- Notification: Inform your manager and security representative immediately if you cannot follow the rules.
- Impact Assessment: Evaluate the effects of code changes on application features, customers, security, and performance.
- Prioritize Security: Keep security and privacy at the forefront to protect user access and data.
- Data Protection: Obtain permission to handle real customer data and avoid storing sensitive information in code.
- Optimize Performance: Consider performance implications and plan for capacity testing.
- User-Centric Approach: Focus on the end-user experience to ensure application quality.
- Data Model Validation: Validate any changes to the data model with the database lead.
- Align with Business Needs: Collaborate to ensure business requirements are met without compromising technical standards.
- Modular Development: Break down changes into manageable parts to streamline development and testing.
- Documentation: Record all changes clearly in an issue tracking system like JIRA for transparency.
- Management Approval: Secure management approval before implementing changes to align with organizational goals.
- Code Reviews: Conduct independent code reviews to ensure proper coding practices and maintain quality.
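Of the rules above, "avoid storing sensitive information in code" is the one most easily backed by an automated check that runs before a change reaches code review. The scanner below is an added example and not part of the speaker's template; its patterns are illustrative assumptions rather than a complete rule set, and the sample source it scans is constructed (the AWS key in it is the example value from AWS documentation, not a live credential).

```python
"""Flag secrets committed in source, backing the "avoid storing sensitive
information in code" rule. Added example, not part of the speaker's template;
the patterns are illustrative assumptions and the sample source is constructed.
"""
import math
import re
from collections import Counter

# Illustrative rules (an assumption, not an exhaustive or vendor-maintained list).
# Where a rule has a capturing group, that group isolates the secret value itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']"""),
}

# Constructed sample source; lines marked "flagged" are the ones a scan should report.
SAMPLE_SOURCE = '''\
import os
db_password = os.environ["DB_PASSWORD"]  # fine: read at runtime
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"  # flagged: literal key (AWS docs example value)
api_key = "${API_KEY}"  # fine: placeholder substituted at deploy time
SLACK_TOKEN = "xoxb-not-a-real-token-1234567890"  # flagged: token literal (constructed)
ssh_key = "-----BEGIN OPENSSH PRIVATE KEY-----"  # flagged: key material inline
'''


def shannon_entropy(value):
    """Bits of entropy per character; real credentials tend to score high,
    human-chosen placeholders low. Reported to help triage, not used to filter."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def is_placeholder(value):
    """Templated values and well-known dummy strings are not secrets."""
    return value.startswith(("${", "{{", "<", "%(")) or value.lower() in {
        "changeme", "password", "example", "redacted"}


def redact(value):
    """Keep a short prefix so the finding can be matched to the file, nothing more."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text, patterns=PATTERNS):
    """Run every pattern over every line; return findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in patterns.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.lastindex else match.group(0)
                if is_placeholder(value):
                    continue
                findings.append({
                    "line": lineno,
                    "rule": rule,
                    "value": redact(value),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']:>3}  {finding['rule']:18} "
              f"{finding['value']}  (entropy {finding['entropy']})")
```

Wired into a pre-commit hook or a CI job, a check like this catches the accidental case; it does not replace a dedicated secret-scanning tool with a maintained rule set, and any credential it does find should be rotated, not merely deleted from the file, since it is already in the repository history.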
Q: Under DORA, which entity can determine if they are not within the scope of financial services?
A: Individual entities do not have the autonomy to decide whether they are within the scope of the regulation. Instead, this determination is primarily the responsibility of the national competent authorities (NCAs) within each EU member state. These authorities assess whether financial entities meet the criteria set out in DORA based on the nature, scale, and complexity of their services, as well as their significance to the financial system.
Q: What are the specific criteria for a company to be considered an “essential service operator” under the NIS 2 Directive or a “financial entity” under DORA?
A: This comprehensive legislation, as outlined in Article 2, applies to a diverse array of 21 types of financial entities.
It is imperative for these entities to discern whether they fall under DORA’s scope to ensure appropriate compliance strategies are in place. The entities encompassed are:
- Credit Institutions: These are traditional banks and similar financial institutions that offer credit facilities.
- Payment Institutions: This category includes all institutions engaged in payment processing, including those exempted under Directive (EU) 2015/2366 (PSD2).
- Account Information Service Providers: Entities that provide consolidated information on one or more payment accounts.
- Electronic Money Institutions: Including those exempted under Directive 2009/110/EC (EMD2), these institutions issue and manage electronic money.
- Investment Firms: Firms involved in securities trading and related services.
- Crypto-Asset Service Providers and Issuers of Asset-Referenced Tokens: Entities dealing with cryptocurrencies and related financial products.
- Central Securities Depositories: Institutions that hold and administer securities and enable securities transactions to be processed.
- Central Counterparties: Entities that facilitate transactions between various entities in the financial markets.
- Trading Venues: This includes stock exchanges and other platforms where financial instruments are traded.
- Trade Repositories: Entities that maintain records of derivatives contracts.
- Managers of Alternative Investment Funds: Entities managing investments in alternative assets.
- Management Companies: Companies that manage investment funds.
- Data Reporting Service Providers: Entities providing data and reporting services in financial markets.
- Insurance and Reinsurance Undertakings: Companies involved in insurance and reinsurance businesses.
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Agents and brokers in the insurance market.
- Institutions for Occupational Retirement Provision: Entities managing occupational pension schemes.
- Credit Rating Agencies: Agencies that provide credit ratings for various financial entities.
- Administrators of Critical Benchmarks: Entities responsible for setting benchmarks that are critical to financial markets.
- Crowdfunding Service Providers: Platforms that facilitate crowdfunding for various purposes.
- Securitization Repositories: Entities dealing with the documentation and reporting of securitizations.
- ICT Third-Party Service Providers: Providers of information and communication technology services to financial entities.