IT Brief UK - Technology news for CIOs & IT decision-makers

EU to enforce DORA resilience act from 17 January 2025

Today

Perforce has developed a DORA Fact Sheet highlighting 10 key facts that every organisation should be aware of regarding the Digital Operational Resilience Act (DORA) enforced by the European Union.

The European Union is set to begin enforcing DORA on 17 January 2025, aiming to enhance the resilience of the financial sector against cyber threats and other disruptions. Though DORA specifically targets the EU, its implications are expected to extend to companies based in the United Kingdom and internationally, particularly those operating within the EU.

One of the primary considerations is that DORA is not solely a technological issue but a broader corporate matter necessitating attention from business leaders. Oversight for creating, delivering, and continuously executing risk management frameworks falls upon C-suite executives or other business leaders. Hence, organisational leaders bear direct accountability for compliance failures.

DORA affects a wide spectrum of organisations beyond traditional banks, including technology firms and cryptocurrency companies within the financial sector in the EU. Third-party entities providing technology-related services must also comply, ensuring that their financial services clients meet DORA regulations.

The global reach of DORA means that organisations, such as those based in the United States, offering services in the EU must adhere to the law. This necessitates reporting incidents within four hours of detection, detailing the incident and subsequent actions to all affected parties.

Compliance with DORA demands a continuous and sustainable effort rather than a one-time setup, requiring ICT risk management frameworks capable of evolving over time. In this regard, DORA is akin to the General Data Protection Regulation (GDPR) in terms of its breadth, implications, and potential consequences for non-compliance.

DORA is structured around five central pillars: risk management, incident management and reporting, third-party risk management, digital operational resilience testing, and information assurance testing. Each pillar sets out the robust measures needed for comprehensive digital operational resilience.

Organisations are required to establish plans that adequately protect sensitive data, such as personally identifiable information and payment data. Much of this sensitive data resides in non-production environments, making it vulnerable without stringent protective processes.

There is a renewed emphasis on third-party risk management. Organisations must now consider their entire supply chain in light of these new guidelines established in 2023.

DORA underscores the importance of resilience, focusing on an organisation's capacity to recover rapidly from incidents, differentiating it from other legislative frameworks like NIS2.

Starting with a strong DevOps foundation is suggested as a pivotal step towards successful DORA compliance. Perforce recommends several best practices based on its experience and customer feedback.

Creating sustainable risk management frameworks with automated, repeatable processes is essential for fast responses to regulatory changes and threats. Protecting sensitive data in non-production environments is critical, as these often contain more sensitive information than production environments.

Static data masking is advised to ensure privacy in non-production settings, allowing realistic data without divulging confidential information. Organisations should prioritise rapid recovery capability from cyberattacks or outages, scaling up recovery efforts efficiently without extensive manual intervention.

Perforce also suggests implementing an agent-based approach for continuous compliance, facilitating rapid infrastructure updates. The adoption of a shift-left strategy, incorporating security and compliance into early processes and team practices across the entire software lifecycle, is encouraged.

Examining the entire supply chain is crucial, ensuring that all parties within the chain adhere to the DORA framework to prevent downstream issues, as illustrated by cases such as the CrowdStrike incident. Organisations are reminded that achieving DORA compliance requires collective effort and strategic planning across all involved entities.
