How to achieve DORA compliance?

Lockbit: from Genesis to the Last Judgment

How to Achieve DORA Compliance?

A Guide for Cybersecurity Professionals

In the financial sector, cyberattacks have surged dramatically. Between Q2 2022 and Q2 2023, cyberattacks against financial services companies in Europe more than doubled, increasing by 119%. This alarming trend underscores the urgency of complying with the Digital Operational Resilience Act (DORA). DORA aims to ensure high digital operational resilience for all regulated financial entities. Published in the Official Journal of the EU in November 2022, DORA mandates that financial entities report major ICT-related incidents promptly and comprehensively to supervisory authorities and market participants, enabling a swift and appropriate response within the EU financial system. DORA comes into effect on January 17, 2025, across all EU member states, complementing existing laws such as the Network and Information Security Directive (NISD), NIS2, and the General Data Protection Regulation (GDPR).

DORA introduces a paradigm shift with its focus on “resilience.” Financial sector companies must organize from the outset to manage failures and cyberattacks effectively.

DORA applies to nearly all types of financial entities within the European Union. While banks and insurance companies are the most obvious, many other organizations are also covered under Article 2 of DORA. Furthermore, DORA requires financial entities to manage risks associated with third-party providers, necessitating that these providers also comply with DORA regulations.

Benefits of integrating cybersecurity standards into DORA

Security standards offer globally recognized best practices. Aligning DORA with these standards ensures consistent management of cybersecurity and compliance. Key standards to consider include:

  • NIST Cybersecurity Framework (NIST CSF)
  • CIS Controls
  • ISO 27001 and 27002

Organizations can simplify their management processes by leveraging existing infrastructure and resources. This management can be facilitated through user-friendly tools, allowing for streamlined operations.

Clear guidelines provided by these standards facilitate the prioritization of efforts and the allocation of resources based on the importance and impact of each control.

Standards can be selected and adapted according to the size, activity, and challenges of the organization. By aligning with DORA, cybersecurity measures remain flexible in the face of regulatory and technological changes.

Cybersecurity standards inherently include the concept of continuous improvement. By aligning these standards with DORA, organizations can keep their cybersecurity measures up to date against new threats.

Comply to DORA by implementing ISO 27001

ISO 27001, along with its companion Information Security Management System (ISMS), provides organizations with a structured framework to comply with DORA. However, certification alone is not a guarantee of compliance; it depends on how the ISO standard is implemented. Not all DORA requirements are fully covered by ISO 27001/27002, so additional or modified controls will be necessary.

Key areas where ISO 27001 supports DORA compliance:

  • ICT Risk Management: ISO 27001 requires an information security risk assessment and implementation of appropriate controls, aligning with DORA’s systematic risk management processes.
  • Incident Response and Reporting: ISO 27001 defines controls for managing security incidents, corresponding with DORA’s incident reporting requirements.
  • Digital Operational Resilience Testing: ISO 27001 includes controls for business continuity planning, aligning with DORA’s resilience testing requirements.
  • Third-Party ICT Risk Management: ISO 27001 sets controls for managing information security with third parties, supporting DORA’s third-party risk management requirements.
  • Information Sharing: ISO 27001 includes controls for information sharing and threat intelligence, supporting DORA’s external information-sharing mechanisms

Relevant controls mapping from the ISO 27001 frameworks to the 5 main pillars of the DORA.

Beyond the Bridge: Achieving Full DORA Compliance

While ISO 27001 provides a robust foundation, achieving full compliance with DORA requires additional measures. Organizations must:

  • Identify specific DORA requirements not fully covered by ISO 27001, such as incident reporting obligations, third-party risk management procedures, and operational recovery testing.
  • Conduct gap analyses and assessments to evaluate their current state against DORA’s requirements.
  • Tailor their Information Security Management System (ISMS) to incorporate DORA-specific controls and processes.
  • Develop and implement additional documentation mandated by DORA, including incident reporting procedures and recovery plans.

How NIST CSF Compliance Paves the Way for DORA Success

The NIST Cybersecurity Framework (NIST CSF) provides a structured approach to managing and reducing cybersecurity risks, improving communication on risk management and cybersecurity between internal and external stakeholders.

  • ICT Risk Management: NIST CSF provides a comprehensive approach to identifying, assessing, and managing cybersecurity risks, aligning with DORA’s risk management pillar.
  • Incident Response and Reporting: The “Respond” and “Recover” functions of NIST CSF support response planning, communications, and analysis, aligning with DORA’s incident reporting requirements.
  • Digital Operational Resilience Testing: The “Identify” and “Protect” functions of NIST CSF support resilience planning activities, aiding in the identification of vulnerabilities and enhancement of cybersecurity measures.
  • Third-Party ICT Risk Management: The “Govern,” “Identify,” and “Protect” functions of NIST CSF support supply chain risk management, aligning with DORA’s supply chain risk management requirements.
  • Information Sharing: NIST CSF documents information-sharing subcategories to improve cybersecurity practices, aligning with DORA’s information-sharing pillar.

Here is how the NIST CSF controls can be mapped to DORA’s third-party risk management.

GV.SC-01: A cybersecurity supply chain risk management program, including strategy, objectives, policies, and processes, is established and approved by the organization’s stakeholders.

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.

GV.SC-03: Cybersecurity supply chain risk management is integrated into enterprise cybersecurity risk management, risk assessment, and improvement processes.

GV.SC-04: Suppliers are identified and prioritized based on their criticality.

GV.SC-05: Requirements for addressing cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other agreements with suppliers and relevant third parties.

GV.SC-06: Planning and due diligence are performed to mitigate risks before entering formal relationships with suppliers or other third parties.

GV.SC-07: Risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, addressed, and monitored throughout the relationship.

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, with performance monitored throughout the lifecycle of technology products and services.

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities following the conclusion of a partnership or service agreement.

ID.AM-03: Representations of the organization’s authorized network communication and internal and external data flows are maintained.

ID.AM-04: Inventories of services provided by suppliers are maintained.

ID.AM-05: Assets are prioritized based on their classification, criticality, resources, and impact on the mission.

ID.RA-09: The authenticity and integrity of hardware and software are evaluated before acquisition and use.

ID.RA-10: Critical suppliers are assessed before acquisition.

PR.AA-01: Identities and credentials of authorized users, services, and devices are managed by the organization.

PR.AA-02: Identities are verified and linked to credentials based on the context of interactions.

PR.AA-03: Users, services, and devices are authenticated.

PR.AA-05: Access permissions, rights, and privileges are defined in a policy, managed, enforced, and reviewed, incorporating principles of least privilege and separation of duties.

PR.AA-06: Physical access to assets is managed, monitored, and enforced proportionally to risks.

Integrating CIS Controls with DORA

In the evolving landscape of global cybersecurity, operational resilience and regulatory compliance are paramount.

The importance of the challenges posed by cybersecurity necessitates a strategic approach by correlating proven frameworks with regulatory requirements.

The CIS Controls are a set of recommended best practices designed to prevent the most common cyberattacks. Developed by cybersecurity experts from the CIS, these controls provide organizations with a structured approach to securing their IT systems and data.

The Critical Security Controls from the Center for Internet Security (CIS Controls v8), with 18 controls, offer concrete recommendations for organizations of all sizes to prevent cyberattacks.

The CIS Controls integrate more than a dozen major international cybersecurity standards, such as SOC 2, HIPAA, MITRE ATT&CK, NIST, and PCI DSS.

Integrating CIS Controls with DORA provides organizations with a comprehensive approach to managing cybersecurity risks and regulatory compliance. It offers a practical methodology to achieve the resilience required by DORA through the proven security practices detailed in the CIS Controls.

Here is how the CIS Controls can be mapped to DORA’s third-party risk management.

CIS Control 12: Network Infrastructure Management

• Identify and assess risks associated with third-party ICT providers, establish contractual requirements for third-party providers to meet security standards, and monitor third- party providers for compliance with contractual obligations.

CIS Control 15: Service Provider Management

• Establish a formal process for evaluating and selecting third-party ICT providers, conduct due diligence assessments to evaluate the security posture of potential providers, and establish contractual agreements that include provisions for security requirements and oversight.

CIS Control 17: Incident Response Management

• Include third-party providers in incident response planning and coordination efforts, establish communication channels for reporting and responding to security incidents involving third-party providers, and conduct regular reviews of third-party provider performance and compliance.

As the frequency and sophistication of cyberattacks in the financial sector continue to rise, compliance with DORA is more critical than ever. By aligning with internationally recognized cybersecurity standards such as ISO 27001, NIST CSF, and CIS Controls, financial institutions can not only meet DORA’s stringent requirements but also enhance their overall cybersecurity posture, ensuring trust and business continuity in an increasingly volatile digital landscape.

By taking a proactive and structured approach to compliance, financial institutions can effectively manage the complex landscape of cybersecurity risks and regulatory demands.

CEO & founder Stroople
Désiré YAPI
Senior Cybersecurity Consultant

Need help?

Stroople provides compliance mapping against DORA through NIST CSF and ISO 27001 for your organization. Assess your DORA compliance with our experts.

Book an appointment