Are you ready for the EU’s Digital Operational Resilience Act (DORA)?
Financial services make the world go round. So it’s important that we keep them up and running, meeting customers’ needs even when we’re dealing with cyber attacks. Read about a new act meant to protect them, and how email archiving can help you comply with the law.
What is DORA?
DORA is the EU’s Digital Operational Resilience Act, legislation designed to safeguard the financial services (FS) sector against the growing numbers and severity of cyber threats.
If you manage ICT for an FS provider, then DORA is important.
The act also applies to companies delivering digital services to FS clients, as Cryoserver does, so we’re taking a keen interest in it.
DORA came into force in the EU in early 2023 and, according to what we hear, will likely become UK law in the future.
Importantly, this is not a directive but rather a regulation that FS organisations and third-party digital service suppliers must comply with.
Below is an outline of the basic things you need to know about DORA, and how our email archiving solution can help you meet your obligations.
Why is DORA necessary?
Across the EU, the approach to dealing with ICT risk has been inconsistent. Various financial authorities in different countries have taken their own regulatory initiatives and these don’t align.
DORA is designed to:
- Address growing risk resulting from the increasing connectivity in the FS sector
- Acknowledge and address financial institutions’ reliance on third-party providers
- Harmonise ICT risk management across the EU financial sector. DORA stipulates consistent requirements for third-party risk management in all financial entities. The intention is to safeguard the entire sector and mitigate cyber attacks.
Who does DORA impact?
It affects most regulated financial institutions in the European Union, including:
- Banks
- Insurance companies and intermediaries
- Payment service providers and electronic money institutions
- Investment firms
- Pension funds
- Crypto-asset service providers
- Crowdfunding service providers
- Fund managers
Importantly, it also applies to all firms providing digital services to the above organisations; that is, ICT third-party infrastructure and service providers (e.g. us), including contractual arrangements those institutions might have with counterparties inside or outside the EU.
When does DORA apply?
The new act applies from 17 January 2025, by which time affected businesses must be compliant.
The European Council adopted the act on 28 November 2022 and the EU published it 27 December 2022. You can read the text here.
What you must do
FS entities and third-party providers must follow DORA rules to protect against, detect, contain, and recover from ICT-related threats and attacks. These rules cover the following five areas.
DORA’s five pillars
- ICT risk management – looking at the maturity of your risk management framework (risk assessments)
- ICT incident reporting – examining how your organisation identifies and communicates about incidents
- Digital operational resilience testing – questioning how mature your penetration testing program is (for simulation of cyber attacks)
- Information and intelligence sharing – checking how you communicate about your cyber security
- ICT third-party risk management – looking at how mature your management program is. Your cyber security experts will need to show that you have communicated with your vendors under contract, informing them that they must comply with DORA. Vendors will need to provide evidence that they are indeed complying.
ICT providers (Cryoserver, for example) will be regulated by one of the European Supervisory Authorities (ESAs). These can request information, issue recommendations, conduct inspections and even impose penalties for non-compliance.
Penalties
Organisations that fail to comply with DORA could face financial or even criminal penalties.
Are your ITC providers compliant with DORA?
In future, when your cyber security experts carry out risk assessments, they’ll need to check that your third-party infrastructure and service providers comply with DORA.
A key aspect of your firm’s cyber resilience is how you manage and store your emails. The threats and incidents that have driven DORA’s development include:
- Ransomware
- Phishing
- Identity theft
Criminals often carry out such attacks via email, resulting in breaches that leak and expose huge amounts of confidential data.
This is where an archiving solution can make a big difference to your data security and, in the event of a data breach, your operational resilience..
Is your email archiving compliant?
DORA means that financial institutions are now putting their ITC vendors under greater scrutiny than ever.
We are experiencing this ourselves at Cryoserver as clients increasingly require us to complete cyber security questionnaires.
Typically, clients might ask us how we protect customer data. Or they want to see evidence that we have a business continuity plan.
Like other vendors, we must show them that we pose no risks to their business – confirming, for example, that we haven’t suffered a data breach.
Here’s how we can help you minimise cyber risks and be resilient so that your business complies with DORA.
Minimising risk
Suppose your organisation experiences a cyber attack: some of your users’ Outlook mailboxes are hacked and email records are released into the public domain.
To comply with DORA, you would need to report to regulators exactly how many records were exposed.
Cryoserver can give you that information.
More importantly, our solution can limit the extent of the breach by minimising the numbers of emails kept in users’ mailboxes.
We enable you to keep as little as a few hours’ or days’ worth of email in Microsoft Outlook mailboxes.
As for the emails users don’t need in their mailboxes – that is, the vast majority – Cryoserver moves them into a secure, encrypted repository, thereby reducing risk.
It means cyber criminals are unable to hold your email archive to ransom.
Not only does this help you comply with DORA; it also makes adopting a solution like ours mission-critical for your organisation.
Boosting operational resilience
We hope your mail server never fails, but suppose it did. How would your business manage?
If you have Cryoserver Cloud, you could reroute your email traffic to us. We could receive a live feed of inbound emails and enable your end users to reply or even compose new messages.
An intelligence tool
Cryoserver also functions as an intelligence tool that helps you prevent problems and keep your email system secure.
It can quickly identify all the people in your organisation who received a specific email.
And it can spot patterns in email users' behaviour and alert you to anything unusual – for example, a sudden increase in emails being forwarded to an unfamiliar address, which could indicate a breach.
If you’d like to know more about how Cryoserver can help your organisation comply with DORA, get in touch.