What is DORA? The application security and reliability implications of the Digital Operational Resilience Act

The European Union has adopted the Digital Operational Resilience Act (DORA) to safeguard the cybersecurity and operational resilience of the European financial sector. In effect since January 2023, DORA requires compliance from all financial institutions operating in the EU by January 2025. But what is DORA? And how do DORA security requirements affect application security and reliability?

What is DORA?

The Digital Operational Resilience Act (DORA) is a regulation that addresses the digital and cybersecurity resilience of financial institutions in the European Union. The regulation comprehensively addresses Information Communication Technology (ICT) risk management, harmonizing cybersecurity guidelines across the financial sector while considering the ever-evolving threat landscape.

DORA came into effect on January 16, 2023. Financial entities are expected to be DORA-compliant by January 17, 2025.

As the implementation date draws closer, it's imperative for financial institutions to acquaint themselves with the DORA regulation and take the essential measures for compliance.

DORA seeks to strengthen the cybersecurity resilience of the EU's banking and financial institutions by requiring them to possess the requisite processes, systems, and controls to prevent, manage, and recover from cybersecurity incidents.

Who needs to be DORA compliant?

DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU and to the ICT infrastructure supporting them from outside the EU.

The regulation affects Banking, Financial Services, and Insurance (BFSI) services within the EU. This includes not only banks, insurers, and investment firms, but also payment processors, exchanges, market infrastructure entities, rating agencies, and other financial organizations.

DORA also applies to critical ICT providers that service the financial sector. Therefore, financial institutions need to map their critical third-party ICT dependencies and diversify suppliers, so they're not overly dependent upon a single provider or small group of providers.

The DORA five pillars and implications for application security and reliability

The DORA regulation establishes uniform requirements regarding the security and reliability of network and information systems that support the business processes of financial entities. Application security and reliability are important to meeting these requirements.

DORA compliance initiatives can help drive a risk-based approach to application security, including exposure management, security testing, threat detection and response, and software supply chain security.

In the experience of Dynatrace customers, continuously monitoring, identifying, and addressing exposures-along with implementing more precise protection from exploit attempts-is crucial for maintaining a resilient IT environment. This proactive approach will ultimately make applications more secure and resilient to cyberattacks, which increases their overall reliability.

The following are Dynatrace's perspective on the DORA five pillars and why application security and reliability are important to complying with DORA.

Pillar 1: ICT risk management

Organizations must document a framework to identify and thoroughly assess potential ICT risks that could have operational effects on financial services. This involves analyzing the likelihood and potential effect of various threats, such as cyberattacks, natural disasters, and human error.

Automating processes to find, prioritize, and address exposure risk will enable compliance with this pillar. Based upon best practices in cybersecurity, Dynatrace suggests that organizations implementing its ICT risk framework consider the following factors in the context of application security and reliability:

• Design and automate processes to address ICT risks quickly, efficiently, and comprehensively to ensure a high level of digital operational resilience. These processes should include processes to identify and respond to vulnerabilities and infrastructure misconfigurations, as exploits of exposures can impact application resilience and disrupt operations.
• Select, use, and maintain tools that scale and have capabilities appropriate to the magnitude of operations that support their activities.
• Design and automate processes that will continuously identify sources of ICT risk and assess cyber threats (including vulnerabilities, exposures, and misconfigurations) relevant to CT-supported business functions, information assets, and ICT assets.

Pillar 2: ICT incident management

Organizations will need a solid incident management program to meet incident reporting timeframes. Tools, processes, and policies that will enable monitoring, identifying, resolving, managing, and reporting incidents-internally to senior management and externally to regulatory authorities-are critical to meeting this requirement.

Some of the key DORA governance requirements to consider when selecting application reliability and security incident management tools, implementing processes, and developing policies to support a company's ability to meet the mandate include the following:

• Report major ICT-related incidents to competent authorities, including incidents with significant impact on business continuity or financial stability.
• Classify ICT-related incidents and cyber threats based on criteria including the number of affected clients, the number of transactions affected, the duration of the incident, and data losses incurred.
• Inform clients potentially affected by significant cyber threats (such as exposures), including any appropriate protection measures they should consider. Reporting such exposures to authorities is voluntary.
• Meet incident reporting timeframes for all of the required reports:
  • An initial notification.
  • An intermediate report after the initial notification.
  • A final report, when the root cause analysis has been completed.
• Practice response procedures to ensure organizations can react faster and more effectively to real incidents, minimizing damage as much as possible.

Pillar 3: Digital operational resilience testing

DORA requires organizations to assess their preparedness for handling ICT-related incidents and identify weaknesses, deficiencies, and gaps in digital operational resilience. To address this requirement, organizations will need a comprehensive digital operational resilience testing program with a range of assessments, tests, methodologies, and tools, approached in a risk-based manner.

From an application security and reliability perspective, DORA provides examples of appropriate tests that include open-source analysis, source code reviews, scenario tests, compatibility tests, performance tests, end-to-end tests, and penetration testing.

Key DORA governance requirements to consider when implementing digital operational resilience testing are the following:

• Operational resilience testing. Conduct digital operational resilience testing to simulate various scenarios. This helps assess the ability of systems and processes to withstand disruptions and recover quickly.
• Critical systems testing. Run basic tests of critical/important systems at least annually to assess the resilience of critical operations against common threats. This testing involves a yearly assessment of the security posture of all applications that support critical functions. This type of testing aims to identify vulnerabilities that could be exploited in a cyber-attack, potentially disrupting financial services.
• Penetration testing. At least every three years, conduct advanced threat-led penetration testing for more complex scenarios and higher-risk institutions.

Pillar 4: Managing ICT third-party risk

Financial institutions rely on third-party vendors for various critical ICT services such as applications and cloud infrastructure. DORA emphasizes the importance of managing risks associated with some of these third parties. Managing risk includes evaluating the resilience of third-party providers and having appropriate risk mitigation strategies in place.

DORA encourages a more holistic approach to security. The regulation ensures that vulnerabilities in third-party applications do not become a weak link in the overall security posture. The following are some key governance requirements relevant for application security:

• Assessing third-party provider risk. Monitor and assess risks associated with critical third-party providers, including cloud platforms, data analytics companies, and other critical service providers.
• Establishing DORA contractual requirements. Implement contractual clauses with critical third-party providers that are aligned with DORA requirements and provide information sharing and incident reporting.

Pillar 5: Information sharing arrangements

The Digital Operational Resilience Act requires that organizations share information and intelligence on cyber threats and vulnerabilities. By encouraging information sharing among financial institutions and authorities regarding cyber threats and incidents, DORA fosters collaboration and enhances collective understanding of the evolving threat landscape. This collaboration helps to improve overall preparedness and response capabilities across the financial sector.

DORA best practices for application security and reliability

DORA emphasizes that management is accountable for ensuring an organization's digital operational stability. It mandates that management guarantees the company's sufficient protection against ICT disruptions and cyber-attacks.

To maintain effective and reliable business operations, consider adopting the following application security best practices:

1. Automate to avoid material incidents. Weave automated incident management and reporting into SRE practices to prevent outages before they occur. Continuously improve DevSecOps, user experience, and productivity by identifying and implementing opportunities for automation. Wherever possible, adopt solutions that automatically check for potential violations of DORA compliance requirements and industry benchmarks (such as the Center for Internet Security critical security controls).
2. Proactively deal with exposure risk. Don't assume that scan-based application security testing and posture management are sufficient. Continuously monitor runtime environments for exposures and assess their scope and potential impact. Exposure management improves prioritization and prevents vulnerabilities and misconfigurations from turning into a major cybersecurity incident.
3. Conduct threat hunts for critical application exposures, especially zero-days. It's important to defend against exploit attempts on critical exposures while they are in remediation. Proactive threat detection allows for timely remediation and prevents potential breaches and disruptions. Insights from a threat hunt will also help teams quickly remediate and prepare reports to relevant authorities within tight timeframes.
4. Establish a "zero-trust" policy for exposures via third-party software. Continuously verify third-party software at runtime for exposures and inform the vendor as soon as possible.
5. Adopt a "defense in depth" approach. Modern application environments are continuously growing more complex and harder to secure. This complexity makes it important to identify potential gaps and address them with a multi-layered approach that provides visibility and context so teams can prioritize the most impactful action.

Achieving DORA compliance

To assist you in complying with the Digital Operational Resilience Act, Dynatrace leverages its observability and security platform powered by the Davis AI engine, which combines causal, predictive, and generative AI. In supported environments, the Dynatrace Security Posture Management (SPM) solution automatically generates an analytic structure forthe compliance framework to identify and verify the regulation's technical compliance requirements.

Public link

Please use the above public link if you want to share this noodl on another website.