EU Digital Operational Resilience Act: What Financial Institutions Need to Know

July 31, 2023

On the back of the 2020 EU Cybersecurity Strategy, EU legislators enacted several regulations aimed at creating a more robust EU cybersecurity framework. This includes the Digital Operational Resilience Act (DORA), which aims to harmonize fragmented approaches to regulation around digital resilience across the EU. Financial institutions have until the end of 2024 to achieve full compliance with DORA.

Under DORA, all sizable financial institutions must have measures in place to ensure that they can withstand, respond to, and recover from all ICT-related disruptions and threats. Supervisory authorities for DORA are:

Well-known financial consulting companies have identified five pillars of DORA, with some variations between the companies.

Pillar 1: ICT Risk Management

Senior management of financial institutions must oversee ICT governance, including resources, budgets, testing regimes, security measures, and other aspects of ICT. They need to stay abreast of existing arrangements with third-party ICT providers and monitor the impact of changes in terms of risk exposure. In addition, they are required to maintain a firm grasp of incident handling in their organizations, complying with rigorous asset identification and management requirements.

Pillar 2: ICT Incident Classification and Reporting

DORA requires harmonized incident handling systems across EU financial entities and their ICT providers. Major operational or security payment-related incidents must be reported to competent authorities. Financial entities are also advised to notify authorities of cyber threats.

All financial entities must maintain an incident handling playbook. They should also meticulously record all incidents, their effects, remediation measures, and associated costs. Additionally, financial entities must implement and test ICT disaster recovery plans as well as communication and crisis management plans.

Competent authorities across member states must cooperate in supervising and enforcing DORA.

Pillar 3: Digital Operational Resilience Testing

There are onerous system testing requirements under DORA. These are designed to secure business continuity in the face of disruptions. Resilience testing must encompass dependencies with other financial entities and third-party providers.

Testing should include switchovers between primary infrastructure and redundant capacity, backups, and redundant facilities. Another requirement is annual testing of business continuity and disaster recovery plans, as well as crisis communications. Financial institutions and their ICT providers should conduct threat-led penetration testing every three years at minimum.

Competent authorities have powers to conduct independent audits of tests at any time, so detailed reports and logs must be maintained of all testing activities.

Pillar 4: ICT Third-Party Risk Management

ICT outsourcing is now the norm and contributes greatly to business efficiency. However, it has also created a web of dependencies in the financial system that could result in chaos if there is major disruption to the digital supply chain. For this reason, critical third-party ICT service providers are compelled to adhere to DORA. Financial institutions outsourcing ICT functions must notify supervisory authorities.

ICT service providers should have measures in place to ensure resilience. In introducing these measures, the EU aims to address concentration risk, which is the risk that disruption to a dominant ICT service provider could lead to a cross-border financial system collapse.

In relation to third-party ICT providers, financial entities must:

Pillar 5: Information Sharing

DORA facilitates the sharing of intelligence and best practices on ICT-related threats, vulnerabilities, and incidents among financial entities, competent authorities, and other stakeholders. This should include national cybersecurity authorities and ICT incident response teams. Organizations should use dedicated platforms or networks established by the ESA and ECB, and conduct information sharing with respect for privacy and data protection regulations, trade secrets, and competition law.

FileCloud Features that Enhance DORA Readiness

Ensuring Digital Operational Resilience During Threats & Disruptions with FileCloud

FileCloud's secure file sharing and remote access capabilities can help financial institutions adhere to many aspects of DORA. With FileCloud, you can securely share files from any device without using a VPN, facilitating information exchange even during disruptions or cyber-attacks.

Sharing Intelligence with Help from FileCloud

Analytics and alerts from FileCloud allow you to track data through our business intelligence layer, gaining information on usage trends, user geography, storage, and content mix.

Our Admin dashboard lets administrators monitor suspicious activity. They can easily spot unauthorized sharing of sensitive information and unusual patterns. Further analytics features include:

A recent cybersecurity assessment of FileCloud stated:

While conducting the assessment CyberCX noticed that the FileCloud applications displayed several positive behaviours. The FileCloud applications did not allow users to upload files with malicious signatures. This behaviour shows that the applications perform a security scan to help prevent users or adversaries from uploading documents or executables with malicious payloads. CyberCX also noticed that the applications properly prevented captured requests from previous sessions from being reused. Applications that effectively manage user sessions can prevent adversaries from using previously captured cookies or sessions to interact with the application.

FileCloud Web Application Assessment Report, Prepared by CyberCX, April 2023.

Audit Readiness with FileCloud

FileCloud's SIEM integration can send logs in LEEF or CEF format to tools such as Splunk for analysis.
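To show what a SIEM has to handle when it receives CEF events, here is an added example (not FileCloud code or FileCloud's actual log output) that parses CEF lines, honouring the backslash escapes for `|` in the header and `=` in the extension, and runs a simple detection rule over them. The vendor, product, signature IDs and extension keys in the sample events are assumed.

```python
import re

# Constructed sample CEF events; vendor, product and extension keys are assumed,
# not real FileCloud output. Note the escaped '|' in a header and escaped '=' in msg.
SAMPLE_CEF = """\
CEF:0|ExampleVendor|FileShare|1.0|share_created|Share created \\| external link|3|suser=alice fname=Q3 loan book.xlsx act=share shareType=public dst=203.0.113.10
CEF:0|ExampleVendor|FileShare|1.0|share_created|Share created|3|suser=bob fname=minutes.docx act=share shareType=private
CEF:0|ExampleVendor|FileShare|1.0|login_failed|Login failed|5|suser=alice src=198.51.100.7 msg=bad password 3rd try \\= locked
"""
HEADER_FIELDS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # an unescaped key= inside the extension

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # '\|', '\=', '\\' become the literal character

def split_header(body):
    # Return the 7 pipe-delimited header fields and the remaining extension text.
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # escaped char: keep it, skip the backslash
            cur.append(body[i + 1]); i += 2
        elif c == "|":                           # unescaped delimiter ends a field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    return fields, body[i:]

def parse_extension(ext):
    # Values may contain spaces; a value runs until the next ' key=' token.
    out, hits = {}, list(KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out

def parse_cef(line):
    assert line.startswith("CEF:"), "not a CEF line"
    fields, ext = split_header(line[len("CEF:"):])
    ev = dict(zip(HEADER_FIELDS, fields))
    ev["severity"] = int(ev["severity"])
    ev["ext"] = parse_extension(ext)
    return ev

def parse_log(text):
    return [parse_cef(l) for l in text.splitlines() if l.strip()]

def public_shares(events):
    # Detection rule: (user, file) for every share created with public visibility.
    return [(e["ext"].get("suser", "?"), e["ext"].get("fname", "?")) for e in events
            if e["signature_id"] == "share_created" and e["ext"].get("shareType") == "public"]
```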

Using the Admin dashboard, administrators can create a User Locks Report to view a list of locked files. Similarly, they can generate a User Shares Report, which includes information such as username, location, expiration, and share type (private or public).

Find Out More

To find out how FileCloud can enhance digital resilience and readiness for the Digital Operational Resilience Act, you can read our case study about our capabilities in the financial sector: Global Banking Group Secures Sensitive Information with FileCloud.

We also have an in-depth white paper that you can download as a PDF at the following link: Preparing for the EU Digital Operational Resilience Act with FileCloud.

Alternatively, to see FileCloud's capabilities for yourself, simply book a free demo now.

Written by Deirdre Clancy, Technical Content and Communication Manager