Preparing for DORA: Guide to Timely Incident Reporting for Financial Firms

The Digital Operational Resilience Act (DORA), set to take effect on January 17, 2025, is a transformative regulatory framework that underscores the critical necessity for robust Information and Communications Technology (ICT) risk management within the European financial sector. Among other requirements, the European Union (EU) regulation tasks financial firms with establishing a comprehensive framework for managing and reporting ICT-related incidents, including incident response.

By understanding the incident reporting requirements of DORA, organizations can enhance their cybersecurity posture, safeguard stakeholder interests, and contribute to the stability of the broader financial ecosystem. This article explores essential best practices that enable firms to optimize their incident reporting under DORA, ensuring that they are not only compliant but also resilient in the face of inevitable digital challenges.

Understanding DORA Requirements

Before delving into the specifics of incident reporting under DORA, it is crucial to understand the overarching requirements of this regulatory framework. Broadly speaking, it demands financial entities adopt comprehensive measures that enhance their ICT risk management and incident reporting capabilities.

Key aspects of DORA compliance include:

1. Establishing a robust ICT risk management framework that identifies and addresses potential vulnerabilities and threats. This framework should be comprehensive, ensuring that all aspects of ICT systems are evaluated for weaknesses and potential risks are mitigated effectively.
2. Continuous monitoring and control of ICT systems for ongoing protection. This involves employing advanced technologies and strategies to detect and respond to potential threats in real-time. By maintaining a vigilant approach, financial entities can ensure their systems remain resilient against cyber threats and operational disruptions.
3. Advanced digital operational resilience testing is essential for evaluating the robustness of financial entities’ ICT systems. This includes threat-led penetration testing, which is a targeted approach that simulates real-world cyberattacks to identify vulnerabilities. Such rigorous testing ensures that entities are well-prepared to handle potential cyber threats and maintain operational continuity.
4. A third-party risk management function to oversee ICT service providers and manage risk concentration. This function is crucial for identifying and mitigating risks associated with outsourcing ICT services, ensuring that third-party dependencies do not compromise a firm’s operational resilience.
5. Business continuity and IT service continuity plans that help maintain operational stability during disruptions. These plans should include secure backup systems to safeguard critical data and ensure swift recovery in the event of a system failure.
6. Clear governance structures with top management accountability for ICT risk management, ensuring effective oversight and decision-making. Firms must assign specific roles and responsibilities to senior leaders, who then must ensure that ICT risk management practices are integrated into the overall strategic objectives of the organization.
7. And finally, an incident classification and reporting framework that ensures incidents are reported to authorities in a timely and accurate manner. This framework helps streamline the process of incident identification and notification, enabling financial entities to respond swiftly and effectively to potential threats.

As we continue, we will share more on the subject of creating an incident detection, classification and reporting framework. As PwC describes, the sum of all DORA requirements aims to “harmonize and upgrade ICT risk requirements throughout the EU financial sector,” allowing for more robust resilience on an industrywide scale.

Incident Classification and Detection

Timely incident reporting under DORA guidelines begins with robust measures for classifying and detecting ICT-related incidents. DORA requires financial entities to consider various incident types in their classification and detection processes, including traditional cybersecurity incidents and operational disruptions that affect critical services.

These measures are vital for quickly identifying and responding to potential threats, reducing the severity of an incident and ensuring accurate reporting to one or more of the three European Supervisory Authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).

Five Key Aspects of Incident Classification

Key aspects and details of incident classification under DORA include:

• Classification Criteria: Firms must determine the impact of any incident on financial services and operations, including the economic impact, the number of clients affected, and the geographic spread. They must classify any breaches in terms of integrity and confidentiality.
• Detection Methods: They must implement continuous monitoring of ICT systems and utilize automated alert systems, regular vulnerability scans, user-reported anomalies, and threat intelligence feeds to enhance their security measures.
• Materiality Thresholds: Firms must establish specific thresholds for identifying major ICT-related incidents, and lay down criteria for classifying the significance of cyber threats.
• Incident Types: Firms must address issues related to availability and continuity disruptions, integrity violations, confidentiality breaches, and authentication failures to ensure robust security.
• Response Time: Firms must ensure immediate detection and initial assessment of incidents, along with escalation procedures based on the severity of the situation.

A robust incident classification system that aligns with DORA’s requirements facilitates quick and accurate reporting of significant incidents. Firms can integrate incident classification and detection measures into their overall ICT risk management framework, enabling them to promptly inform relevant stakeholders should an incident occur.

A Broad and Layered Incident Detection Approach

DORA also mandates the implementation of advanced detection capabilities, including real-time monitoring and automated alerts, to identify anomalies, potential threats, and actual incidents across the organization’s ICT infrastructure. Comprehensive detection mechanisms should cover a wide range of potential incidents, including cyberattacks, system failures, and other operational disruptions.

Financial entities should adopt a layered approach to incident detection, leveraging automated tools, conducting regular vulnerability assessments, and maintaining open channels for user-reported issues. Additionally, organizations should integrate threat intelligence feeds to stay updated on emerging threats and adjust their detection capabilities accordingly.

Lastly, incident detection processes should be regularly tested and updated. DORA emphasizes the need for continuous improvement in ICT risk management practices, ensuring accurate and timely incident detection and classification.

Incident Reporting and Response

Once firms have established their incident classification methodologies and detection strategies, they can develop a robust incident response and reporting framework. This includes clear procedures for notifying relevant authorities, managing incidents, and initiating recovery processes.

For example, the regulation highlights the importance of clear materiality thresholds for incident classification, helping determine which incidents qualify as “major” and need reporting to authorities. Financial entities must regularly review and update these thresholds to remain relevant amid evolving cyber threats.

10 Critical ICT Incident Reporting Procedures

Financial entities must implement comprehensive procedures to effectively manage and report ICT-related incidents. Here are the key aspects of incident response and reporting under DORA:

1. Develop an incident response plan. Financial entities must develop and maintain detailed incident response plans that outline procedures for addressing various types of ICT-related incidents.
2. Determine the content of reports. Incident reports should include a description of the incident, its estimated impact, measures taken or planned to mitigate the impact, and potential cross-border effects.
3. Harmonize reporting with EU regulations. DORA’s incident reporting requirements are designed to harmonize with other EU regulations, reducing duplicative reporting obligations for financial entities.
4. Formalize internal communication methods. Incident response procedures should include clear protocols for internal communication and escalation to ensure timely and appropriate responses.
5. Establish clear reporting timeframes. DORA sets specific time limits for initial notification of incidents, subsequent update reports, and final incident reports.
6. Lay the groundwork for timely reporting. DORA mandates prompt reporting of major cyber incidents to relevant national and EU authorities.
7. Create criteria for aggregated cost estimations. Financial entities are required to estimate the aggregated costs and losses caused by major ICT-related incidents.
8. Prepare methods for post-incident analysis. After resolving an incident, financial entities should conduct thorough post-incident reviews to identify lessons learned and improve their response capabilities.
9. Track significant threats. DORA establishes criteria for classifying and reporting significant cyber threats, even if they haven’t resulted in an actual incident.
10. Commit to continuous improvement. Incident response and reporting processes should be regularly reviewed and updated based on experience and evolving threats. We will share more details about this procedure in the next section.

By implementing these incident response and reporting procedures, financial entities can ensure compliance with DORA and enhance their overall operational resilience in the face of ICT-related threats and disruptions.

Compliance and Continuous Improvement

Preparing for DORA isn’t a single effort. Ensuring ongoing compliance with DORA  means committing to continuous improvement in their ICT risk management practices. Financial firms must maintain robust operational resilience as they continue to do business and optimize their reporting as their ICT risk management methodologies evolve.

10 Ways Financial Firms Can Support Ongoing Compliance

Here we outline ten strategies financial firms can adopt to support ongoing compliance and continue to improve their risk management framework over time.

Conduct Regular Assessments and Audits

Financial firms should conduct periodic internal assessments and external audits of their ICT risk management frameworks. These evaluations help identify gaps in compliance and areas for improvement. The frequency and scope of these assessments should be proportionate to the entity’s size, complexity, and risk profile.

Update Policies and Procedures

As the threat landscape evolves, firms must regularly review and update their ICT policies, procedures, and controls. This includes revising incident response plans, business continuity strategies, and third-party risk management processes to align with emerging best practices and regulatory requirements.

Enhance Testing Programs

DORA mandates advanced digital operational resilience testing, including threat-led penetration testing for certain entities. Organizations should continuously refine their testing methodologies, incorporating lessons learned from previous exercises and emerging threat intelligence. This may involve expanding the scope of tests, increasing their frequency, or adopting new testing techniques.

Strengthen Governance Structures

Effective compliance requires clear governance structures with top management accountability. Organizations should regularly review and enhance their governance frameworks, ensuring that roles and responsibilities for ICT risk management are well-defined and aligned with DORA requirements.

Invest in Technology and Skills

To maintain compliance and improve resilience, financial entities must invest in up-to-date technologies and skills. This includes implementing advanced monitoring tools, adopting AI and machine learning for threat detection, and providing ongoing training for staff to keep their skills current.

Collaborate and Share Information

While not mandatory, DORA encourages information and intelligence sharing among financial entities. Participating in industry forums, threat intelligence exchanges, and collaborative exercises can significantly enhance an organization’s ability to detect and respond to emerging threats.

Monitor Regulatory Developments

As regulatory technical standards and guidelines continue to evolve, financial entities must stay informed about updates to DORA and related regulations. This involves monitoring communications from European Supervisory Authorities (ESAs) and adjusting compliance strategies accordingly.

Enhance Incident Reporting Capabilities

Organizations should continuously improve their incident detection, classification, and reporting processes. This includes refining materiality thresholds, enhancing automated detection systems, and streamlining reporting procedures to ensure timely and accurate notifications to authorities.

Adopt Third-Party Risk Management Capabilities

As DORA places significant emphasis on managing ICT third-party risks, financial entities should regularly review and enhance their third-party risk management practices. This includes updating due diligence processes, contract terms, and monitoring procedures for critical service providers.

Measure and Report on Resilience

Developing key performance indicators (KPIs) and metrics to measure digital operational resilience can help organizations track their progress and identify areas for improvement. Regular reporting on these metrics to senior management and the board ensures ongoing attention to resilience efforts.

By embracing these continuous improvement practices, financial entities can maintain compliance with DORA and significantly enhance their overall operational resilience. This proactive approach helps organizations stay ahead of evolving threats and regulatory expectations, fostering a culture of resilience throughout the organization.

Strengthening Resilience Across the Finance Industry

Ultimately, diligent adherence to DORA by every financial firm will significantly drive industry-wide improvements in operational resilience and risk management. As firms strengthen their practices, clients, and customers will benefit from heightened security and reliability in financial services. Together, these efforts will foster a more robust and resilient financial ecosystem for all stakeholders.

Prepare for DORA with Option One Technologies

Option One Technologies offers customized solutions that enhance ICT risk management and reporting, helping financial entities comply with DORA and adapt to the changing regulatory environment. Contact an expert today to learn how we can help you boost your compliance and operational resilience.