DORA & Thales: Help your financial services customers turn compliance into competitive advantage

Are you (and your customers) ready for DORA?

The Digital Operational Resilience Act, or DORA, is due to apply across all EU member states from January 17th 2025. It aims to enhance the resilience of organisations in the financial services sector to the ever-evolving threat of cyber attacks by harmonising digital operational resilience and cybersecurity requirements across the EU, instead of each member country setting its own regulations.

DORA impacts all financial services organisations in the EU and EEA, but it’s also likely that organisations from outside this area will need to comply with DORA’s requirements in order to trade in Europe. In addition, as GDPR created a precedent for data privacy that the rest of the world followed, experts expect DORA to have the same global effect.

Organisations in the financial services arena need to understand the new rules and ensure they’re prepared. Regardless of the deadline, it’s never a bad idea to support your customers in enhancing their cybersecurity posture. In fact, it can be what sets them apart from their competitors – and you apart from yours.

Thales offers a suite of products to help organisations comply with DORA and gain significant strategic benefits. In this article, we’ll tell you more about DORA and how you can help your customers be in the best position to reap those rewards.

DORA compliance requirements

DORA applies to a broad range of organisations in the financial services industry, including those in:

  • Banking and credit
  • Insurance
  • Payments
  • Information and Communication Technology (ICT) for financial services
  • Financial markets
  • Asset management
  • Crypto-assets service providers

DORA is a wide-ranging set of requirements to which organisations in its scope must demonstrate compliance by January 17th, 2025. DORA’s regulations are focused around five key pillars:

  • ICT risk management and governance – Organisations must define, implement and maintain a framework to manage cybersecurity risk and boost resilience.
  • Incident reporting – If a cybersecurity incident arises, DORA requires organisations to report it to the relevant authorities within strict timeframes.
  • Digital operational resilience testing – Organisations must conduct an annual testing program to ensure that disruption is minimal in the event of an incident.
  • ICT third-party risk – Financial services organisations rely on external tech vendors (some based outside the EU) for much of their IT environment. They must factor these third-party risks into their cybersecurity risk management strategy.
  • Information sharing – DORA promotes sharing knowledge on cyber threats between organisations to enhance resilience across the industry.

If an organisation is found in violation of DORA, it could face fines of up to 2% of annual global turnover.

You can now see how critical it is that financial services organisations covered by DORA have their bases covered by January 2025. Download the latest DORA white paper from Thales to get a more detailed list of the new requirements.


Job roles and responsibilities for DORA compliance

DORA is an EU Regulation, which means that it is law, not “simply” a technical certification like PCI or ISO27k. Complying with DORA is not something leaders can just leave to their IT security team. It requires a coordinated effort across the organisation with input from several functions, including:

  • Board of Directors – Directors must take a personal interest in cybersecurity and make the right decisions on policies, processes and resource allocation.
  • Cybersecurity – Cybersecurity teams are on the frontline, upholding policies and controls, and dealing with incidents daily.
  • Risk Management – This team is responsible for identifying and implementing measures to minimise cyber risks, as well as planning for continuity in the event of a disruptive cyber incident.
  • Compliance – The organisation’s compliance team must establish processes for timely reporting cybersecurity incidents to meet DORA reporting obligations.
  • Human Resources – HR plays a critical role in delivering cybersecurity training for the workforce and ensuring a culture of cybersecurity awareness.
  • IT – This team is responsible for implementing many of DORA’s rules, including mandatory multi-factor authentication and data confidentiality.

Complying with DORA needs to be a company-wide effort. However, there’s some great technology available to support the transition.

Introducing Thales Technologies for Compliance

Thales has an extensive portfolio of application security, data security, and identity and access management solutions that can help your customers as they work towards DORA compliance.

Thales offers a range of application security solutions that protect applications and APIs at scale, whether in the cloud, on-premises, or in a hybrid model. Thales Imperva’s Application Security is positioned as Leader by Gartner in the Web Application and API Protection (WAAP) segment. Key tools in the portfolio include Web Application Firewall, solutions to protect against Distributed Denial of Service (DDoS) and malicious bot attacks, and API security.

In data security, Thales offers solutions for data discovery and classification, data risk analytics, and vulnerability management. They help identify structured and unstructured sensitive data at risk on-premises and in the cloud. In identity and access management, Thales provides solutions for managing access control, including delineating who has access to specific resources inside an organisation.

In the cryptography and encryption space, CipherTrust Manager is Thales’ industry-leading key management system, helping even the largest organisations manage encryption keys and access policies from a central location, with comprehensive reporting capabilities. Thales Luna Hardware Security Modules (HSMs) help secure business-critical applications and sensitive data by managing cryptographic keys inside the network, while Thales Data Protection on Demand (DPoD) is a cloud-based key management service with no hardware needed.

These products could directly help your customers comply with DORA by addressing essential cybersecurity risk management requirements and delivering complete, accurate and timely reports in accordance with Articles 8, 9, 10, 11, 19 and 28.

In particular, DORA explicitly mandates financial entities to define and implement policies for data encryption and for managing cryptographic keys, including cryptographic agility (aka Post Quantum Crypto). In the case of ICT incidents, DORA requires financial entities to react to a major incident within four hours, and to provide early forensics such as data activity analytics within 72 hours. Thales’ Data Security reports and portals make compliance with these rules simple, providing 12 months of retained records, easily accessible for detailed search and investigation. Audit data is automatically archived, but remains accessible in seconds for queries and reporting.

Turning Compliance into an Advantage

Utilising Thales’ technologies to achieve DORA compliance, you can support your customers as they enhance their security posture, giving you and them a competitive advantage.

Of course, the primary advantage of complying with DORA is that your clients stay out of legal trouble and avoid potentially devastating fines. However, in the ultra-competitive financial services space, putting cybersecurity at the heart of your operations can deliver significant strategic benefits:

  • Cyber incidents can significantly damage an organisation’s reputation, especially in finance. Which investors would want to put their money with an institution that can’t guarantee its safety?
  • Downtime caused by cyber incidents is disruptive to employees and customers alike, especially if people aren’t able to manage their money. Protecting your environment from cyber attacks helps deliver a higher quality service.
  • A smooth-running IT system, free of cyber threats but also free of cumbersome access control measures, makes employees more productive.

Complying with DORA requires a coordinated, company-wide effort. But in today’s world of ever-more sophisticated cyber threats, it is essential. However, when you support your customers with the right expertise and the best technology, it doesn’t have to be too big a challenge. Instead of merely complying with DORA, why not go beyond compliance and begin to truly grab those business benefits?

Find out more

Download Thales’ latest white paper to learn more about DORA compliance (including detailed explanations of the requirements) – and how Thales’ suite of solutions can help your customers get there.


If you’re looking for expert support and guidance along your DORA compliance journey, it’s time to talk to Exclusive Networks. We’ll help you seize the opportunities that DORA presents, so compliance becomes your competitive advantage.