Apr 11, 2024 | 9 min | Experts

The Digital Operational Resilience Act (DORA) and Cohesity

What you need to know about the technical framework regulation for the financial sector of the EU.

What is DORA?

The Digital Operational Resilience Act (DORA) is a regulation that establishes technical standards and creates a risk management framework for the financial sector of the European Union (EU) and their third-party service providers.

According to the regulation, financial institutions must “…follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents.” ICT, of course, is information and communication technology. The emphasis is on ensuring operational resilience to disruptions—traditional business continuity events, or cyberattacks.

As an EU regulation—not law—financial services institutions within its scope will need to comply by a deadline of 17 January 2025, even if individual member states don’t pass laws to enforce it.

With any new regulation, questions pop up. What does DORA compliance mean for your organisation? What are the regulation requirements? Penalties for non-compliance? And how can Cohesity help? All good questions. The answers are below.

Five pillars of DORA

DORA focuses on five pillars:

  1. Risk management
  2. Incident management, including classification and reporting
  3. Resilience testing
  4. Management of third-party risk
  5. Information sharing

Those who need to comply with DORA must ensure that their cyber resilience posture can deliver the required recovery points and timelines while continuing to support their in-flight digital transformation initiatives. Across the five DORA pillars are 40 detailed Articles (DORA itself has 64 articles), which form the meat of the regulations. These clearly articulate exactly what, why, and how to comply with the regulation. Articles include defining a risk framework, developing awareness and training programs, communication plans, third-party risk management and oversight teams, and cooperation with competent authorities, among others.

Key DORA regulation requirements

Article 1 of DORA clearly outlines the key requirements and is designed to bring financial entities to a high common level of digital operational resilience. These requirements are:

  • ICT risk management
  • Measures for the sound management of ICT third-party risk
  • Reporting major ICT-related incidents
  • Reporting of major operational or security payment-related incidents to the competent authorities
  • Voluntarily notifying significant cyber threats to the competent authorities
  • Digital operational resilience testing
  • Sharing of information and intelligence about cyber threats and vulnerabilities to the trusted community
  • Contractual arrangements concluded between ICT third-party service providers and financial entities
  • Establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities
  • Cooperation among competent authorities and rules on supervision and enforcement by competent authorities to all matters covered by the regulation

Penalties for non-compliance with DORA

Alongside existing regulatory penalties, DORA introduces measures to ensure that organisations attain and maintain compliance:

  • One percent of the previous year's average worldwide turnover, applied daily until compliance is achieved, for a period of six months
  • Potential for criminal sanctions
  • Potential for personal (individual) fines

Add to that the financial losses suffered through service outages and ongoing brand damage, and it quickly becomes clear that a lack of data and cyber operational resilience can lead to disastrous consequences.

Designated regulators in each EU member state, known as “competent authorities”, will ensure compliance, including requesting that entities take specific security measures and remediate identified gaps and/or vulnerabilities.

One clear difference with DORA when compared to other financial services regulations? DORA applies to the institution’s third-party service providers. Good examples of this are hyperscalers, cloud service providers, hosted data centers, and more. All must also be compliant with DORA requirements.

How Cohesity can help with DORA

Risk management

Financial entities under DORA are required to have a governance framework in place to manage ICT risk and achieve digital operational resilience. This framework ensures organisations maintain data availability, authenticity, integrity, and confidentiality by:

  • Establishing roles for users.
  • Reviewing and approving business continuity plans and internal audit plans.
  • Allocating the correct budgets.
  • Approving arrangements with third parties.
  • Reporting and training.

Cohesity provides comprehensive data indexing and classification to help ensure adherence to DORA. Having the ability to locate and classify data correctly delivers operational resilience regardless of how a disruption manifests itself. This also enables organisations to quickly identify and report the details of a cyber event to authorities where information may have been compromised, stolen, or deleted.

With the rise of attackers targeting backup and recovery infrastructure, protecting your backups from deletion or corruption by bad actors is critical. This is true whether it’s criminal ransomware gangs or nation-state actors looking to wipe financial services institutions systems and cripple an economy.

Data protection platforms require immutability and Cohesity’s DataLock functionality prevents tampering and overwriting—and helps protect against accidental or malicious deletion of snapshots before the retention policy expires. Additionally, data can be secured automatically in virtually air-gapped vaults to ensure there is always a copy to be recovered.

The platform architecture must also be based on zero-trust principles and support multifactor authentication as well as capabilities to support the security principles of least privilege through granular access controls. Segregation of duties and flexible deployment options are needed to allow the data to be air-gapped, whether on-premises or utilizing public clouds.

Modern data security and management platforms can extend an organisation’s cyber incident detection capabilities beyond the network and the end device by using data contained in the backups. This provides passive ways to detect adversaries that they cannot evade or monitor. Cohesity’s advanced anomaly detection can provide high fidelity and high confidence signals to a security operations team about the encryption of file systems by ransomware or deletion of files by wiper malware or malicious actors. The threat-hunting capabilities in Cohesity DataHawk provide a curated feed of Indicators of Compromise (IoCs) related to ransomware and allow the security operations team to hunt for evidence of a historical attack without affecting operations.

Incident management: Including classification and reporting

Under DORA, financial entities are required to have a clearly defined incident management process. This process allows responders to manage their work and properly document the incident. Organisations should have many of the processes and procedures in place for incident management and reporting, especially if they have been organised around ITIL methodologies. Unlike traditional business continuity and disaster recovery scenarios, cyber incidents require extensive investigation and threat mitigation before systems can be recovered.

To understand the attack, the investigation must answer questions like:

  • How did the attack happen?
  • What vulnerabilities were exploited?
  • Which controls were missing or were circumvented?
  • Which accounts were created or compromised?
  • What persistence mechanisms were used?

Every second of delayed response costs the organisation money, which is why Cohesity orchestrates the rapid recovery of an isolated response environment, or clean room, for investigations. This allows the investigation to get underway as soon as possible. In addition, snapshots can be used to provide a view of file systems across the incident timeline, allowing digital forensics teams to identify suspicious binaries and other changes to the file system.
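The two passages above describe signals that can be read from backup data alone: a ransomware run shows up as a large fraction of files rewritten with high-entropy (ciphertext-like) content, a wiper as a large fraction of files deleted, and a snapshot diff surfaces binaries that were not present before the incident. The block below is an added illustration of that idea, not Cohesity's code and not the logic behind DataHawk or its anomaly detection; the snapshot contents, paths, thresholds and the `FileRecord` structure are all constructed for the example (a real backup index would carry hashes and sampled bytes rather than full file content).

```python
"""Constructed example: ransomware/wiper signals and forensic diffs from backup snapshots."""
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    """Stand-in for a backup index entry (constructed for this example)."""
    content: bytes
    executable: bool = False


# A snapshot is a mapping of path -> FileRecord (assumed structure).
Snapshot = Dict[str, FileRecord]

PLAIN = b"quarterly ledger: account 1234 balance 5678 EUR\n" * 4  # low entropy text
ENCRYPTED = bytes(range(256))  # every byte value exactly once: entropy 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def new_executables(prev: Snapshot, curr: Snapshot) -> List[str]:
    """Forensic diff: executables present in the later snapshot but not the earlier one."""
    return sorted(p for p in set(curr) - set(prev) if curr[p].executable)


def classify_change(prev: Snapshot, curr: Snapshot,
                    change_ratio_threshold: float = 0.5,
                    entropy_threshold: float = 7.0,
                    delete_ratio_threshold: float = 0.5) -> dict:
    """Compare two consecutive snapshots and label the change (thresholds are illustrative)."""
    prev_paths, curr_paths = set(prev), set(curr)
    deleted = prev_paths - curr_paths
    added = curr_paths - prev_paths
    modified = {p for p in prev_paths & curr_paths if prev[p].content != curr[p].content}
    base = max(len(prev_paths), 1)
    deleted_ratio = len(deleted) / base
    # Count added files as changes too, so ransomware that renames victims (e.g. to
    # *.locked) is measured by its new high-entropy files rather than hidden as deletions.
    changed_ratio = (len(modified) + len(added)) / base
    changed = [curr[p].content for p in modified | added]
    avg_entropy = mean(shannon_entropy(c) for c in changed) if changed else 0.0

    # Mass deletion without a matching wave of new files looks like a wiper;
    # mass rewrite with ciphertext-like content looks like encryption.
    if deleted_ratio >= delete_ratio_threshold and len(added) < len(deleted):
        verdict = "wiper-like mass deletion"
    elif changed_ratio >= change_ratio_threshold and avg_entropy >= entropy_threshold:
        verdict = "ransomware-like encryption"
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "deleted_ratio": round(deleted_ratio, 3),
        "changed_ratio": round(changed_ratio, 3),
        "avg_entropy_of_changes": round(avg_entropy, 3),
        "new_executables": new_executables(prev, curr),
    }


def _baseline() -> Snapshot:
    snap = {f"/data/ledger_{i}.csv": FileRecord(PLAIN) for i in range(10)}
    snap["/usr/bin/ssh"] = FileRecord(b"\x7fELF" + PLAIN, executable=True)
    return snap


BASELINE = _baseline()

# Scenario 1: an ordinary day, one ledger gained a row.
NORMAL_DAY = dict(BASELINE)
NORMAL_DAY["/data/ledger_0.csv"] = FileRecord(PLAIN + b"new row\n")

# Scenario 2: 8 of 10 ledgers overwritten with ciphertext, plus a dropped binary.
RANSOMWARE_DAY = dict(BASELINE)
for _i in range(8):
    RANSOMWARE_DAY[f"/data/ledger_{_i}.csv"] = FileRecord(ENCRYPTED)
RANSOMWARE_DAY["/tmp/.cache/svchost"] = FileRecord(b"\x7fELF" + ENCRYPTED, executable=True)

# Scenario 3: 9 of 10 ledgers removed outright.
_WIPED = {f"/data/ledger_{i}.csv" for i in range(9)}
WIPER_DAY = {p: r for p, r in BASELINE.items() if p not in _WIPED}

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL_DAY), ("ransomware", RANSOMWARE_DAY), ("wiper", WIPER_DAY)):
        print(name, classify_change(BASELINE, snap))
```

Run stand-alone, the script prints one verdict line per scenario; the ransomware case also lists `/tmp/.cache/svchost` as a newly introduced executable, which is the kind of artefact a forensics team would pull from the snapshot timeline for examination in the clean-room environment. In practice the thresholds need tuning per dataset (compressed archives and media files are legitimately high-entropy), and a production detector would work from the backup index rather than file bodies.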

Cohesity’s integration with our Data Security Alliance partners provides increased effectiveness and efficiency to the organisation’s existing security tooling, helping reduce the time required for response. Two examples of Data Security Alliance integrations include:

  • The ability of Tenable’s vulnerability scanner to identify the vulnerabilities in a system under investigation at a specific point in time without the need to recover the backup.
  • Cisco XDR’s ability, on observing a suspicious event, to trigger more frequent snapshots, which improves recovery point objectives (RPOs) and creates a more granular set of data from which to collect forensic evidence.

Cohesity can orchestrate the rapid recovery of systems, even with complex interdependencies. Cohesity’s indexing and classification capabilities allow financial entities to classify the impact of the data involved in the incident, allowing appropriate reporting to both the regulator and data subjects—all building up to a more complete and compliant business resilience.

Resilience testing

DORA brings an expanded requirement to traditional BC/DR methods with an expectation that organisations will continually evaluate their protection and actively work to identify and address vulnerabilities and weaknesses. Organisations will also report their findings to the relevant authority. This continuous process goes beyond the yearly DR testing and prioritizes critical systems to be included in threat-led penetration testing.

Cohesity provides end-to-end automated non-disruptive disaster recovery testing to ensure the data can be recovered in a crisis. During this process, gaps in protection can be identified. The response and recovery processes can be improved using complete audit trail reporting.

Also, Cohesity provides a compliance view of business resilience by continuously monitoring the protection of systems. It can actively and passively hunt security threats, detect anomalies, and automatically feed into SOC systems to give you visibility into the vulnerabilities DORA requires.

These insights can also drive automated reporting on the data itself: what has been restored, with appropriate indexing and classification, and comprehensive reporting on content that you can confidently hand to authorities, providing both compliance statements and, if you are reporting a security compromise, security statements. Examples include regulatory reporting of cyber events within a set period and an exact account of what has been touched, deleted, or taken.

Management of third-party risk

To be compliant with DORA, organisations must manage third-party risk as an integral component of their risk management framework. As part of this requirement, regular reviews will be conducted to ensure both the financial institution and the supplier are aligned and don’t have any outstanding findings that could lead to fines. 

Organisations must also:

  • Maintain a register of information on contractual arrangements for their use of third-party services.
  • Have a published policy on the use of these services supporting critical functions.
  • Review the management of third-party risk.
  • Have appropriate remediation plans in place for adverse risk findings.

In addition to the risk management capabilities outlined above, Cohesity supports protected copies of all your third-party risk data. Beyond your day-to-day DORA compliance requirements, you would be required to provide this data if there were a material impact to your business following a critical event.

Competent authorities would look to this information, for example vulnerability assessments or penetration testing results, when assessing you for penalties, which could be far worse if you are unable to provide it.

These can be secured automatically, including holding them in operationally air-gapped vaults, to ensure the compliance position of the financial entity is not compromised, and with full reporting available for both the firm and any competent authority requesting information.

Information sharing

Under DORA, financial entities are able to safely exchange cyber threat information and intelligence. This aims to further enhance resilience across the whole financial ecosystem. Security is a team sport. There is no benefit to one organisation having threat intelligence and not sharing it within the trusted community of financial entities, even if its business competitors are part of that community.

DORA exists to ensure that financial services do not cause local, country-level, or geographical material impact—and information sharing is a core component of compliance. In addition to sharing information and intelligence, it is also expected that competent authorities are notified. Sharing knowledge raises awareness of cyber threats. It limits or impedes the threat’s ability to spread, enhancing defense capabilities, threat detection techniques, mitigation strategies, and response and recovery strategies.

Conclusion

Cohesity’s platform capabilities and our integration with Data Security Alliance partners provide increased effectiveness and efficiency to existing Security Operations Center tooling—helping reduce the time required for response and reporting. The ability to orchestrate the rapid recovery of an isolated response environment provides a view of file systems across the incident timeline. It allows digital forensics teams to identify suspicious binaries and other changes to the file system.

Our advanced security features identify vulnerabilities in systems under investigation at a specific point in time without the need to recover the backup. Suspicious events observed in this way can trigger more frequent snapshots, achieving better RPOs and more granular forensic evidence.

In the face of growing risks, Cohesity accelerates DORA compliance by helping financial institutions prepare for, respond to, and recover from cyber threats. Cohesity protects critical data so that when a breach happens, organisations can identify the infection and ensure the data is clean during recovery.

Written by

Mark Molyneux

Field CTO, EMEA

James Blake

Global Cyber Resiliency Strategist

James leads cyber resilience strategy at Cohesity. He brings extensive hands-on experience in leading incident response in dozens of ransomware and wiper incidents; as the former CISO of Mimecast and Global Director of Cyber Transformation at JPMorgan Chase; and having led a consultancy practice that built the end-to-end security operation center capability for over 91 organizations including over two dozen in the FORTUNE 100.
