Get familiar with the new regulatory demands on financial institutions based in the EU
Enacted on November 22, 2022 and enforceable from January 17, 2025, the EU’s Digital Operational Resilience Act (DORA) introduces critical regulatory requirements that apply to all traditional and non-traditional financial institutions based in the EU, including banks, new fintech players, insurance companies, and critical ICT service providers.
What is the objective of DORA?
DORA focuses on strengthening the financial sector’s digital resilience and ability to withstand and recover from information and communications technology (ICT) incidents. It lays down precise rules applicable to EU member states covering five domains:
- ICT risk management and governance
- Incident response and reporting
- Digital operational resilience testing
- Third-party risk monitoring
- Information and intelligence sharing
The new regulation also extends its reach to critical ICT service providers that deliver services to financial institutions, including public cloud platforms, SaaS applications, data analytics, and audit services.
The primary objective is to ensure that organisations can endure, react to, and recover from ICT incidents, keeping essential functions running while minimising disruption for customers and financial services systems. Achieving this requires robust measures and controls on systems, tools, and third-party services, together with appropriate operational continuity plans and continuous monitoring.
Penalties for DORA non-compliance
Organisations deemed non-compliant by relevant regulatory bodies may be subject to a periodic penalty of 1% of the organisation’s worldwide turnover from the preceding business year. This fine can be levied for up to six months until the financial entity is found to have achieved compliance. Other consequences include reputational damage, potential criminal liability, and increased regulatory scrutiny.
How AppOmni can help with DORA requirements
| DORA Requirement | How AppOmni can help |
| --- | --- |
| ICT RISK MANAGEMENT | |
| Set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk. | SaaS Security Posture Management (SSPM) products are designed to enhance the security posture of Software-as-a-Service applications. They help organisations identify and manage security risks by continuously monitoring SaaS applications for misconfigurations, detecting and addressing non-compliance with security best practices, and surfacing other risky misconfigurations that can lead to a data compromise. SSPM products play a crucial role in the context of DORA: they help organisations meet DORA requirements by providing tools for continuous monitoring, incident response, and compliance reporting. By improving the security posture of SaaS applications, SSPM products enhance an organisation’s overall digital operational resilience in relation to SaaS, ensuring it can detect, prevent, and remediate SaaS cybersecurity vulnerabilities and threats. |
| All sources of ICT risk should be continuously identified in order to set up protection and prevention measures. | AppOmni’s SaaS-to-SaaS discovery functionality offers comprehensive visibility into all connected fourth-party applications within the SaaS ecosystem. It also provides historical data on potential security vulnerabilities and excessive permission grants associated with these applications, supporting informed decisions about remediating potentially risky integrations. |
| Prompt detection of anomalous activities should be established. | AppOmni safeguards SaaS environments by continuously monitoring for configuration changes and drift. It identifies deviations from your organisation’s SaaS security baselines and provides clear, guided remediation to address improper configuration vulnerabilities and threats. Additionally, AppOmni’s versatile threat detection system lets organisations use both pre-built and custom threat detection rules to detect malicious and anomalous user behaviour within SaaS applications. |
| Establish mechanisms to learn and evolve both from external events and from the entity’s own ICT incidents. | AppOmni facilitates proactive SaaS security management by automatically identifying risky configurations and events within the environment and providing clear explanations of the potential security threats associated with each finding. This actionable intelligence helps organisations prioritise remediation efforts and implement measures that continuously improve their overall SaaS security posture. |
| ICT-RELATED INCIDENT REPORTING | |
| Establish and implement a management process to monitor and log ICT-related incidents. | AppOmni has the unique ability to ingest event logs from multiple applications and present a unified picture of SaaS risk across an organisation from a single pane of glass. AppOmni continuously scans all deployments, identifying misconfigurations as and when they occur. Upon detection, organisations receive immediate notifications with contextual details explaining the risks involved, along with guided steps to remediate the vulnerabilities and threats. This information can inform the response to a given misconfiguration and help you assign a risk level to the event. AppOmni’s threat detection lets organisations use both pre-defined rules and custom configurations to identify malicious activity within SaaS applications; this combined approach addresses both common threats and those specific to the organisation’s needs. For “out of the box” detection rules, AppOmni-defined risk levels are provided along with supporting information and guided remediation steps. |
| Submit initial, intermediate and final reports on ICT-related incidents to the firm’s users and clients. | Using AppOmni’s tooling, organisations can draw on valuable data to generate comprehensive reports on SaaS-related ICT incidents. The visibility AppOmni provides offers deeper insight, enabling informed decisions about SaaS incident response and prevention. |
| DIGITAL OPERATIONAL RESILIENCE TESTING | |
| Elements within the ICT risk management framework should be periodically tested for preparedness. | AppOmni offers another useful tool in the belt of business continuity professionals. Without a solution like AppOmni, cyber risk visibility into SaaS would be incomplete. |
| Any weaknesses, deficiencies or gaps must be identified and promptly eliminated or mitigated through counteractive measures. | AppOmni continuously scans all SaaS deployments, identifying misconfigurations as and when they occur. Upon detection, the organisation receives immediate notifications with contextual details explaining the risks involved. Additionally, AppOmni provides guided steps to remediate vulnerabilities and threats and bolster your security posture. |
| ICT THIRD-PARTY RISK | |
| Ensure sound monitoring of risks emanating from reliance on ICT third-party providers. | AppOmni secures the most widely used business-critical SaaS apps that financial services firms rely on. AppOmni’s role in securing this critical ICT stack enables organisations to make full use of these applications while maintaining a robust SaaS security posture. |
| Harmonise key elements of the service and relationship with ICT third-party providers to enable ‘complete’ monitoring. | AppOmni centralises critical SaaS security management. It functions as a single platform, enabling organisations to: • Continuously monitor configurations: gain comprehensive visibility into the configuration of your critical SaaS applications • Identify risks and threats: proactively identify potential security vulnerabilities and threats within your SaaS environment, such as data access exposure • Assign security baselines: establish and enforce consistent security standards across your entire SaaS landscape • Remediate: guided remediation for security vulnerabilities and threats • Governance, Risk and Compliance: on-demand compliance and risk reporting by specific framework |
| INFORMATION-SHARING ARRANGEMENTS | |
| The regulation allows financial organisations to share cyber threat information and intelligence. | • Normalised Logs & Sharing: normalised and consistent SaaS logs simplify the identification of IOCs, making it much easier to share such information with trusted partners. • Threat Detection Rule and Policy Sharing: AppOmni allows customers to share their custom threat detection rules and policies with trusted partners across the AppOmni customer base. This community-driven approach to security allows industry peers to benefit from shared knowledge and proven defence strategies. • AppOmni Insights: AppOmni Insights can automatically detect misconfigurations, indicators, or other objects associated with known security events, allowing AppOmni to proactively push out automated detections in response to real-world events. • Active Participation in ISACs: AppOmni actively participates in various Information Sharing and Analysis Centers (ISACs), both by sharing its own expertise and by receiving intelligence about cyber threats and incidents from the wider community. |
| The supervisory authority will offer anonymised data and intelligence on cyber threats to financial organisations. Organisations should therefore establish systems to review and act upon the information provided by the authorities. | |