
DORA Regulation: Strengthening Cybersecurity for SMEs in the Financial Sector

04 Dec 2024. 13:17
Published by Acelera pyme

Terms of use

This resource may be used for personal or informational purposes, with attribution to the entity red.es, in accordance with our terms of use.

Tags

  • SME maturity: Middle
  • Topic: Cybersecurity
  • Scope to digitize: Cybersecurity



The DORA Regulation, which becomes mandatory on January 17, 2025, establishes key measures to protect the cybersecurity of financial entities, including SMEs. This framework regulates ICT risk management, resilience testing, third-party risk, and incident reporting. 

Keep reading to discover why it matters for SMEs in the financial sector! 

Image: Reglamento DORA

Cybersecurity is becoming increasingly relevant in the financial world. Cyberattacks, security breaches, and the integrity of digital communications pose constant threats to financial entities of all sizes. 

SMEs often lack the resources of their larger counterparts to protect both their operations and the integrity of their customers' data, whether the attack targets the company directly or a piece of software essential to its business. 

The Digital Operational Resilience Act (DORA) is a response to this need, providing a robust framework to protect financial entities from cyber threats. 

What is DORA? 

The Digital Operational Resilience Act (DORA) is a European regulation designed to strengthen the security of networks and information systems within financial entities. Its primary objective is to ensure that these entities can withstand, respond to, and recover from any type of operational disruption, particularly those caused by cyberattacks. 

DORA entered into force on January 16, 2023, with a two-year implementation period: it applies from January 17, 2025. From that date, affected financial entities must comply with the regulation, and supervisory activities begin soon after. These may range from information requests to mandated resilience tests that simulate cyberattacks. 

Which financial entities are affected by DORA? 

DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, payment service providers, and SMEs in the financial sector, such as advisory firms or exchange houses.  

The regulation covers both traditional financial institutions and fintech companies, so that all organizations operating within the financial sector follow the same cybersecurity rules. It applies them proportionately, however (Article 4): the size, risk profile, and nature of an entity's services determine how demanding its obligations are, so a small advisory firm is not held to the testing regime of a systemic bank.  

What are the requirements of DORA? 

The DORA Regulation establishes several key requirements for financial entities to ensure strong digital operational resilience: 

  1. ICT risk management: Entities must develop and implement specific policies and procedures to manage ICT-related risks. This involves identifying, assessing, and mitigating potential risks that could impact daily operations. 

To achieve this, entities should: 

  • Identify and classify critical assets. 

  • Maintain an ICT risk management framework covering protection, detection, response, and recovery. 

  • Prepare business continuity and ICT response and recovery plans for the risks identified. 

  • Conduct continuous risk assessments. 

  2. ICT incident reporting: DORA harmonizes the reporting of major ICT-related incidents, replacing overlapping sectoral rules with one set of classification criteria and one set of templates, which reduces the number of separately reportable events. It also tasks the European supervisory authorities with assessing the feasibility of a single EU reporting hub in place of separate national channels. 

In this case, institutions will be required to: 

  • Establish systems for monitoring, managing, and recording incidents. 

  • Inform relevant authorities and stakeholders. 

  • Submit initial, intermediate, and final reports. 

  3. Operational resilience testing: Periodic operational resilience testing is mandatory, simulating different cyberattack scenarios and other operational disruptions. The tests are defined, and their results tracked, in a digital operational resilience testing programme that specifies: 

  • Testing methodologies. 

  • Testing procedures and tools. 

  • Frequency of resilience tests. 

  • Prioritization strategies for testing policies. 

Advanced threat-led penetration testing (TLPT) is required only of entities designated by their competent authority; microenterprises are exempt from it. 

  4. Threat intelligence sharing: DORA encourages trusted financial entities to exchange cyber threat information, such as indicators of compromise, attacker tactics and techniques, security alerts, and defensive configurations, to raise awareness of new threats and improve resilience.  

  5. Third-party risk management: Entities must actively manage the ICT risks posed by their external providers through due diligence, audits, and contracts that cover security requirements, incident notification, and exit strategies. Providers designated as "critical" ICT third-party service providers are subject to direct oversight at EU level. 

These requirements are designed to create a more secure and resilient environment, protecting both financial entities and their clients from rising cyber threats. Complying with the DORA Regulation is not only a legal obligation but also an essential strategy for maintaining trust and stability in the financial sector. 

How and when can financial SMEs report an incident? 

Financial SMEs must notify the competent authority of any major ICT-related incident without undue delay. The initial notification is due within 4 hours of classifying the incident as major and in any case no later than 24 hours after it is detected; an intermediate report follows within 72 hours of the initial notification, and a final report within one month of the intermediate report. The notification should include details about the nature of the incident, the measures taken to mitigate its effects, and any potential impact on the entity's clients and operations.  

Remember that from January 17, 2025, compliance with the DORA Regulation is mandatory for all financial entities in scope. 

 

If you own an SME in the financial sector and detect a potential incident, these are the steps to follow to report it: 

  1. Identify the incident using the internal procedures established to detect, log, and assess incidents. 

  2. Assess its severity against the classification criteria set by the regulation: clients, financial counterparts, and transactions affected; reputational impact; duration and service downtime; geographical spread; data losses; criticality of the services affected; and economic impact. Only incidents classified as major must be reported. 

  3. Notify the competent authority within the timeframe specified by the regulation. This notification must include the following sections: 

  • Nature of the incident. 

  • Expected impact. 

  • Mitigation measures. 

  • Additional information requested by the competent authority. 
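As an added example (not code from this page, from Acelera pyme, or from the regulation itself), the Python below turns the assessment and notification steps into a triage helper: it checks an incident against the major-incident rule and headline thresholds of the DORA classification RTS (Commission Delegated Regulation (EU) 2024/1772) and computes the three reporting deadlines set by the reporting RTS/ITS. The `Incident` fields, the `utc` helper, and the sample incident are this example's own constructions; the thresholds are the headline figures only and should be checked against the regulatory text before the helper is relied on.

```python
"""DORA incident triage: is the incident 'major', and when are the reports due?

Added example, not code from the original page. The major-incident rule and
thresholds follow the classification RTS (Commission Delegated Regulation (EU)
2024/1772); the deadlines follow the reporting RTS/ITS (Delegated Regulation
(EU) 2025/301 and Implementing Regulation (EU) 2025/302). Field names and the
sample incident are constructed for this example.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Constructor for timezone-aware UTC timestamps (this example's own helper)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class Incident:
    detected_at: datetime
    affects_critical_service: bool        # impact on critical or important functions (RTS Art. 6)
    malicious_unauthorised_access: bool   # RTS Art. 8(1)(a)
    clients_affected: int = 0
    total_clients: int = 1
    counterparts_affected_share: float = 0.0   # share of financial counterparts affected
    transactions_affected: int = 0
    daily_transactions: int = 1
    transactions_value_eur: float = 0.0
    reputational_impact: bool = False
    duration_hours: float = 0.0
    service_downtime_hours: float = 0.0
    member_states_affected: int = 1
    data_losses: bool = False             # availability/authenticity/integrity/confidentiality hit
    economic_impact_eur: float = 0.0


def criteria_met(inc: Incident) -> set[str]:
    """Return the classification criteria (other than 'critical services') whose
    headline RTS thresholds the incident meets."""
    met: set[str] = set()
    if (inc.clients_affected > 0.10 * inc.total_clients
            or inc.clients_affected > 100_000
            or inc.counterparts_affected_share > 0.30
            or inc.transactions_affected > 0.10 * inc.daily_transactions
            or inc.transactions_value_eur > 100_000_000):
        met.add("clients_counterparts_transactions")
    if inc.reputational_impact:
        met.add("reputational_impact")
    if inc.duration_hours > 24 or inc.service_downtime_hours > 2:
        met.add("duration_and_downtime")
    if inc.member_states_affected >= 2:
        met.add("geographical_spread")
    if inc.data_losses:
        met.add("data_losses")
    if inc.economic_impact_eur > 100_000:
        met.add("economic_impact")
    return met


def is_major(inc: Incident) -> bool:
    """RTS Art. 8: major if critical services are affected AND either malicious
    unauthorised access occurred or at least two other criteria meet their thresholds."""
    if not inc.affects_critical_service:
        return False
    return inc.malicious_unauthorised_access or len(criteria_met(inc)) >= 2


def plus_one_month(moment: datetime) -> datetime:
    """Calendar-month arithmetic for the 'one month' final-report deadline,
    clamping the day to the length of the target month."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def report_deadlines(inc: Incident, classified_at: datetime) -> dict[str, datetime]:
    """Worst-case deadlines, assuming each report is submitted exactly at its deadline:
    initial notification within 4 h of classification as major and no later than
    24 h after detection (the earlier bound wins); intermediate report 72 h after
    the initial notification; final report one month after the intermediate report."""
    initial = min(classified_at + timedelta(hours=4), inc.detected_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    return {"initial": initial, "intermediate": intermediate, "final": plus_one_month(intermediate)}


def sample_incident() -> Incident:
    """Constructed scenario: a small payment firm's online service is down for
    three hours, 12 % of clients cannot log in, and no intrusion is found."""
    return Incident(
        detected_at=utc(2025, 3, 3, 8),
        affects_critical_service=True,
        malicious_unauthorised_access=False,
        clients_affected=1_200,
        total_clients=10_000,
        duration_hours=3.0,
        service_downtime_hours=3.0,
    )


if __name__ == "__main__":
    inc = sample_incident()
    print("criteria met:", sorted(criteria_met(inc)))
    print("major incident:", is_major(inc))
    for name, due in report_deadlines(inc, classified_at=utc(2025, 3, 3, 10)).items():
        print(f"{name:>12} report due by {due:%Y-%m-%d %H:%M} UTC")
```

Two design points matter in practice. The initial-notification deadline is the earlier of the two bounds, so an incident classified late in the day after detection is still due 24 hours after detection, not 4 hours after classification. And the rule is conjunctive: an intrusion into a non-critical system, or a long outage that trips only one other criterion, is not "major" and does not trigger reporting, although it still belongs in the internal incident log.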

In summary, cybersecurity is essential for SMEs in the financial sector, and the DORA Regulation provides a framework for protection against growing digital threats. Adhering to its guidelines ensures that companies can withstand and recover from incidents, reinforcing customer trust. 

For more content on cybersecurity and protecting your business, visit our content section! 
