Article 12 Digital Operational Resilience Act (DORA), Learning And Evolving

by Sneha Naskar

Article 12 of the Digital Operational Resilience Act (DORA) focuses on the protection and prevention measures financial entities must implement to ensure robust digital operational resilience. It outlines requirements for detecting ICT anomalies, monitoring user activities, and maintaining secure ICT environments to mitigate risks and enhance operational stability.

Capability to Gather and Analyze ICT Risks

To maintain robust digital operational resilience, financial entities must develop comprehensive capabilities to gather and analyze information related to ICT risks. This involves implementing systems and processes that can effectively identify vulnerabilities, monitor for cyber threats, and document ICT-related incidents, particularly those resulting from cyber-attacks. These capabilities should be tailored to the size, business scope, and specific risk profiles of the financial entities. By thoroughly analyzing the gathered data, entities can assess the potential impacts on their digital operational resilience and develop strategies to mitigate these risks effectively.

Post ICT-Related Incident Reviews

In the event of significant disruptions in core activities due to ICT incidents, financial entities are required to conduct thorough post-incident reviews. These reviews serve as a critical feedback mechanism to understand the root causes of the disruptions and identify necessary improvements in ICT operations. The reviews should cover:

  • Analyzing the causes of the disruption to pinpoint weaknesses or failures in the ICT infrastructure.
  • Identifying necessary improvements to ICT operations or within the ICT Business Continuity Policy as outlined in Article 10.
  • Communicating the identified changes and improvements to the competent authorities, particularly for financial entities other than microenterprises.

Post-incident reviews should assess several key aspects, including:

  • The promptness in responding to security alerts and assessing the severity of the incident.
  • The quality and speed of forensic analysis conducted to understand the incident.
  • The effectiveness of incident escalation procedures in ensuring timely response and resolution.
  • The effectiveness of internal and external communication during and after the incident.

Incorporation of Lessons Learned

Financial entities must continuously integrate lessons learned from various sources into their ICT risk assessment process. This includes insights gained from digital operational resilience testing as per Articles 23 and 24, real-life ICT incidents (especially cyber-attacks), challenges encountered during the activation of business continuity or recovery plans, and supervisory reviews. Incorporating these lessons ensures that financial entities remain adaptive and improve their resilience strategies over time. Reviews of relevant components within the ICT risk management framework, as described in Article 5(1), should reflect these continuous improvements.

Monitoring and Analysis of ICT Risks

An essential aspect of maintaining digital operational resilience is the ongoing monitoring and analysis of ICT risks. Financial entities are required to track the effectiveness of their digital resilience strategy as outlined in Article 5(9). This involves:

  • Monitoring the evolution of ICT risks over time to identify new threats and vulnerabilities.
  • Analyzing the frequency, types, magnitude, and patterns of ICT-related incidents, particularly cyber-attacks.
  • Understanding ICT risk exposure levels to enhance the entity’s cyber maturity and preparedness.

By analyzing these factors, financial entities can better comprehend their ICT risk landscape and develop more effective risk management strategies.

Reporting to the Management Body

Senior ICT staff must regularly report their findings on ICT risks and resilience to the management body of the financial entity. This reporting should occur at least annually and include recommendations based on the findings. These reports ensure that the management body remains informed about the current ICT risk landscape and the effectiveness of the resilience strategies in place.

ICT Security Awareness and Resilience Training

To foster a culture of security and resilience, financial entities must develop and implement comprehensive ICT security awareness programs. These programs should include digital operational resilience training as mandatory modules in the staff training schemes. Ensuring that all employees, including senior management, participate in these programs is crucial. The training should cover:

  • Understanding the importance of ICT security and resilience in the context of the entity’s operations.
  • Recognizing potential cyber threats and how to respond to them effectively.
  • Implementing best practices for maintaining digital operational resilience.

Additionally, financial entities must stay abreast of technological developments and assess their potential impacts on ICT security and digital operational resilience requirements. This involves continuously monitoring the latest ICT risk management practices to effectively mitigate current and emerging cyber threats.