Europe’s policymakers are increasingly concerned about cyberattacks on the region’s critical digital infrastructure.
To ensure the financial sector can better cope with shifting threats, the EU has drawn up the Digital Operational Resilience Act (DORA), a regulation that will apply from 17 January 2025.
DORA’s reach is significant, encompassing more than 22,000 financial entities and their ICT service providers operating within the EU. It will also affect those based outside of the EU that are interacting with these organizations.
In essence, compliance with DORA is the foundation on which financial services players can build a more robust and holistic security strategy that reflects the risks they have to contend with.
While most banks have long had rigorous security measures in place, DORA is designed to shore up the defenses throughout the financial ecosystem by involving more specialist players, including credit and payment institutions, crypto-asset service providers, central securities depositories and credit rating companies. It requires financial entities to minimize the risk of corruption or loss of data, prevent unauthorized access and technical flaws that may hinder business activity, and ensure their ICT systems remain available.
For financial entities, and indeed most other businesses today, apps and data are mission critical. Fully protecting these assets is vital, both to comply with DORA and to keep operating under attack. That means controls such as a robust web application firewall (WAF) against application-layer attacks, paired with dedicated distributed denial of service (DDoS) mitigation, since a WAF alone will not absorb a volumetric flood.
DORA also requires financial entities to promptly detect anomalous activities, including ICT network performance issues and related incidents, and to identify all potential material single points of failure. In the case of a major ICT-related incident, the financial entity must notify its regulator and inform affected clients and partners. It must then report on progress towards resolving the incident and produce a final report analyzing the root causes.
To meet those requirements, financial entities need full visibility of the performance and security status of their apps. This is where the F5 Distributed Cloud Console can play a big role. Designed to provide consolidated end-to-end visibility of the entire app estate, it ticks most of the boxes for DORA’s digital resilience compliance.
The F5 Distributed Cloud Console also helps with some of DORA’s more nuanced demands. For example, DORA requires financial entities to run a digital operational resilience testing programme that includes vulnerability assessments and, for the entities regulators identify as most significant, threat-led penetration testing (TLPT) at least every three years.
Until recently, this type of activity was almost entirely the domain of expert, and often expensive, “white hat” hackers. That is less true today: much of the routine work of discovering exposed assets and testing them for known vulnerabilities can now be automated, although TLPT itself must still be carried out by qualified testers.
Earlier this year, F5 launched its Distributed Cloud Web App Scanning solution, which enables organizations to continuously monitor the Internet, public repositories, exposed servers, and other sources to build a consolidated inventory of external-facing app services, exposed data, and vulnerabilities. On top of that, they can conduct automated penetration tests, identify potential vulnerabilities, obtain evidence of issues, and receive remediation guidance to improve security and support compliance.
Greater automation makes continuous penetration testing far more cost-effective than running it on a project-by-project basis, and it avoids holding up the release of new products and services.
All businesses should be aiming for a holistic approach to digital security, rather than trying to deploy specific point solutions to comply with DORA. Increased automation, enabled by advances in AI, makes it far easier to build security into the design, development and deployment of ICT infrastructure, components, apps and the accompanying application programming interfaces (APIs).
APIs, which are now essentially the digital economy’s central nervous system, are particularly important. Organizations should be pulling out all the stops to build vulnerability detection into application development processes, ensuring that risks are identified and policies implemented before APIs enter production.
As a direct response to this growing need, F5 Distributed Cloud Services offers a comprehensive, AI-ready API security solution. Gone are the days when companies were forced to use disparate tool sets to secure their APIs while they are built and during runtime. F5 provides vulnerability detection and observability throughout the development process, and at a time when API security has never been more important or complex, it removes the need for customers to pay for, and manage, separate API security products. API discovery, testing, posture management, and runtime protection in a single platform can be a big advantage in meeting DORA’s requirements.
Ultimately, DORA shouldn’t be seen as a headache. Rather, it is a big opportunity to refine and reinforce essential security measures across organizations. Nevertheless, it is a journey, and some will likely need to change their perceptions of what security actually means and how it is articulated.
Fortunately for everyone grappling with the challenges ahead, F5 has many of the tools needed both to comply with DORA’s monitoring and reporting requirements and to substantially lower the risk of crippling cyberattacks.