DORA’s public consultation period is over. If your organisation deals with the finances of people or other entities based in the EU or provides services to a firm that does, you will want to know how its rule set has changed.

We’ve read through the Digital Operational Resilience Act (DORA) documentation and kept up to speed with the latest EU FSI regulation memos. 

The bottom line is that DORA remains a very demanding regulation with a huge scope. It will cover 95% of FSI businesses with EU customers, including those based in the UK, to some extent.

Now that the public consultation period has ended, we wanted to bring these updated requirements to your attention.

Threat-Led “Penetration Testing” Defined

DORA brings the concept of “threat-led penetration testing” to financial entities. 

Confusingly, threat lead penetration testing (TLPT) is not the kind of “penetration testing” that most ICT teams are familiar with. 

We can now finally confirm that DORA’s TLPT is a version of the TIBER-EU framework. This means that the testing is wide in scope and black box in nature, but with prescribed testing scenarios. It is more similar to red teaming than penetration testing (which is typically limited in scope).

We also know that TLPT is now mandatory and that a potentially wider range of companies, such as those in a business group of a covered entity, will be required to do TLPT. 

Hard Reporting Deadlines

4 hours. That's how long covered entities now have to do initial incident classification following a major ICT incident.

We can confirm that this report will need to include a narrative description of what happened and how the incident was discovered, along with time stamps and other information.

Then, within 72 hours, another intermediate report, including data about threats and techniques used by the threat actor, is required. 

A month later, a final report with a detailed analysis of the event, its impact, and how it was remediated needs to be submitted. 

These are rapid reporting deadlines and, from our estimation, will apply to a wider range of companies than before. 

A “Simpler” Risk Management Framework

DORA requirements scale. Depending on how “important” an organisation is to the wider financial sector, DORA will have different levels of applicability. 

One thing we know is that there is a simpler level of risk management for “small and non-interconnected investment firms, payment institutions.”

This means less stringent requirements for testing, reporting, and risk management. 

However, there was one line that struck us as important. Something that companies covered by DORA, big and small, will need to be able to do. That is to have “mechanisms to promptly detect anomalous activities.”

The key word here is “promptly”. The core compliance obstacle that most FSI firms will struggle with is speed. If you want to increase your speed when it comes to threat detection and reporting, consider SenseOn.  

Speed Up Security for Faster and Easier DORA Compliance

SenseOn is a plug-and-play security platform that makes DORA compliance faster, easier and less costly. 

We do something no other security platform does: We collect unified security data (network telemetry, user behaviour, endpoint events, and more) from a single sensor and feed that data into one of the most advanced security AI models in operation.

The upshot for DORA compliance is that with SenseOn, you can reduce your MTTR to minutes, deploy a ready-made SOC (optionally managed by us) in days, have an LLM create incident narratives in seconds, and totally change your security posture from reactive tool maintenance to proactive in a short time frame.