Probability & Partners: DORA, the final (cybersecurity) frontier


This column was originally written in Dutch. This is an English translation.

By Maurits van den Oever, Quantitative Consultant at Probability & Partners

Today's society is vulnerable to cyber incidents. This became apparent once again after the incident on July 18 of this year caused by a software error at the American company CrowdStrike. The incident resulted in chaos at airports, transhipment facilities and elsewhere. It is therefore good that regulators and supervisors are paying attention to this.

De Nederlandsche Bank (DNB) has always played a pioneering role in the field of IT risk management for the financial sector. With the 'Good Practice Information Security' (GPIB) guideline, DNB has offered financial institutions a valuable tool to limit cyber risks.

Legislation has now been introduced at a European level in the form of the Digital Operational Resilience Act (DORA). The question is how these regulations relate to the GPIB. Two weeks ago, DNB provided an answer: DORA will become the legal framework for operational resilience from January 17, 2025.

It follows that the Good Practice Information Security (GPIB) will no longer be updated to align it further with DORA. It is also clear that supervisory activities based on the GPIB will stop in Q4 2024, when supervision switches to DORA. For companies that have not yet started implementing DORA, the signal is clear.

However, most companies are already well advanced with the GPIB 2019/2020. This guideline was updated in 2023 to encourage organizations to take further steps towards the implementation of DORA. Although the layout of the document has remained identical, things have changed for most controls from GPIB 2019/2020 to GPIB 2023. The most important changes are:

  • Including the digital operational resilience strategy in the risk management framework.
  • Risk-based implementation per control for further customization.
  • Business Impact Analysis forms the basis for ensuring the continuity of business operations.
  • Further elaboration of the role of the board, both in general and with specific controls.
  • Various bodies now have the responsibility to develop and maintain knowledge in the field of cyber threats.
  • Filling an independent information security position with a clearly defined range of tasks that reports directly to the board.
  • Finally, attention is also paid to opportunities and risks associated with technological developments. Examples of this are quantum computing and AI.

Completing the implementation of GPIB 2023 first is therefore a good step towards DORA. To organizations that must comply with DORA but have not yet implemented GPIB, I recommend skipping the 'intermediate step' of GPIB 2023, because DORA is now becoming the standard for managing IT and cyber risks and its requirements go further than the current GPIB.

What are the gaps?

Most organizations will be at a reasonable level of maturity with GPIB. For them it is obvious to start with a gap analysis to see where most of the work is involved. The main difference is that GPIB is principle-based, while DORA is rule-based. GPIB sets out guidelines for implementing the controls, while DORA comes with predetermined requirements. There is therefore less room for your own interpretation within the DORA regulations.

Other differences lie in the requirements themselves. For example, GPIB has no specific requirements for critical third parties. DORA does define specific parties that are considered critical digital service providers. The requirements have also been further specified in various areas. Examples of this are third-party risk management and various forms of resilience testing, but also the registration of all contractual relationships in the field of IT in a specific format.

In addition, GPIB remains a good practice, while DORA is a regulation. Although failure to comply with GPIB can lead to legal consequences, these are formulated in a much more concrete manner with DORA. In fact, there are hefty fines for non-compliance with DORA for the organizations that are in scope. The DORA regulations themselves call these fines 'proportionate and dissuasive'.

Customization

The mechanism that does offer some customization is DORA's 'proportionality principle'. It is not yet entirely clear how this will be applied: the precise criteria for qualifying for a limited implementation are not defined, nor is what such a limited implementation means for the individual controls. The principle is nevertheless somewhat closer to the risk-based approach to the controls under GPIB, which makes the gaps more manageable for smaller organizations.

Third parties

DORA also has plenty of implications for organizations that have (largely) outsourced their IT services. Managing third-party IT risks receives attention in GPIB, but is elaborated in far more detail in DORA's lower-level rules. Specific templates are also prescribed for recording all IT-related contractual agreements in the information register.

Furthermore, there must also be sufficient certainty about the operational resilience of the service providers. In concrete terms, addenda must be written for the contracts or SLAs of third parties to demonstrate the operation of the controls.

Supervisory Activities and the Final Frontier

The Q&A of the latest GPIB update outlines the regulator's timeline. In the second half of 2024, DNB will continue to supervise on the basis of GPIB 2023, but after that we will switch to European regulations. The message is clear: DORA is the Final Frontier in the field of cybersecurity.