Article 8 Digital Operational Resilience Act (DORA), Protection and Prevention

Sep 7, 2024

Article 8 of the Digital Operational Resilience Act (DORA) is focused on the protection and prevention strategies that financial entities must implement to safeguard their ICT (Information and Communication Technology) systems. This article outlines the comprehensive measures financial entities need to take to ensure their ICT systems are resilient, secure, and able to withstand potential cyber threats and operational disruptions.

Continuous Monitoring and Control of ICT Systems

To effectively protect ICT systems, financial entities must continuously monitor and control the functioning of their ICT systems and tools. This ongoing surveillance is crucial for identifying and mitigating potential risks before they can escalate into significant issues. By deploying appropriate ICT security tools, policies, and procedures, financial entities can minimize the impact of any identified risks. This proactive approach to monitoring allows for the swift identification of vulnerabilities, enabling financial entities to respond promptly and effectively to any threats or anomalies that may arise.

Designing Robust ICT Security Strategies

Financial entities are required to design, procure, and implement comprehensive ICT security strategies that prioritize resilience, continuity, and the availability of ICT systems. These strategies must also maintain high standards of security, confidentiality, and data integrity, regardless of whether the data is at rest, in use, or in transit. To achieve these objectives, financial entities must adopt state-of-the-art ICT technology and processes that provide robust protection against various threats.

Key Objectives of ICT Security Strategies

The ICT security strategies implemented by financial entities must achieve several critical objectives:

  • Security of Information Transfer: Financial entities must ensure that the means of transferring information are secure, preventing unauthorized access or interception of data during transmission.
  • Minimization of Data Corruption and Unauthorized Access: The strategies must include measures to minimize the risk of data corruption, loss, and unauthorized access. This includes implementing safeguards against technical flaws that could disrupt business operations.
  • Prevention of Information Leakage: Financial entities must put in place stringent controls to prevent information leakage, ensuring that sensitive data remains secure and confidential.
  • Protection Against Poor Administration: The strategies should also address risks related to poor administration or inadequate processing of data. This includes implementing robust record-keeping practices to ensure data integrity and accuracy.

ICT Risk Management Framework

As part of their broader ICT risk management framework, financial entities must develop and document an information security policy that outlines the rules for protecting the confidentiality, integrity, and availability of their ICT resources, data, and information assets. This policy should be designed with a risk-based approach, focusing on identifying and mitigating the most significant threats to the entity's ICT infrastructure.

Network and Infrastructure Management

Financial entities are required to establish sound network and infrastructure management practices. This includes using appropriate techniques, methods, and protocols to manage their ICT systems. A key aspect of this is the implementation of automated mechanisms that can isolate affected information assets in the event of a cyber-attack. Additionally, financial entities must design their network connection infrastructure in a way that allows it to be severed instantaneously if necessary. Compartmentalisation and segmentation of the network are also critical to prevent the spread of threats, especially in interconnected financial processes.

Access Control Policies

To further protect ICT systems, financial entities must implement policies that strictly limit both physical and logical access to ICT resources and data. Access should be granted only for legitimate and approved functions and activities. To achieve this, financial entities should establish comprehensive policies, procedures, and controls that govern access privileges, so that access to ICT systems is appropriately managed and only authorized individuals can reach sensitive information.

Strong Authentication Mechanisms

Financial entities must implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, together with protection measures for cryptographic keys. Under these measures, data is encrypted according to the results of approved data classification and ICT risk assessment processes, so that neither the keys nor the data they protect can be accessed without authorization.

ICT Change Management

Effective change management is another critical component of the ICT risk management framework. Financial entities must implement policies, procedures, and controls for managing changes to ICT systems, including software, hardware, firmware components, and security settings. These changes must be based on a risk-assessment approach and integrated into the entity's overall change management process. This ensures that all changes are recorded, tested, assessed, approved, implemented, and verified in a controlled manner. Specific protocols must also be in place for managing emergency changes, with the ICT change management process approved by the appropriate lines of management.

Patch Management and Updates

Finally, financial entities must have comprehensive policies in place for managing patches and updates. Regularly updating software and applying patches is essential for addressing vulnerabilities and ensuring that ICT systems remain secure against emerging threats.

In conclusion, Article 8 of DORA outlines the critical steps financial entities must take to protect their ICT systems and prevent operational disruptions. By implementing robust monitoring, security strategies, and risk management practices, financial entities can enhance their resilience against cyber threats and ensure the continuity of their operations in an increasingly digital landscape.