DORA: Building Resilience through ICT incident management
Reporting an ICT incident is all about being able to contain an attack, to mitigate the damage, to warn others to be on their guard, and to recover from the damage.
The advantages of a harmonised ICT incident management system under DORA are immediately obvious. With cyberattacks becoming more sophisticated, and with the impact of those attacks affecting entities in multiple jurisdictions, companies welcome all the help they can get.
Reporting requirements under DORA
The EU is doing what it can to make reporting under the Digital Operational Resilience Act (DORA) as streamlined as possible, creating a harmonised matrix that categorises contagion risk and criticality across all Member States. The notification procedures ensure that information about breaches, or even the mere suspicion of one, is shared, thereby limiting the risk that their impact will spread. The procedures laid down by DORA will be less cumbersome for licensed entities in Malta, which have an advantage in that they already need to report ICT incidents in accordance with a matrix created by the financial services regulator, the Malta Financial Services Authority (MFSA). This has streamlined the categories of criticality, leaving no doubt as to the level of severity at which an incident should be classified.
ICT Incident Management
The classification triggers various reactions, from reporting requirements all the way to escalation in the case of a major incident or crisis. It also sets the clock ticking, with tight deadlines for reporting. This makes even more sense when seen in the context of the business continuity and disaster recovery plans imposed by DORA, which ensure that each scenario has been thought through in advance. A pre-planned series of recovery procedures allows a much faster reaction to be triggered, and therefore a much faster recovery, limiting the damage at a time of great confusion and pressure.
The existence of the MFSA mandatory reporting framework is, however, no excuse for complacency. Companies need to ensure that they have all the appropriate incident management procedures in place, that they are regularly updated, and that they are rigorously tested.
DORA Regulatory and Implementing Technical Standards
The first wave of Draft RTS (Regulatory Technical Standards) and ITS (Implementing Technical Standards) was published by the European Supervisory Authorities last year. The objective is to provide detailed specifications and guidelines on how certain provisions in the basic legislative Act should be implemented across the EU. The first batch of Policy Products consists of:
DORA also emphasises the role of the supervisory authority and the inspections it will need to carry out. In Malta, this is the Malta Financial Services Authority, which already has mandatory Guidelines on ICT related arrangements with which licensed entities need to comply.
Importance of training
Prevention is always the best option: companies need to ensure that their staff are properly trained, because cybercriminals target the weakest link, and human error is responsible for many successful ICT attacks.
Some of the most potent attacks have been inadvertently launched by a well-meaning employee clicking on a link in an email. Ongoing training will help employees to recognise likely scams and to know how to handle them, from reporting phishing emails or calls to disconnecting their workstations from the organisation's network to isolate any malware if a malicious link is clicked. In the end, reporting an ICT incident is all about being able to contain an attack, to mitigate the damage, to warn others to be on their guard, and to recover from the damage. It is also about doing so without delay, in spite of the uncertainty and panic that such an attack could cause. DORA is there to ensure that companies are prepared, creating certainty at the most critical times.
How can BDO help with DORA Compliance by the end of 2024?
At BDO Malta, we understand the profound impact that the journey towards DORA compliance has on the in-scope entities. Our team of regulatory and compliance technical experts is dedicated to helping your company navigate this complex environment.
Our comprehensive range of services includes the following:
Want to know more?
Get in touch with our technology team at [email protected]