DORA AND
AUTHENTICATION
Unlock DORA Compliance and Reinforce Operational Resilience with the MyID® Product Family - Your Key to a Secure Digital Transformation
The Digital Operational
Resilience Act (DORA) is a proposed regulatory framework designed to ensure
the operational resilience of digital systems and networks within the European
Union's financial sector. Developed by the European Commission, DORA aims to
manage and mitigate risks associated with ICT (information and communication)
systems, promoting a safe digital marketplace.
Currently in draft the act is likely to be implemented in
January 2025.
What you need to know to meet the new DORA Regulations?
DORA's primary focus is on three areas:
- ICT risk management
- ICT third-party risk
- Information sharing
Under DORA, firms are required to establish an ICT risk management
framework and carry out regular testing to identify vulnerabilities.
The Act also addresses the risk from third-party service
providers and insists on stringent contractual agreements, including the right
to audit and monitor these providers' activities.
Furthermore, DORA proposes the establishment of a digital
operational resilience testing framework that sets out the scope, frequency,
and methodology of ICT-related testing. It also seeks to enforce a more
harmonised approach across the EU to avoid fragmentation of rules and
regulations.
The third aspect of DORA revolves around information
sharing, with mechanisms put in place that oblige firms to notify and share
information about major ICT-related incidents within a firm or network.
The Act also highlights the importance of cooperation
between competent authorities and supports the sharing of intelligence and best
practices for enhancing digital operational resilience.
Who is Impacted?
DORA applies to the financial sector within the European Union, so mostly likely to include banks, insurance companies, and investment firms.
What are the authentication requirements?
The Digital Operational Resilience Act (DORA) outlines
requirements for financial institutions and service providers to increase the
operational resilience in the digital realm. While DORA doesn't explicitly
provide specific authentication requirements, it establishes principles that
indirectly refer to the implementation of strong access controls, which in turn
implies rigorous authentication procedures.
Some key areas related to authentication under DORA might
include:
- Risk Management: Firms should have proper risk management processes in place. This would include managing risks associated with authentication, such as password theft or phishing attacks.
- Operational Resilience: The ability of the system to absorb shocks, which would include ensuring that strong authentication is in place to prevent unauthorized access in the event of a cyber-attack.
- Incident Reporting: Any breaches in authentication leading to unauthorized access must be promptly reported.
- Testing: Firms would need to test the robustness of their authentication systems in extreme but plausible scenarios.
- ICT Risk: Firms need to identify, classify, and mitigate risks associated to their Information and Communication Technology (ICT) systems, which would include risks associated with authentication.
- Outsourcing: If any authentication services are outsourced, measures need to be taken to ensure that these services meet the required standards.
The European Commission is still working on regulatory technical standards detailing specific requirements under DORA, and these might provide additional clarity on authentication standards. Until then, firms should aim to follow best practices for strong authentication as part of their cybersecurity programme.
What's Next?
DORA is expected to significantly reshape the ICT risk
landscape for financial sector entities within the European Union. It aims to
harmonise rules across all EU member states, promote a safer digital market,
improve risk management, and mitigate the potential impact of ICT risks on
financial stability.
DORA presents an excellent opportunity for all organisations
to enhance their cybersecurity and resilience. Intercede is distinctively
positioned to help you fulfil the requirements of DORA, with tried-and-tested
and compliant authentication and credential management solutions ranging from
passwords to PKI.
Intercede: Your Partner in DORA Compliance
Intercede is a prominent provider of identity and access
management (IAM) solutions. With Intercede's proven and compliant
authentication solutions, you can confidently meet the requirements of DORA and
boost your organisation's overall security stance.
The MyID® product suite can be a key enabler for your
organisation in demonstrating compliance with the DORA requirements.
How can MyID enable Organizations to meet the requirements?
MyID Password Security Management (PSM), phishing-resistant Multi-Factor Authentication (MFA) and high-assurance PKI credential management (CMS) deliver:
- Secure policy-based cryptographic authentication for digital resources, in line with DORA's emphasis on solid access control.
- Protection for vital infrastructure against cyber threats like ransomware by offering secure phishing-resistant authentication at all endpoints, aligning with DORA's operational resilience principles.
- This not only secures user authentication but also mitigates the spread of ransomware and privilege escalation.
- Encryption of sensitive data based on PKI cryptography, with integrated key management, supporting DORA's mandate for protecting customer data.
- Robust and readily implementable password management conforming to the highest security standards, resonating with DORA's risk management provisions.
- Cryptographically-based PKI or FIDO MFA, key for DORA's focus on strong user authentication.
- Identity lifecycle management, which automates the creation, update, and deletion of user accounts and credentials, ensuring they are always matching the current status and needs of the users. This aligns well with DORA's governance of ICT and related resources.
The MyID product family is central to maintaining sound cyber hygiene practices, including enabling Zero Trust principles and identity and access Management, all key components of DORA's provisions for operational resilience.
Trusted by Governments and Enterprises Worldwide
Where protecting systems and information really matters, you will find Intercede. Whether its citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.
