top of page
christian-lue-8Yw6tsB8tnc-unsplash.jpg

Nemesis Breach and Attack Simulation
for DORA compliance

WHAT IS DORA?

The Digital Operations Resiliency Act (DORA), Regulation (EU) 2022/2554, seeks to enhance the resilience, reliability and continuity of financial services across the EU. Published in the Official Journal of the European Union on December 27, 2022, DORA mandates compliance by January 17th, 2025.
 

DORA introduces new obligations for service providers and their critical service suppliers to mitigate disruptions in digital operational services. The framework emphasizes risk management, incident detection and reporting to regulatory authorities, and regular testing of resilience capabilities across five pillars.

​

Find out how the Nemesis Breach and Attack Simulation platform can assist you in your journey to DORA compliancy.

THE IMPORTANCE OF DORA

The Digital Operational Resilience Act addresses a significant gap in EU financial regulation. Prior to the implementation of DORA, financial institutions primarily managed operational risk through capital allocation, overlooking critical components of operational resilience.

​

Following the enactment of DORA, financial institutions are required to adhere to stringent regulations governing the protection, detection, containment, recovery, and remediation of ICT-related incidents. DORA explicitly outlines rules pertaining to ICT risk management, incident reporting, operational resilience testing, and monitoring of ICT third-party risks.

​

This Regulation acknowledges the potential of ICT incidents and operational resilience shortcomings to undermine the stability of the entire financial system, even in the presence of "adequate" capital reserves for traditional risk categories.

WHAT HAPPENS TO NON-COMPLIANT ORGANIZATIONS?

In the event of non-compliance with the Digital Operational Resilience Act (DORA), financial institutions may face significant penalties and regulatory actions. These consequences can include:
 

Regulatory authorities have the authority to impose fines and monetary penalties on non-compliant organizations. The amount of the fines can vary depending on the severity of the breach and the impact on the financial system but can be as high as 2% of annual worldwide turnover for financial firms. Failure to report threats and critical incidents will also result in penalties.

 

Non-compliant ICT 3rd party vendors failing compliance will be penalized 1% per day of annual worldwide turnover up to 6 months. Individuals can be penalized between 500,000 - 1 million euro.

THE FIVE DORA PILLARS 
 and what to expect from Nemesis Breach and Attack Simulation

guillaume-perigois-0NRkVddA2fw-unsplash.jpg

ICT INCIDENT REPORTING

PILLAR 1

Group.png

ICT RISK MANAGEMENT

PILLAR 2

Group.png

DIGITAL OPERATIONAL RESILIENCE TESTING

PILLAR 3

ICT THIRD-
PARTY RISK MANAGEMENT

PILLAR 4

INFORMATION AND INTELLIGENCE SHARING

PILLAR 5

Nemesis Breach and Attack Simulation

PILLAR 2: ICT RISK MANAGEMENT 

​

Nemesis is a Breach and Attack Simulation software which allows you to simulate the scenarios commonly used by Threat Actors and scenarios based on threat intelligence in accordance with Articles 9, 10 and 16. For more information see the sources at the bottom of the page.

​

As written in Article 9 of DORA: Protection and Prevention
 

"For the purposes of adequately protecting ICT systems and with a view to organizing response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimize the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures."

​

As written in Article 10 of DORA: Detection 
 

"To detect anomalous activities, ICT network performance issues and ICT-related incidents, financial entities shall implement detection mechanisms allowing them to collect, monitor and analyze all of the following:

(i) internal and external factors
(ii) potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity
(iii) ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and which may affect the financial entity.

​

As written in the ESA Guidelines Article 36 in accordance to DORA Article 16 : Simplified ICT risk management framework

 

"Financial entities shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures and ensure that this plan considers threats and vulnerabilities identified as part of the ICT risk management framework. Financial entities shall ensure that reviews, assessments and tests of ICT security measures are conducted taking into consideration the overall risk profile of the financial entity.  Financial entities shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions."
 

​

PILLAR 3: DIGITAL OPERATIONAL RESILIENCE TESTING 

​

Nemesis allows organizations to continually test scenarios that can impact their cyber security posture, and assist in their vulnerability assessments in accordance with Articles 24 and 25. Persistent Security Industries covers articles 26 and 27 as part of the consulting branch. For more information see sources at the bottom of the page. 

​

As written in Article 24 of DORA: General requirements for the performance of digital operational resilience testing 

​

"For the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities shall establish, maintain and review, with due consideration to their size, business and risk profiles, a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework referred to in Article 5."


"The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with the provisions of Articles 22 and 23."

​

As written in Article 25 of DORA: Testing of ICT tools and systems
 

"The digital operational resilience testing programme shall provide the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing."

​

SOURCES

  1. JC 2023 86 - Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework (europa.eu) - Article 23.2 in accordance with article 10 of EU 2022/2554

  2. Digital Operational Resilience Act (DORA), Article 9 (digital-operational-resilience-act.com) 

  3. Digital Operational Resilience Act (DORA), Article 10 (digital-operational-resilience-act.com)

  4. JC 2023 86 - Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework (europa.eu) - Article 36 in accordance with article 16 of EU 2022/2554

  5. JC 2023 86 - Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework (europa.eu) -  Article 16 of EU 2022/2554

  6. Digital Operational Resilience Act (DORA), Article 25 (digital-operational-resilience-act.com) 

bottom of page