Operational Resilience now mandated for EU Financial Institutions

The safety and resilience of financial and credit institutions will soon be enforced under the Digital Operational Resilience Act (DORA), which applies to any relevant institution doing business in the European Union.

With the deadline less than a year away (enforcement begins on 17th January 2025), enterprises need a clear path to compliance that they can implement and maintain.

DORA outlines five critical areas where organizations must adhere to technical specifications:

  1. Information and Communication Technology (ICT) risk management
  2. ICT-related incident management, classification, and reporting
  3. Digital operations resilience testing
  4. ICT third-party risk
  5. Information Sharing

The overarching goal is to maintain the resilience of the financial system as a whole, minimizing disruption and downtime and ensuring business continuity.

What does this mean for the IT network in the context of large enterprises? Here are three things to keep in mind as you prepare for DORA.

1. The network in the spotlight; renewed focus, but also scrutiny

This regulation will bring renewed focus to identifying and classifying your critical business functions. In DORA, with respect to the financial industry, these are defined as functions "the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity." (DORA Article 3).

Ultimately, a key goal of DORA is business continuity. While it may seem very clear to network operators how critical continued network services are to the health and success of the business, in the context of a large organization, business leaders may not understand just how reliant their business is on the operational resilience of the network. A network compliance issue can be the first domino in costly, reputation-damaging business interruptions.

They don't know the scale of change (planned, and unplanned) network operators are managing day to day; they don't understand the complexity of dealing with different technologies and vendors, to satisfy ever-changing business operations; they don't understand that securing a network against a growing threat landscape is a continuous activity.

That said, as DORA compliance escalates to top priority - there are, after all, criminal penalties for non-compliance (DORA Article 52) - the network will take the spotlight as key to understand, visualize, and report on.

This fresh attention to what might previously have been relegated to "plumbing" or a cost center in the minds of leadership will unlock resources network engineers have desperately needed for years, but it will also bring scrutiny. And let's be clear, the first question will be "Where's your network documentation?"

This leads us to point 2...

2. Proving compliance is as important as being compliant

The regulations put forth in DORA make it clear that it's not enough to assume compliance - financial entities have a burden of proof, and must (both internally, and externally) continuously validate their compliance.

Exactly what this proof will look like might differ by organization (there is also a proportionality principle to note within DORA), but it includes, for example:

All this proof must be reported in the manner, and through the mechanisms, specified in Pillar 2 - ICT-related incident management, classification, and reporting - and the Regulatory Technical Standards that will specify the harmonization and centralization of DORA compliance reporting.

That said, the appointed overseers and responsible parties might not be networking experts, so raw network data won't be of much use. Which brings us to point 3...

3. Network Data will (necessarily) become very interesting to non-experts

A lot of DORA is principles-based: it does not necessarily specify exact policies or technologies to implement, and is more about having the right people, planning, and frameworks in place to provide continuous oversight.

Non-experts need key network information to ensure DORA compliance.

It's key to note that there's a lot that must be communicated to business leaders, clients, and stakeholders in the event of an ICT-related incident, for example "to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result" and to "clients about the major ICT-related incident and about the measures that have been taken to mitigate the adverse effects of such incident" (Article 17).

It's easy to imagine, then, in the event of a network-based ICT-related incident, that there is specific and complicated network information that must be made available and consumable for the above-mentioned parties.

Conclusion

These are just three threads to pull at as DORA crystallizes into clear specifications for financial entities and the IT networks that underpin them. As the scramble to assure and prove compliance starts, we'll keep an eye on the challenges and themes emerging for network teams.

For now, the best way to prepare is to ensure that your team has a comprehensive and accurate network understanding; an accurate inventory; clear and complete documentation; a mechanism to visualize the network and its interconnections and dependencies; and a realistic and feasible way to keep this all up-to-date and therefore, useful.

For more information on IP Fabric's network assurance platform, reach out to the team or try our self-guided online demo.

PCI Compliance is evolving. The payment card industry will see a new update to PCI DSS (Payment Card Industry Data Security Standard) enforced at the end of this month, with version 4.0 of the industry-wide regulations being applied from March 31st, 2024. We've shared how network assurance can assist in the PCI compliance processes before:

What are PCI Compliance, and PCI DSS?

We've discussed the 12 requirements of PCI DSS compliance before, but as a quick overview, this regulation requires all businesses that process payment card data to adhere to the following:

What's changing with 4.0?

From March 31st, these requirements become stricter in the interest of treating data security as a continuous business activity, with more frequent testing, strengthened security, and streamlined compliance reporting. More flexibility has also been introduced, with the acknowledgment and support of alternate methods of securing payment data, as long as security objectives are reached.

The full list of over 50 adjustments can be read in the PCI Council's Summary of Changes.

The spirit of proactivity and continuous assessment

A key theme emerging from the buzz around developing PCI DSS compliance standards is proactively taking measures to prevent, detect, and resolve security incidents. Continuous assessment is part of this proactive spirit.

The PCI Security Standards Council states that "doing the work" for PCI Compliance means documenting everything and avoiding recurring cycles of short-term compliance in favor of continuous practices.

When it comes to your IT network estate, automated assurance can help provide this continuous understanding of your end-to-end network state by automating your security audits, or providing daily network analysis reports for the teams that need them. Comprehensive and accurate historical understanding and documentation of your entire complex network estate will be part of a successful PCI-compliant organization.

For more detail on how IP Fabric can help, read our prior 4-part series on PCI compliance for your network linked above.

Want to try IP Fabric right now? Here's a self-guided, free online demo to see what automated network assurance is all about.
