The European Union passed the Digital Operational Resilience Act (DORA) in 2022 to strengthen the security posture of financial institutions operating in the EU. Financial institutions were singled out because they regularly handle high-stakes confidential consumer data via information and communications technology (ICT). DORA specifically addresses financial risks in terms of ICT incidents and operational resilience, as opposed to traditional risk-mitigation strategies that focus on capital allocation.
Although many nations in the EU already have ICT risk management regulations, DORA is an overarching measure designed to address the concern that a significant ICT incident could jeopardize the stability of the entire financial system.
The new law will go into effect on January 17th of next year. DORA dictates technical standards that financial institutions and third-party ICT service providers must meet. It applies to all traditional and non-traditional financial institutions and vendors that provide services to financial institutions, such as data centers and cloud service companies.
DORA outlines technical requirements in five areas, although only four are mandatory:
To achieve these objectives, covered entities must take a holistic approach to cybersecurity, which includes conducting comprehensive risk assessments, deploying risk management frameworks, establishing a governance structure, and incorporating ICT risk into their overall risk management strategy.
DORA will undoubtedly lead to strategic approaches to application security, with tools and technologies to bolster security and detect and respond to threats. Application security posture management (APSM) will play a significant role in DORA compliance, given how heavily applications are incorporated into financial institutions’ daily operations.
DORA is the latest evolution of the constantly expanding data protection and consumer privacy regulatory landscape. As governments struggle to keep up with tech advancements and malicious actors, we expect to see more legislation in the future — particularly as artificial intelligence (AI) applications continue to flood the market.
Unlike some cybersecurity frameworks, DORA doesn’t take a granular approach to AppSec, but it does include articles that address the need for strict security protocols in applications. This is a logical approach, given DORA’s intent to move cybersecurity responsibility up to the highest executive levels, much like the Sarbanes-Oxley Act did with financial reporting. However, despite the top-down approach, there’s no getting around the fact that financial institutions heavily use applications and present a comprehensive and attractive attack surface for cybercriminals. As a result, DORA compliance can’t be accomplished without ASPM solutions.
The specific ways ASPM can help with DORA compliance include the following.
By emphasizing a holistic approach to cybersecurity, DORA recognizes that tools and technology can quickly become outdated — and hackers are always on the cutting edge. So, a scripted approach to application security can quickly become inadequate. Instead, financial institutions must implement ASPM to keep up with known and evolving threats and continuously monitor and secure applications at the code level in all states.
Third-party risk management is a significant element of DORA. The massive outage caused by a CrowdStrike bug in July 2024 demonstrated how extensive third-party complications can be. However, the danger is limited to service providers. Third-party code, dependencies, and libraries are often included in proprietary databases. If this code isn’t tracked and remediated appropriately, it can offer an exploitable opportunity for hackers.
Application security testing solutions like software composition analysis (SCA) tools scan codebases to identify third-party and open-source code. A software bill of materials (SBOM) is an essential requirement of a comprehensive cybersecurity posture because securing code without knowing its composition is impossible.
Once vulnerabilities are discovered, they need to be addressed. While this seems obvious, some of history’s most significant security breaches resulted from known but unpatched vulnerabilities.
To prevent such incidents, companies must deeply understand their entire security posture. Using ASPM, they can examine code integrity, software composition analysis, API security, and all other granular aspects of their application security.
DORA requires regular testing so vulnerabilities can be identified and remediated quickly. Many organizations that perform periodic testing don’t do it often enough. It’s almost impossible to over-test applications. Static application software testing (SAST) can test code before it’s run, scanning code in the IDE before changes are committed to the codebase. Dynamic application security testing (DAST) tests code while it’s running. Automated tools make it simple to continuously test code and catch vulnerabilities or flaws before they become exploitable.
At Kiuwan, we’ve been preaching the virtues of taking an end-to-end approach to application security since our inception. We believe the increasing scrutiny around application security and firming up the critical infrastructure involved in financial services with the enforcement of DORA — along with other regulations such as Switzerland’s Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks (EMBAG) — is creating a cybersecurity culture that will be good for all of the countries and verticals involved. It’s also likely to spread awareness about application security that will benefit markets not directly included under these regulations.
We’re seeing application security scanning become more of a default expectation than a measure going above and beyond. Many new laws are simply shifting security practices that we’ve known to be effective from option to required. Almost all of the measures outlined in DORA — at least those directly related to application security — are well-known cybersecurity best practices and have been for years. The biggest lesson of new regulations is that companies may as well shift left and incorporate security from the beginning because, eventually, such an approach will be mandatory rather than suggested. Making the switch now will save time and effort in the long run. Reach out today to discuss how we can help.
