DORA - PATECCO GmbH

How PATECCO Supports Digital Operational Resilience in the Financial Sector: Expert-Interview with PATECCO’s special advisor Albert Harz

With the rapid digital transformation of the financial sector, operational resilience is no longer optional – it’s mission-critical. With the rise of cyber threats, complex regulatory requirements, and heightened reliance on Information and Communication Technology, financial institutions must ensure continuity, integrity, and security across all services and systems. To provide deeper insight into this critical issue Dr. Ina Nikolova sat down with Albert Harz who is PATECCO’s special advisor and ISO 27001 Lead Auditor, to discuss what digital operational resilience means under the new EU regulatory landscape and how financial institutions can prepare to meet these evolving demands. His expertise provides practical guidance on the scope, responsibilities, and key challenges introduced by the Digital Operational Resilience Act (DORA). Ina: Albert: Digital operational resilience refers to the ability of a financial entity to maintain its operational integrity and reliability, even in the face of ICT risks such as cyber threats or even a cyber-attack. This entails guaranteeing the quality and security of the information and network systems used to provide financial services, even in the event of disruptions. It involves having the ICT-related skills required to handle possible problems either directly or through outside service providers in order to guarantee the ongoing availability of financial services. Ina: Albert: The financial industry relies heavily on information and communication technology (ICT) to support daily operations and complex structures. ICT risk is greatly increased by growing digitization and connectivity, which makes the financial system especially vulnerable to cyberattacks and ICT disruptions. Financial organizations, particularly those that operate internationally, face difficulties in effectively managing ICT risk and reducing the effects of incidents due to gaps, overlaps, and inconsistencies in the Union’s current regulations. Maintaining the integrity and stability of the financial industry as well as the ongoing operation of the internal market depend heavily on ensuring digital operational resilience. Ina: Albert: The regulation applies to a wide range of financial entities. This includes, but is not limited to, credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, credit rating agencies, and crowdfunding service providers. Importantly, it also applies to ICT third-party service providers that supply services to these financial entities. Ina: Albert: A complete and documented ICT risk management framework must be established and maintained by financial entities. Mechanisms and steps for effectively and understandably managing ICT risk as well as safeguarding infrastructure and physical components should be part of this framework. In order to reduce the impact of ICT risk, entities must constantly monitor the security and functionality of all ICT systems, use robust tools and systems, and periodically review and update their risk scenarios. Additionally, they must keep track of and update inventories of relevant ICT assets on a regular basis. Ina: Albert: The regulation mandates a coordinated testing regime for digital operational resilience. All ICT systems and applications supporting critical or important functions must undergo appropriate testing at least once a year, according to financial entities other than micro-enterprises. These tests may consist of scenario-based testing, penetration testing, vulnerability assessments, and more. Additionally, at least every three years, specific financial entities that have been identified must perform advanced testing that simulates actual cyberthreats using threat-led penetration testing (TLPT). Ina: Albert: The regulation establishes a framework for managing ICT third-party risk. A strategy on ICT third-party risk, including a policy on the use of ICT services to support critical or important functions, must be adopted and reviewed on a regular basis by financial entities. They are required to keep a record of the terms of their contracts with these suppliers. In order to address possible systemic risks resulting from concentration and dependencies, the regulation also establishes an oversight framework for critical ICT third-party service providers. Contractual arrangements with critical or important functions must include specific elements to ensure oversight and resilience, including exit strategies. Ina: Albert: The Oversight Framework is a mechanism for continuous monitoring of the activities of ICT third-party service providers that are deemed critical to financial entities. Through the Joint Committee, the European Supervisory Authorities (ESAs) identify critical ICT third-party service providers according to standards pertaining to their degree of substitutability, systemic impact, and the significance of the financial entities they serve. For each designated critical provider, a Lead Overseer is assigned to carry out evaluations and offer suggestions regarding ICT risk mitigation and management. The objective of this framework is to guarantee the stability and integrity of the Union financial system while addressing the systemic effects of ICT third-party concentration risk. Ina: Albert: For violations of the rule, competent authorities have the authority to administer administrative fines and corrective actions. The degree of responsibility, the entity’s financial stability, the materiality and severity of the breach, and any prior breaches are some of the factors that determine the kind and extent of these measures. Violations of national laws may also result in criminal penalties for member states. If critical ICT third-party service providers disregard the Lead Overseer’s recommendations, they may also be subject to penalty payments. Ina: Albert: Thank you, Ina, for having me. Key Takeaways At PATECCO, we understand that digital operational resilience is not just about compliance – it’s about securing trust, stability, and long-term value for both financial institutions and their clients. With deep expertise in IAM, governance, and regulatory frameworks, we help organizations not only meet the technical demands of DORA, but also implement sustainable security strategies that strengthen business resilience. Stay tuned as we continue to share insights, success stories, and best practices on securing digital transformation in the financial sector. If your organization is seeking a reliable IAM partner with the capability to act decisively and scale effectively, feel free to reach us out at info@patecco.com or call +49 (0) 23 23 – 9 87 97 96 .

Which functionalities of PAM help organizations meet NIS2 and DORA requirements?

Uncategorized / Von Ina Nikolova

In an era where cyber threats are increasingly sophisticated and frequent, robust regulatory frameworks are essential to ensure the security and resilience of critical infrastructures. The Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) are two pivotal regulations in the European Union aimed at bolstering cybersecurity and operational resilience across various sectors, particularly financial services. Central to achieving compliance with these regulations is the implementation of effective Privileged Access Management (PAM) solutions. PAM solutions are designed to secure, manage, and monitor privileged access, addressing some of the most critical security challenges organizations face today. By providing advanced functionalities such as secure credential storage, granular access controls, real-time monitoring, and comprehensive auditing, PAM solutions help organizations meet the stringent requirements set by NIS2 and DORA. This article delves into the specific functionalities of PAM that align with and fulfill the requirements of NIS2 and DORA, illustrating how these tools not only enhance security, but also ensure regulatory compliance, thereby contributing to a robust and resilient cybersecurity framework. The Network and Information Systems Directive 2 (NIS2) The Network and Information Systems Directive 2 (NIS2) is an updated and enhanced version of the original NIS Directive, which was the first comprehensive piece of EU-wide legislation, focused on improving cybersecurity across member states. The NIS2 Regulation represents a significant advancement in the EU’s approach to cybersecurity, aiming to build a more resilient and secure digital landscape across member states. NIS2 aims to address the evolving landscape of cyber threats by expanding the scope of its predecessor, introducing more stringent requirements, and ensuring a higher level of security and resilience for network and information systems within the European Union. The Digital Operational Resilience Act (DORA) The Digital Operational Resilience Act (DORA) is a comprehensive regulatory framework proposed by the European Commission to enhance the cybersecurity and operational resilience of the financial sector within the European Union. DORA aims to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats effectively. Compliance with DORA requires financial entities to adopt proactive measures to identify, assess, and manage ICT risks effectively, ensuring they can continue to operate and safeguard financial stability in an increasingly digital economy. Specific PAM functionalities that align with the requirements of NIS2 and DORA 1. Secure Credential Storage and Management NIS2 and DORA mandate the protection of sensitive information and access credentials. PAM solutions provide secure storage for privileged credentials through encryption and secure vaulting mechanisms. This ensures that credentials are protected from unauthorized access, reducing the risk of credential theft and subsequent security breaches. Key functionalities include: encrypted vaulting of passwords and keys, automated password rotation to minimize exposure, secure access to credentials based on role and necessity 2. Granular Access Controls To comply with NIS2 and DORA, organizations must implement strict access control measures. PAM solutions offer granular access controls that enforce the principle of least privilege. This means users are granted only the access necessary for their roles, reducing the risk of unauthorized access to critical systems. The essential functionalities refer to: Role-based access control (RBAC) to define and enforce access policies, fine-grained access permissions tailored to specific tasks, approval workflows for elevated access requests. 3. Multi-Factor Authentication (MFA) MFA is essential for securing privileged access and is a requirement under NIS2 and DORA. PAM solutions integrate MFA to add an extra layer of security, ensuring that only authorized users can access privileged accounts. This reduces the risk of unauthorized access even if credentials are compromised. The core functionalities are as follows: Integration with various MFA methods (enforcement of MFA for all privileged access attempts, contextual MFA, adjusting the level of authentication required based on the risk associated with the access request). 4. Real-Time Monitoring and Auditing Continuous monitoring and auditing are critical for detecting and responding to security incidents, as required by NIS2 and DORA. PAM solutions provide real-time monitoring of all privileged activities and generate detailed audit logs. These logs help organizations detect suspicious behavior, respond to incidents promptly, and provide evidence for regulatory audits. Key functionalities include: Real-time session monitoring and recording, comprehensive audit trails of all privileged access and activities, alerts and notifications for anomalous or suspicious behavior. 5. Automated Privileged Session Management Effective session management is crucial for securing privileged access. PAM solutions offer automated session management to control and monitor privileged access sessions. This includes initiating, monitoring, and terminating sessions automatically, ensuring that all activities are tracked and secured. Important features comprise: automated session initiation and termination, session recording and playback for audit and forensic purposes and contextual session controls, such as limiting commands or actions based on policy. 6. Risk Assessment and Reporting NIS2 and DORA require organizations to continuously assess and manage risks associated with privileged access. PAM solutions include risk assessment tools that analyze the security posture of privileged accounts and identify potential vulnerabilities. These tools help organizations implement risk mitigation strategies and ensure ongoing compliance. Essential features encompass: Risk scoring and assessment for privileged accounts, automated reporting on compliance status and security posture, tools for continuous monitoring and risk assessment. 7. Incident Response and Forensics Rapid response and forensic analysis are crucial in the event of a security incident. PAM solutions facilitate quick incident response by providing detailed logs and real-time monitoring data that can be used to investigate and address security breaches. This capability helps organizations meet NIS2 and DORA requirements for incident response and recovery. Critical functionalities involve: detailed logging and forensic data collection, tools for quick analysis and response to security incidents, integration with incident response workflows and teams Why you should be NIS2 and DORA compliant? Adherence to the Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) is imperative for organizations seeking to fortify their cybersecurity defenses and ensure operational resilience in today’s digital landscape. By embracing NIS2 and DORA compliance, organizations not only fulfill legal obligations, but also proactively protect critical infrastructure, sensitive data, and customer trust. Compliance

DORA Regulation as an important step towards strengthening digital resilience

Uncategorized / Von Ina Nikolova

In the context of increasing cyber threats, strict adherence to and implementation of corresponding compliance regulations is becoming increasingly important. As providers of critical infrastructure, it is particularly important for financial organisations to prevent IT outages and security incidents in order to ensure business continuity. With the Digital Operational Resilience Act (DORA), the EU has issued a set of regulations to ensure digital operational stability and prevent systemic risks in the financial sector. The new requirements harmonise and tighten the existing regulatory requirements for ICT management and interfere with IT operations and outsourcing to third parties. At the same time, the verification and reporting obligations are increasing, which means a considerable amount of additional work. Which organisations are affected? DORA affects a large number of organisations in the financial sector. These include not only banks and insurance companies, which are already familiar with such regulations through the EBA/EIOPA guidelines on ICT security and outsourcing, but also trading venues, occupational pension schemes, providers of crypto services, insurance intermediaries and many other financial companies. The categorisation of the service is important for ICT providers, including cloud service providers, in the financial sector. If the services provided are considered „critical“ for financial organisations, the scope of DORA is applied directly to the ICT provider. This requires compliance with high security standards to ensure the resilience of the financial market. In addition, some of these large ICT providers fall directly within the supervisory framework. Where should business leaders start? To successfully fulfil the requirements of DORA, a proactive approach is crucial. Companies should carry out a comprehensive analysis promptly in order to identify and prioritise the necessary measures. Close collaboration between IT and business units is essential. The implementation and operation of the measures require continuous monitoring and regular adjustments. The support of external experts can speed up the process and ensure that all requirements are met on time. Furthermore, it is important that companies not only fulfil the regulatory requirements, but also establish a culture of cyber security throughout the entire company. Awareness-raising and training for managers, key roles and all other employees are therefore essential to strengthen digital resilience at all levels. DORA requires further development of the risk management system The implementation of the Digital Operational Resilience Act (DORA), which will be mandatory from 2025, requires a comprehensive review and further development of various aspects of the risk management system. This includes in particular: Implement DORA with the help of PATECCO’s Risk-OptimAIzer Risk management is nothing new, but the risk view must be extended to the corporate ecosystem. In other words, the risks that exist or arise for the company through the procurement of services must be factored in. For this purpose, we have developed a tool to implement the requirements of DORA at PATECCO. The new tool Risk-OptimAIzer is able to perform the following functions: PATECCO can help your company implement the DORA requirement by setting up a comprehensible IT risk management system. As a first step we create a GAP analysis of the status of your risk management in comparison to the DORA requirements and based on the results, we create a customised implementation offer. By leveraging Risk-OptimAIzer, organizations can establish a structured approach to IT risk management that aligns with DORA regulations. The tool enables organizations to assess, monitor, and mitigate risks effectively, while also ensuring compliance with regulatory requirements and driving continuous improvement in software delivery performance. The DORA Regulation is an important step towards strengthening digital resilience in the financial sector. Cybercrime remains a constantly growing threat, regardless of DORA, which is why sustainable and cyclical cybersecurity planning is necessary. With an early and strategic approach, companies can strengthen their digital resilience and effectively protect themselves against cyberattacks. The implementation of DORA should not be seen as an obligation, but as an opportunity to sustainably strengthen security and resilience to digital risks.