SOC 2 + The Digital Operational Resilience Act

For a fintech customer that is already SOC 2 Type II compliant, transitioning to DORA (Digital Operational Resilience Act) compliance will require implementing additional controls and adapting existing processes to meet the specific regulatory requirements of DORA. While SOC 2 focuses on security, availability, processing integrity, confidentiality, and privacy, DORA emphasizes digital operational resilience with a particular focus on risk management, incident reporting, third-party management, and governance within the financial services sector.

Here’s a breakdown of the additional controls and focus areas they will need to consider:

1. DORA Enhanced Incident Reporting and Management

• Mandatory Incident Reporting: DORA requires financial entities to report significant ICT-related incidents to the competent authority within set timelines. This is more stringent than SOC 2, which focuses on having incident response plans but does not mandate specific reporting timelines.
  • Additional Control: Develop a formal incident reporting process aligned with DORA’s requirements, including categorization of incidents and defined timeframes for reporting to regulators.
• Incident Classification: DORA requires incidents to be classified based on their severity and potential impact on customers and the financial system.
  • Additional Control: Implement a framework for incident classification to assess the severity and potential impact on customers and operations.

2. DORA ICT Risk Management Framework

• Risk Identification and Assessment: While SOC 2 emphasizes risk management in the context of security controls, DORA requires a broader ICT risk management framework that is tailored to the financial sector, covering all aspects of ICT, including third-party services.
  • Additional Control: Develop a comprehensive risk management strategy that includes ICT-specific risks and integrates this into the broader enterprise risk management approach.
• Scenario-Based Risk Analysis: DORA requires firms to perform scenario-based risk analysis and testing to assess the impact of severe but plausible events on their ICT systems.
  • Additional Control: Implement scenario-based risk analysis procedures to identify weaknesses and assess the impact of disruptive events on critical ICT functions.

3. DORA Third-Party Risk Management

• Enhanced Due Diligence for ICT Service Providers: DORA places significant emphasis on managing risks associated with third-party ICT providers, requiring more extensive oversight and due diligence than SOC 2.
  • Additional Control: Develop enhanced third-party risk assessment procedures, including specific requirements around concentration risks and exit strategies if a critical third-party provider is disrupted.
• Onboarding and Monitoring: Continuous monitoring of third-party services is essential to ensure they remain aligned with regulatory requirements.
  • Additional Control: Implement continuous monitoring (may require new tooling) and evaluation mechanisms for critical third-party providers, ensuring alignment with service level agreements (SLAs) and regulatory expectations.

4. DORA Operational Resilience Testing

• Penetration and Red Team Testing: SOC 2 typically covers regular vulnerability assessments and testing, but DORA calls for more rigorous operational resilience testing, including red team exercises.
  • Additional Control: Introduce red team exercises that simulate real-world attack scenarios to assess resilience against advanced cyber threats.
• Business Continuity Testing: While SOC 2 requires some continuity planning, DORA mandates testing of business continuity and disaster recovery plans more thoroughly.
  • Additional Control: Expand the scope and frequency of continuity plan testing, incorporating stress testing and recovery scenarios for critical ICT services.

5. DORA Governance and Oversight

• Board Accountability for ICT Risks: DORA emphasizes that the board or senior management should take direct responsibility for overseeing ICT risk management and resilience strategies. This is more explicit than the general oversight requirements in SOC 2.
  • Additional Control: Develop a governance structure that clearly defines the board’s role in ICT risk management, including regular reviews and updates on ICT risk and resilience.
• Reporting to Regulators: DORA requires regular reporting to regulatory authorities, including details on ICT risks, incidents, and testing outcomes.
  • Additional Control: Create a process for preparing and submitting periodic reports to regulatory bodies as required under DORA.

6. DORA Information Sharing and Threat Intelligence

• Sector-wide Information Sharing: DORA encourages financial institutions to participate in sector-wide information-sharing initiatives to strengthen collective resilience.
  • Additional Control: Establish processes to join and actively participate in threat intelligence networks and share relevant threat information with peers in the financial sector.
• Collaboration in Response to Cyber Threats: Develop protocols for working with other financial entities and regulators during cyber incidents.
  • Additional Control: Create formal collaboration protocols to engage with industry bodies and regulators during incidents.

7. DORA Regulatory Compliance Documentation

• Compliance with EU Standards: DORA requires alignment with EU standards, which may include adherence to specific guidelines and frameworks not covered by SOC 2.
  • Additional Control: Update the compliance program to align with DORA’s requirements and maintain documentation to demonstrate adherence to EU regulations.
• Readiness for Regulatory Audits: While SOC 2 focuses on audits related to control effectiveness, DORA requires readiness for more detailed regulatory audits.
  • Additional Control: Prepare for DORA-specific regulatory audits by maintaining detailed records of ICT risk management practices, testing results, and incident reports.

SOC 2 VS DORA Key Take Aways:

• Red Teaming is likely to be a new skill for smaller companies.
• Monitoring third parties, and potentially ending relationships, goes beyond what most companies do to comply with SOC 2.
• ICT Auditing is more stringent requiring additional testing, documenting and reporting of compliance activities.