DORA's Scope: Precise Analysis of ICT-Related Operational Risk vs Cyber Threats
1. DORA's Fundamental Framework
1.1 Legal Basis and Scope
DORA (Digital Operational Resilience Act - Regulation (EU) 2022/2554) specifically focuses on:
- Resilience: Digital operational resilience
- Risk: ICT risk management
- Reporting: ICT-related incident reporting
- Testing: Digital operational resilience testing
- Third-Party: ICT third-party risk management
1.2 Key Definition: ICT-Related Incident
According to DORA Article 3(7):
'ICT-related incident' means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.
2. Precise Delineation of Scope
2.1 ICT-Related Incidents Include:
- Security incidents affecting:
  - Network security
  - Information systems security
  - Data security (availability, authenticity, integrity, confidentiality)
  - Service provision
- Operational disruptions involving:
  - ICT systems failures
  - ICT process failures
  - ICT-related human errors
  - External events affecting ICT systems
2.2 Types of Incidents as per RTS:
- Cybersecurity: Cybersecurity-related
- Process: Process failure
- System: System failure
- External: External event
- Payment: Payment-related
3. Comparison with Pure Cyber Threat Frameworks
3.1 Barnes' 10 Top Level Cyber Threat Clusters
Barnes' framework focuses specifically on cyber threats, with a clear categorization of attack types:
- Abuse: Abuse of functions
- Server: Exploiting Server
- Client: Exploiting Client
- Identity: Identity Theft
- MITM: Man in the Middle
- Flooding: Flooding Attack
- Malware: Malware
- Physical: Physical Attack
- Social: Social Engineering
- Supply Chain: Supply Chain Attack
3.2 Key Differences
DORA                                     | Barnes' Cyber Threat Clusters
-----------------------------------------|-------------------------------
Includes non-malicious system failures   | Focuses on malicious actions
Covers process failures                  | Focuses on attack vectors
Includes accidental human errors         | Focuses on intentional attacks
Broader ICT operational scope            | Specific cyber threat scope
4. Critical Distinctions
4.1 DORA's Broader Scope
- Operational Focus:
  - Includes any disruption to ICT systems or services
  - Not limited to malicious actions
  - Covers accidental and systemic issues
- Risk Management Approach:
  - Based on operational resilience
  - Includes business continuity
  - Focuses on service maintenance
4.2 Cyber Threat Specificity
- Barnes' Framework:
  - Specifically addresses malicious cyber actions
  - Clear attack vector categorization
  - Focus on threat actors and their methods
- DORA's Coverage of Cyber:
  - Includes cyber threats as a subset
  - Broader incident classification
  - Service impact oriented
5. Implications for Implementation
5.1 Reporting Requirements
Under DORA:
- Reporting: All significant ICT-related incidents must be reported
- Coverage: Both malicious and non-malicious incidents included
- Focus: Impact on services and operations
5.2 Risk Management Integration
Organizations need:
- Framework: ICT operational risk framework (DORA compliance)
- Threat Framework: Specific cyber threat framework (e.g., Barnes)
- Mapping: Clear mapping between frameworks
- Process: Integrated incident management process
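The mapping and the integrated incident process called for above can be made concrete in code. The following is an added example, not DORA's, the RTS's or Barnes' own data model: it applies the Article 3(7) test from section 1.2 to an incident record, assigns the RTS incident types from section 2.2, and maps only malicious incidents onto a Barnes cluster, so the same record serves both DORA reporting and threat-focused analysis. The cause tags, technique tags, field names and the four sample incidents are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class RtsType(Enum):
    """Incident types listed in section 2.2 (the RTS on incident reporting)."""
    CYBERSECURITY = "cybersecurity-related"
    PROCESS = "process failure"
    SYSTEM = "system failure"
    EXTERNAL = "external event"
    PAYMENT = "payment-related"


# Security properties named in DORA Article 3(7).
SECURITY_PROPERTIES = {"availability", "authenticity", "integrity", "confidentiality"}

# Assumed cause tags (not RTS terms) and how they map onto RTS types; treating
# "human-error" as a process failure is this example's choice, not the RTS's.
CAUSE_TO_RTS_TYPE = {
    "malicious": RtsType.CYBERSECURITY,
    "process": RtsType.PROCESS,
    "human-error": RtsType.PROCESS,
    "system": RtsType.SYSTEM,
    "external": RtsType.EXTERNAL,
}

# Assumed technique tags for malicious incidents, each mapped to one of
# Barnes' ten clusters; the tag names are constructed for this example.
BARNES_CLUSTERS = {
    "function-abuse": "Abuse of functions",
    "server-exploit": "Exploiting Server",
    "client-exploit": "Exploiting Client",
    "credential-theft": "Identity Theft",
    "interception": "Man in the Middle",
    "flooding": "Flooding Attack",
    "malware": "Malware",
    "physical": "Physical Attack",
    "social-engineering": "Social Engineering",
    "supplier-compromise": "Supply Chain Attack",
}


@dataclass
class Incident:
    ident: str
    planned: bool                                     # planned change windows are out of scope
    cause: str                                        # key of CAUSE_TO_RTS_TYPE
    impacted: Set[str] = field(default_factory=set)   # subset of SECURITY_PROPERTIES
    services_impacted: bool = False
    payment_related: bool = False
    technique: Optional[str] = None                   # key of BARNES_CLUSTERS, malicious only


def is_dora_incident(inc: Incident) -> bool:
    """Article 3(7): an unplanned event with an adverse impact on a security
    property of data or on the services provided. Whether anyone acted
    maliciously is not part of the test."""
    if inc.planned:
        return False
    return bool(inc.impacted & SECURITY_PROPERTIES) or inc.services_impacted


def rts_types(inc: Incident) -> Set[RtsType]:
    """RTS types are not mutually exclusive: a payment-related incident also
    carries the type of its cause."""
    if not is_dora_incident(inc):
        return set()
    types = {CAUSE_TO_RTS_TYPE[inc.cause]}
    if inc.payment_related:
        types.add(RtsType.PAYMENT)
    return types


def barnes_cluster(inc: Incident) -> Optional[str]:
    """Only malicious incidents land in a Barnes cluster. A system failure is
    a DORA incident with no cyber-threat counterpart, which is the asymmetry
    section 3.2 describes."""
    if inc.cause != "malicious" or inc.technique is None:
        return None
    return BARNES_CLUSTERS.get(inc.technique)


def triage(incidents: List[Incident]) -> Dict[str, dict]:
    """Annotate each record with both classifications so one incident process
    can feed DORA reporting and threat analysis from the same data."""
    return {
        inc.ident: {
            "dora": is_dora_incident(inc),
            "rts": sorted(t.value for t in rts_types(inc)),
            "barnes": barnes_cluster(inc),
        }
        for inc in incidents
    }


# Constructed sample records, not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1", planned=False, cause="malicious",
             impacted={"availability", "confidentiality"}, services_impacted=True,
             technique="malware"),
    Incident("INC-2", planned=False, cause="system",
             impacted={"availability"}, services_impacted=True),
    Incident("INC-3", planned=True, cause="system",
             impacted={"availability"}, services_impacted=True),
    Incident("INC-4", planned=False, cause="human-error",
             impacted={"integrity"}, payment_related=True),
]

if __name__ == "__main__":
    for ident, verdict in triage(SAMPLE_INCIDENTS).items():
        print(ident, verdict)
```

Running the block shows the distinction the analysis draws: INC-2 (a storage failure) and INC-4 (an operator error on a payment batch) are DORA incidents with RTS types but no Barnes cluster, INC-1 (ransomware) carries both classifications, and INC-3 is excluded only because it was planned. Keeping the two classifications on one record is what lets a single incident process satisfy DORA reporting and still hand the malicious subset to a threat-oriented framework.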
6. Conclusion
This analysis clarifies that:
- DORA's Scope: DORA addresses ICT-related operational risk and resilience, encompassing:
  - System failures
  - Process failures
  - Human errors
  - Cyber threats
  - External events affecting ICT
- Cyber Threats: Cyber threats form a subset of DORA's scope, specifically:
  - One type of ICT-related incident
  - Part of broader operational resilience
  - Need specific frameworks (like Barnes) for detailed categorization
- Organizational Needs: Organizations need both:
  - DORA compliance for overall ICT operational resilience
  - Specific cyber threat frameworks for detailed threat management
References
- DORA: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (Digital Operational Resilience Act)
- Technical Standards: DORA regulatory and implementing technical standards (RTS/ITS) on ICT-related incident reporting
- Barnes Framework: Barnes' 10 Top Level Cyber Threat Clusters
- Basel: Basel Committee on Banking Supervision, operational risk framework