Application Protection and DORA Compliance: What you need to know


In 2022, the European Union (EU) introduced the Digital Operational Resilience Act (DORA) as a comprehensive framework to ensure the operational resilience of financial entities. It is an attempt to implement the spirit of the BASEL II Cyber Resilience requirements. The goal is simple: to establish a high common level of digital operational resilience across the EU financial sector.

This regulation introduces legal measures to ensure that financial entities can withstand, respond to, and recover from all types of ICT (Information and Communication Technology)-related disruptions and threats.

DORA tightens security by focusing on specific areas and mandates the establishment of robust ICT risk management frameworks, a formal reporting process for cybersecurity incident reporting, and testing protocols.

It also introduces penalties for failing to meet risk management and reporting standards.

Who’s in charge of enforcing it?

The European Supervisory Authorities (ESAs) oversee the implementation and enforcement of DORA. The ESAs are the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). By the end of 2024, the ESAs are required to finish delivering their policy products under the Digital Operational Resilience Act (DORA). The ESAs have already started to publish drafts of Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and operational guidelines.

Expanding the Scope

One significant change with DORA is the expanded scope of financial entities required to comply. In addition to banks and insurance companies, DORA adds new entities such as investment firms, crypto-asset service providers, and third-party ICT service providers.

DORA Directive Requirements

DORA specifies key principles that organizations must address. Many of them are relevant to the implementation of application protection. They include:

  • Governance
  • Operational Risk Management
  • Business Continuity Planning and Testing
  • Mapping Interconnections and Interdependencies
  • Third-Party Dependency Management
  • Incident Management
  • Information Sharing and Communication

What to Look for in Network and Application Protection Solutions

To support these principles, early detection and prevention of cyber-attacks is critical. This can be achieved by effectively deploying network and application protection solutions that integrate:

  • AI and machine-learning based automation to detect and proactively respond to cyber threats and block malicious source IPs, unauthorized devices, and bots from impacting your applications.
  • 24/7 managed services and emergency response teams.
  • Advanced behavioral detection and mitigation techniques. These detection models must be continuously developed and updated by expert security researchers to maintain effectiveness.
  • Automated cross-correlation of security events in real-time to stop suspicious IPs before they cause harm.
  • Techniques to defend against malicious bots and web-based attacks, including proactive protection against emerging vulnerabilities and threats seen in the wild. Zero-day protection can be achieved by employing AI and machine learning.
  • Real-time threat intelligence feeds on active attackers, device and user validation methods like iOS/Android attestation and JavaScript verification.
  • Adaptive Security policies that use both negative and positive models (blocklists and allowlists) to respond automatically to the shifting threat landscape. The security policies should be automatically and continuously updated in real-time and monitored by the vendor’s security experts.
  • Detailed logging and reporting, as well as regular reviews—both quarterly and annually—with dedicated account managers. These reviews, conducted alongside the managed services team, should evaluate the effectiveness of current security measures, and ensure that risk management strategies remain robust and up to date.

Now, as to Specific Principles

Each principle is a bit more specific, so let us address those one by one:

Governance: Official Supervisory Authorities will be assigned. Your network and application protection solution should provide a holistic security umbrella to satisfy the “due diligence” control requirements of comprehensive protection against all current cyber-attack vectors in layers 3-7, from the network layer to the application layer. This includes incorporating WAF, API Protection, DDoS Protection, Bot Management, and Client-side protection—to ensure applications are protected against all types of threat vectors. The solutions in place should also provide threat activity reports as evidence of control and resiliency.

Operational Risk Management: Security incident management and reporting. For effective operational risk management, companies need a solution that offers real-time monitoring and alerting of security incidents. This should include the preparation of detailed logging and reporting capabilities to ensure that all incidents are documented and can be reported to the relevant authorities as required by DORA.

Business Continuity Planning and Testing: Companies need a business continuity and disaster recovery solution that prevents downtime, service disruption, and performance degradation. Ensuring business continuity requires the implementation of application delivery and protection mechanisms on the network and application layers. Financial Services organizations should consider implementing smart load balancing and other advanced protections against downtime related to DDoS attacks.

The solutions implemented should provide redundancy and failover mechanisms, and should be monitored and supported by a professional emergency response team (ERT) while under attack.

Mapping Interconnections and Interdependencies: Accurate Accounting of Applications. To manage interconnections and interdependencies, you need visibility into all your API traffic and into the third-party scripts and services connected to your applications. Protecting against attacks and breaches through APIs requires implementing solutions that can map and monitor your entire API matrix as well as the business logic of your applications, detect any anomalies, and block them in real-time. You also must not neglect the client-side/browser-side of your applications; implementing a client-side protection solution can help you discover third-party domains and scripts running on the browser side of applications and assess their threat levels.

A proper solution should block outgoing scripts to suspicious third-party services and prevent data leakage.
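As an added illustration of the dependency mapping described above (this is not Radware's product code and not part of the original post), the following Python script inventories the hosts a page loads scripts from, applies a blocklist (negative model) and an allowlist (positive model) of the kind discussed under adaptive security policies, flags any unreviewed third-party host, and emits the Content-Security-Policy `script-src` directive that would enforce the result in the browser. The sample HTML, the host names, the allowlist, and the blocklist are all constructed for the example.

```python
"""
Third-party script inventory with allowlist/blocklist evaluation.

Added example, not Radware's product code. Every host name, the sample
page, the allowlist and the blocklist below are constructed data.
"""
import re
from urllib.parse import urlparse

# Constructed sample page: a login page loading first- and third-party scripts.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-bank.com/js/login.js"></script>
<script src="https://analytics.vendor-a.example/tag.js" async></script>
<script src='https://js.payments-vendor.example/v2/checkout.js'></script>
<script src="https://cdn.unknown-widget.example/chat.js"></script>
<script src="https://evil-skimmer.example/loader.js"></script>
</head><body></body></html>
"""

FIRST_PARTY_HOSTS = {"www.example-bank.com", "cdn.example-bank.com"}

# Positive model: third-party hosts approved after a dependency review (constructed).
ALLOWLIST = {"analytics.vendor-a.example", "js.payments-vendor.example"}

# Negative model: hosts associated with known threat activity (constructed).
BLOCKLIST = {"evil-skimmer.example"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_script_hosts(html, page_host):
    """Return the set of hosts the page loads <script src> from.
    Relative URLs resolve to the page's own host."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        parsed = urlparse(src)
        hosts.add(parsed.netloc.lower() if parsed.netloc else page_host)
    return hosts


def classify_hosts(hosts, first_party, allowlist, blocklist):
    """Blocklist wins first (negative model), then the allowlist (positive
    model); anything else is an unreviewed dependency that needs a decision."""
    verdicts = {}
    for host in sorted(hosts):
        if host in blocklist:
            verdicts[host] = "block"
        elif host in first_party or host in allowlist:
            verdicts[host] = "allow"
        else:
            verdicts[host] = "review"
    return verdicts


def build_script_src_directive(verdicts, page_host):
    """CSP script-src directive enforcing the verdicts: 'self' covers the
    page host, every other allowed host is listed explicitly."""
    allowed = [h for h, v in sorted(verdicts.items())
               if v == "allow" and h != page_host]
    return "script-src 'self' " + " ".join(allowed) + ";"


def audit_page(html, page_host, first_party=FIRST_PARTY_HOSTS,
               allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Full audit: inventory, classification, review queue and CSP output."""
    hosts = extract_script_hosts(html, page_host)
    verdicts = classify_hosts(hosts, first_party, allowlist, blocklist)
    return {
        "verdicts": verdicts,
        "needs_review": sorted(h for h, v in verdicts.items() if v == "review"),
        "blocked": sorted(h for h, v in verdicts.items() if v == "block"),
        "csp": build_script_src_directive(verdicts, page_host),
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "www.example-bank.com")
    for host, verdict in report["verdicts"].items():
        print(f"{verdict:7} {host}")
    print("\nSuggested header: Content-Security-Policy: " + report["csp"])
```

Run against a real page, the `review` list is the starting point for the periodic third-party usage evaluation the next section calls for, and the generated directive gives the browser-side enforcement; a `Content-Security-Policy-Report-Only` rollout first is the usual way to confirm the allowlist is complete before blocking.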

Third-Party Dependency Management: Manage Third-Party Risk. Effective third-party dependency management is vital for staying ahead of cyber threats. Periodically evaluate the need and actual usage of third-party services, as well as their connectivity and exposure to data in your systems.

Make sure that the technology solutions you implement follow industry best-practice security standards, such as ISO certification and annual SOC 2 reports, to lower supply chain risk.

Incident Management: Track, Prevent or Remediate Potential Threats. For effective incident management, companies need a solution that offers real-time monitoring and alerting of security incidents. This should include detailed logging and reporting capabilities to ensure that incidents are documented and can be reported to the relevant authorities as required by DORA. Ask your security vendor to hold a quarterly threats and incidents review meeting and to provide you with the relevant reports for auditing.

Information Sharing and Communication: Gather and share information about cyber threats with other financial organizations and state agencies responsible for cyber threat intelligence and emergency response. Ensure that your application protection vendors conduct their own threat intelligence research and regularly provide you with analysis and insights. Additionally, choose vendors with a threat intelligence platform that you can access, which integrates and syncs with their application protection solutions as well as other third-party security systems.

As DORA's final, specific requirements have not yet been finalized, it is important for CISOs and Compliance Officers to keep track of the latest developments to ensure that the necessary solutions and controls are implemented before January 2025.

At Radware, we provide a comprehensive application protection solution that supports the application protection portion of DORA. Reach out to us with any questions.

Uri Dorot
Uri Dorot is a senior product marketing manager at Radware, specializing in application protection solutions, service and trends. With a deep understanding of the cyber threat landscape, Uri helps companies bridge the gap between complex cybersecurity concepts and real-world outcomes.
