May 20, 2024

Continuous controls monitoring (CCM): Your secret weapon to navigating DORA

Tom Schneider

Financial institutions are a critical backbone of local, regional and world economies. As such, the financial services industry is highly regulated and often faces new compliance mandates and requirements. Threat actors target the industry because it manages and processes valuable customer personally identifiable information (PII) such as account, transaction, and behavioural data.

Maintaining consistent operations is critical, especially in an interconnected, global economy. To standardise processes for achieving operational resilience, the European Parliament passed the Digital Operational Resilience Act (DORA).

What is DORA? 

DORA is a regulation passed by the European Parliament in December of 2022. DORA applies to digital operational resilience for the financial sector. DORA entered into force in January of 2023, and it applies as of January 17, 2025.


Two sets of rules, or policy products, provide the regulatory and implementation details of DORA. The first set of rules under DORA was published on January 17, 2024, and consists of four Regulatory Technical Standards (RTS) and one Implementing Technical Standard (ITS). It is worth noting that not all the RTSes contain controls that financial entities need to implement. For example, JC 2023 83, the “Final Report on draft RTS on classification of major incidents and significant cyber threats,” provides criteria for entities to determine whether a cybersecurity incident would be classified as a “major” incident according to DORA.

The public consultation on the second batch of policy products is complete, and the feedback is being reviewed before the final versions of the policies are published. Based on the feedback received from the public, the finalised documents will be submitted to the European Commission on July 17, 2024.

What is Continuous Controls Monitoring (CCM), and how can it help? 

DORA has a wide-ranging set of articles, many of which require the implementation and monitoring of controls. Organisations can use a continuous controls monitoring (CCM) solution, which is an emerging governance, risk and compliance technology, to automate controls monitoring and reduce audit cost and stress. When choosing a CCM solution for DORA, consider a data fabric platform that brings together data from enterprise IT and cybersecurity tools and enriches it with business data to help organisations apply data analytics for measuring and reporting on the effectiveness of internal controls and conformance to laws and regulations. The following are examples of how CCM could be used to support DORA compliance. 

Continuous Monitoring: 

Article 9 of DORA, Protection and prevention, explains that to adequately protect Information and Communication Technologies (ICT) systems and organise response measures, “financial entities shall continuously monitor and control the security and functioning of ICT systems.” Similarly, Article 16, Simplified ICT risk management framework, requires entities to “continuously monitor the security and functioning of all ICT systems.” 


Additionally, Article 6 requires financial entities to “minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.” It goes on to require setting clear objectives for information security that include Key Performance Indicators (KPIs), and implementing preventative and detective controls. Reporting on the implementation of multiple controls, combining compliance data with organisational hierarchy, and reporting on KPIs are all tasks that CCM excels at. When choosing a CCM solution for DORA, consider one that supports uninterrupted oversight of multiple controls by automating the ingestion of data, formatting it, and then presenting it to users through the business intelligence solution of their choice.

The Articles of JC 2023 86, the “Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework,” contain many ICT cybersecurity requirements that are a natural fit to be measured by CCM. Here are some examples of these controls:

  • Asset management: entities must keep records of a set of attributes for their assets, such as a unique identifier, the owner, business functions or services supported by the ICT asset, whether the asset is or might be exposed to external networks, including the internet, etc. 

  • Cryptographic key management: entities need to keep a register of digital certificates and the devices that store them and must ensure that certificates are renewed prior to their expiration. 

  • Data and system security: entities must select secure configuration baselines for their ICT assets and must regularly verify that the baselines are in place. 

A CCM solution built on a platform that correlates technical and business data supports security, risk, and compliance teams in building accurate, reliable reports to help measure compliance. It provides consistent visibility into control status across multiple teams throughout the organisation. This reduces the need for reporting controls in spreadsheets and in multiple dashboards, helping business leaders make more immediate and data-driven governance decisions about their business. 
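As an added illustration (not DataBee's code or any vendor's product), the following Python script shows what a CCM check of the three controls listed above can look like once asset, certificate and configuration data have been brought onto one platform: it validates asset records against the required attributes, flags certificates that are expired or inside an assumed 30-day renewal window, cross-references the certificate register against the asset inventory, compares observed settings against a secure-configuration baseline (treating an unobserved setting as unverified rather than compliant), and rolls the findings up into per-control counts of the kind a dashboard would display. The inventory, certificate register, baseline and observed settings are constructed sample data, and the field names and the 30-day window are assumptions rather than values taken from the RTS.

```python
from datetime import date, timedelta

# Attributes the RTS text above says every asset record must carry.
REQUIRED_ASSET_FIELDS = ("asset_id", "owner", "business_function", "internet_exposed")
# Lead time before expiry at which a certificate is flagged. Assumed value:
# the RTS requires renewal before expiry, the 30-day window is ours.
RENEWAL_WINDOW_DAYS = 30
# Reporting date for the sample run (the date of this post).
AS_OF = date(2024, 5, 20)

# Constructed asset inventory, shaped as an ingestion pipeline would normalise it.
ASSETS = [
    {"asset_id": "srv-001", "owner": "payments-team",
     "business_function": "card clearing", "internet_exposed": True},
    {"asset_id": "srv-002", "owner": "",                        # owner not recorded
     "business_function": "batch settlement", "internet_exposed": False},
    {"asset_id": "srv-003", "owner": "treasury",
     "business_function": "fx pricing"},                        # exposure not recorded
]

# Constructed certificate register: certificate, the device holding it, expiry.
CERTIFICATES = [
    {"cert_id": "cert-a", "asset_id": "srv-001", "not_after": date(2024, 6, 5)},   # inside renewal window
    {"cert_id": "cert-b", "asset_id": "srv-002", "not_after": date(2024, 12, 1)},  # fine
    {"cert_id": "cert-c", "asset_id": "srv-003", "not_after": date(2024, 5, 1)},   # already expired
    {"cert_id": "cert-d", "asset_id": "srv-999", "not_after": date(2025, 1, 1)},   # device not in inventory
]

# Constructed secure-configuration baseline and the settings scanners observed.
BASELINE = {"ssh.password_auth": "no", "tls.min_version": "1.2", "audit.enabled": "yes"}
OBSERVED_CONFIG = {
    "srv-001": {"ssh.password_auth": "no", "tls.min_version": "1.2", "audit.enabled": "yes"},
    "srv-002": {"ssh.password_auth": "no", "tls.min_version": "1.2", "audit.enabled": "yes"},
    "srv-003": {"ssh.password_auth": "no", "tls.min_version": "1.0"},  # audit setting not observed
}

CONTROLS = ("asset_management", "certificate_management", "secure_baseline")


def check_asset_records(assets):
    """Asset management: each record carries every required attribute, non-empty."""
    findings = []
    for asset in assets:
        missing = [f for f in REQUIRED_ASSET_FIELDS if asset.get(f) in ("", None)]
        if missing:
            findings.append((asset.get("asset_id", "<no id>"), "asset_management",
                             "missing attributes: " + ", ".join(missing)))
    return findings


def check_certificates(certs, today, known_assets):
    """Key management: certificates renewed before expiry and held by known devices."""
    findings = []
    horizon = today + timedelta(days=RENEWAL_WINDOW_DAYS)
    for cert in certs:
        cid, aid, exp = cert["cert_id"], cert["asset_id"], cert["not_after"]
        if aid not in known_assets:
            findings.append((aid, "certificate_management", f"{cid} held by device not in inventory"))
        if exp < today:
            findings.append((aid, "certificate_management", f"{cid} expired on {exp}"))
        elif exp <= horizon:
            findings.append((aid, "certificate_management", f"{cid} expires {exp}, renew now"))
    return findings


def check_baselines(baseline, observed):
    """Data and system security: baseline verified on each asset. A setting the
    scanner did not report counts as unverified, not as compliant."""
    findings = []
    for asset_id, config in observed.items():
        for key, expected in baseline.items():
            actual = config.get(key)
            if actual is None:
                findings.append((asset_id, "secure_baseline", f"{key} not verified"))
            elif actual != expected:
                findings.append((asset_id, "secure_baseline",
                                 f"{key} is {actual!r}, baseline requires {expected!r}"))
    return findings


def control_status(assets, certs, baseline, observed, today):
    """Roll findings up per control into the counts a CCM dashboard would show."""
    asset_ids = {a["asset_id"] for a in assets}
    findings = (check_asset_records(assets)
                + check_certificates(certs, today, asset_ids)
                + check_baselines(baseline, observed))
    status = {}
    for control in CONTROLS:
        hits = [f for f in findings if f[1] == control]
        failing = {f[0] for f in hits}
        status[control] = {
            "compliant": len(asset_ids - failing),
            "non_compliant": len(failing & asset_ids),
            "unknown_assets": sorted(failing - asset_ids),   # register entries with no inventory match
            "findings": [f"{aid}: {msg}" for aid, _, msg in hits],
        }
    return status


if __name__ == "__main__":
    for control, row in control_status(ASSETS, CERTIFICATES, BASELINE, OBSERVED_CONFIG, AS_OF).items():
        print(f"{control}: {row['compliant']} compliant, {row['non_compliant']} non-compliant")
        for line in row["findings"]:
            print("   ", line)
```

Run directly, the script prints the per-control summary for the reporting date. In a real pipeline the constructed lists would be replaced by normalised feeds from the CMDB, the certificate management system and the configuration scanners, and the roll-up would be joined to the organisational hierarchy so that each manager sees only the assets in their own unit.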

Executive Oversight: 

Financial entities are required to have internal governance to ensure the effective management of ICT risk (Article 5, Governance and organisation). CCM solutions that integrate with business intelligence solutions, like Power BI and Tableau, to build executive dashboards and data visualisations can provide an overview of multiple controls through a single display.

Roles and Responsibilities:  

DORA Article 5(2) requires management to “set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions.” A CCM solution that combines organisational hierarchy with control compliance data makes roles and responsibilities explicit, which helps improve accountability across risk, management, and operations teams. That is, a manager using CCM does not have to guess which of the assets or people belonging to their organisation are compliant with corporate policy or regulations; they can view their compliance status directly.

CCM dashboards and detail views provide the specifics about any non-compliant assets, such as the asset name and details of the controls with which the asset is non-compliant. Similarly, CCM can communicate details about compliance for a manager’s staff, such as whether mandatory training has been completed by its due date, or who has failed phishing simulation tests. 

Coordination of multiple teams: 

As the FS-ISAC DORA Implementation Guidance notes, “DORA introduces increased complexity and requires close cross-team collaboration. Many DORA requirements cut across teams and functions, such as resilience/business continuity, cybersecurity, risk management, third-party and supply chain management, threat and vulnerability management, incident management and reporting, resilience and security testing, scenario exercising, and regulatory compliance. As a result, analysing compliance and checking for gaps is challenging, particularly in large firms.”  

CCM helps with cross-team collaboration by providing a common, accurate, and consistent view of compliance data, which can reduce overall compliance costs. GRC teams are no longer tasked with creating and distributing multiple reports for various teams and trying to keep those reports consistent and timely, and business teams are no longer responsible for pulling their own reports, which avoids inconsistent or inaccurate results caused by inexperience with the reporting product, reports run with different parameters or on different dates, or other differences and errors. CCM resolves this because it makes the same content, built from the same source data at the same point in time, available to all users.

5 ways DataBee can help you navigate DORA

The requirements for DORA are organised under these five pillars. How does DataBee help enterprises to comply with each of the five? 

1. Information and Communication Technologies (ICT) risk management requirements (which include ICT Asset Management, Vulnerability and patch management, etc.) 

DataBee’s Continuous Controls Monitoring (CCM) delivers continuous risk scores and actionable risk mitigation, helping financial entities prioritise remediation for at-risk resources.

2. ICT-related incident reporting 

DORA defines what qualifies as a “major incident” and must therefore be reported to competent authorities. This contrasts with the cybersecurity incident reporting requirements of the U.S. Securities and Exchange Commission (SEC), which are based on materiality but do not specify what is or is not material. DORA includes criteria to determine whether an incident is “major.” Examples are that more than 10% of all clients or more than 100,000 clients use the affected service, or that more than 10% of the daily average number of transactions are affected. Additionally, if a major incident does need to be reported, DORA specifies the information that financial entities must provide. This includes data fields such as the date and time the incident was detected, the number of clients affected, and the duration of the incident. A security data fabric such as DataBee can help provide many of the measurable data points needed for the incident report.

3. ICT third-party risk 

DataBee for CCM provides dashboards to report on the controls used for the management and oversight of third-party service providers. These controls are implemented to manage and mitigate risk due to the use of third parties. 

4. Digital operational resilience testing (examples include vulnerability assessments, open-source analyses, network security assessments, physical security reviews, source code reviews where feasible, end-to-end testing and penetration testing)

DORA emphasises digital operational resilience testing. DataBee supports this by aggregating and simplifying the reporting for control testing and validation. DataBee’s CCM dashboards provide reporting for multiple controls through an interface that is easily understood and which business managers can use to readily assess their unit’s compliance with the controls required by DORA.

5. Information sharing 

As with incident reporting, the data fabric implemented by DataBee supports information sharing. DataBee can economically store logs and other contextual data for an extended period and makes this data searchable, providing the ability to locate and, at the organisation’s discretion, exchange cyber threat information and intelligence with other financial entities.