Understanding the Digital Operational Resilience Act (DORA) and Its Implications for Network Observability


As we navigate the evolving landscape of digital threats, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a key regulatory framework for financial entities within the European Union. It applies from 17 January 2025 and requires financial entities, including credit institutions, payment institutions, investment firms, insurance undertakings and fund managers, to be able to withstand, respond to, and recover from ICT-related disruptions and threats. It also brings the critical ICT third-party service providers these entities depend on under a Union-level oversight framework.


Key Components of DORA

DORA is built on five foundational pillars:

  1. ICT Risk Management: Establishing a comprehensive, well-documented governance and control framework (strategies, policies, procedures, protocols and tools) to manage ICT risks effectively. The management body carries ultimate responsibility for this framework and must approve and regularly review it.
  2. ICT-related Incident Management, Classification, and Reporting: Implementing processes to detect, manage and classify ICT-related incidents using DORA's criteria (clients and counterparties affected, duration, geographic spread, data losses, criticality of the services affected, economic impact). Major incidents must be reported to the relevant competent authority in stages (initial notification, intermediate report, final report); the competent authority passes the details on to the European Supervisory Authorities, the ECB and, where relevant, the authorities and CSIRTs established under the NIS2 Directive. Clients must be informed when a major incident affects their financial interests.
  3. Digital Operational Resilience Testing: A testing programme covering ICT systems, tools and processes, with tests at least yearly on systems supporting critical or important functions and, for entities designated by their competent authority, threat-led penetration testing (TLPT) at least every three years.
  4. ICT Third-Party Risk Management: Managing the risks of relying on ICT service providers: keeping a register of information on all contractual arrangements, assessing concentration risk, and including the contractual provisions DORA requires (service levels, audit and access rights, incident support, exit strategies). The financial entity remains fully responsible for its own compliance; providers designated as critical are additionally subject to direct oversight by the European Supervisory Authorities.
  5. Information Sharing: Encouraging entities to exchange cyber threat information and intelligence with each other, within trusted communities, to enhance collective resilience.


Network Observability Under DORA

Network observability is a critical aspect of complying with DORA, particularly under the ICT Risk Management and ICT-related Incident Management pillars. It is the ability to monitor network traffic continuously, detect anomalies and threats as they happen, and reconstruct what happened afterwards. Here is how network observability aligns with DORA's requirements:

  • Enhanced Visibility: Network observability tools give financial entities comprehensive visibility into the traffic crossing their networks, which is the basis for detecting threats and confirming that systems operate within expected parameters. In practice this covers the IP, TCP and UDP layers, DNS, HTTP and TLS (HTTPS). For TLS, a monitor sees only handshake metadata (server name, certificate, cipher suite) plus the size and timing of the flow unless traffic is decrypted at a controlled point, so a visibility claim should state which layers are actually inspected.
  • Real-time Monitoring and Alerts: Continuous monitoring lets observability tools detect anomalies and raise alerts promptly, which supports the timely identification and handling of ICT-related incidents that DORA requires. Typical alerts cover unusual traffic patterns, port scanning and DDoS attacks. Flow export protocols such as NetFlow, IPFIX and sFlow summarise traffic as per-connection records (addresses, ports, protocol, byte and packet counts, timestamps) that are cheap to retain and well suited to spotting such patterns. sFlow and sampled NetFlow only see a fraction of the packets, so counts derived from them are estimates and should be calibrated against a full-packet source before they drive alert thresholds.
  • Incident Response and Forensics: Observability data supports detailed analysis of incidents: tracing the sequence of events during an attack, how it unfolded and which systems were affected. Packet capture and deep packet inspection (DPI) expose packet contents where flow records are not enough. For example, a sudden spike in inbound UDP port-53 traffic arriving from many external hosts suggests a DNS amplification DDoS attack; pulling the packet capture for that window and inspecting the responses (large answers to queries the victim never sent) confirms it. Synchronised clocks (for example via NTP) on every sensor and a defined retention period for captures are what make such a reconstruction defensible when it feeds an incident report.
  • Compliance and Reporting: Observability tools can automate the collection of network data and supply the evidence, timelines and metrics (when the incident started, how long it lasted, which services and how many clients were affected) needed for DORA's incident reports and for demonstrating compliance to supervisors; the reports themselves still have to follow the regulator's templates and deadlines. A Security Information and Event Management (SIEM) system can ingest alerts and flow records from observability tools to provide a centralised view of security events and streamline reporting.
  • Integration with Other Security Tools: Network observability solutions can integrate with Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) platforms to provide a holistic view of the organisation's security posture, which strengthens the ICT risk management framework as a whole. NDR platforms in particular apply anomaly detection and machine learning to flag behaviour that deviates from a learned baseline; such models need a baseline period free of known compromise and regular review of their false-positive rate to stay useful.
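The two alert types described above, port scanning and a DNS volume spike, can be derived from flow records alone, before any packet capture is consulted. The following script is an added example written for this article; it is not code from the original post, from NEOX, or from any flow collector. The Flow fields loosely mirror NetFlow v5, and the sample records, addresses and thresholds (20 distinct ports per minute, 3 standard deviations and 5x the baseline mean) are constructed for illustration; a real deployment would tune them against its own traffic.

```python
"""Flow-based anomaly detection over NetFlow/IPFIX-style flow records.

Added example for this article, not code from the original post or from NEOX:
it reproduces two of the alert types named above (a TCP port scan and a DNS
volume spike) from constructed flow records. Field names loosely follow
NetFlow v5; the records and thresholds are invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

TCP, UDP = 6, 17
SYN = 0x02  # NetFlow v5 tcp_flags bit for SYN


@dataclass(frozen=True)
class Flow:
    first: int          # flow start, epoch seconds (real exporters give ms)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int = 0  # cumulative OR of the TCP flags seen in the flow


def _window(ts, width):
    return ts // width * width


def detect_port_scans(flows, window=60, min_ports=20):
    """One source touching >= min_ports distinct TCP ports on one host inside
    a window, counting only tiny SYN-bearing flows (the shape of a scanner
    probe). Returns one alert per (window, src, dst)."""
    buckets = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.packets <= 2 and f.tcp_flags & SYN:
            buckets[(_window(f.first, window), f.src, f.dst)].add(f.dport)
    return [
        {"type": "port_scan", "window_start": ws, "src": src, "dst": dst,
         "distinct_ports": len(ports)}
        for (ws, src, dst), ports in sorted(buckets.items())
        if len(ports) >= min_ports
    ]


def dns_volume(flows, window=60):
    """Per-window DNS byte volume and distinct-source count (TCP/UDP port 53,
    either direction). Empty windows between the first and last are filled
    with zeros so quiet periods count toward the baseline."""
    octets, sources = defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto in (TCP, UDP) and 53 in (f.sport, f.dport):
            ws = _window(f.first, window)
            octets[ws] += f.octets
            sources[ws].add(f.src)
    if not octets:
        return []
    lo, hi = min(octets), max(octets)
    return [(t, octets.get(t, 0), len(sources.get(t, ())))
            for t in range(lo, hi + window, window)]


def detect_dns_spikes(flows, window=60, baseline_windows=5, k=3.0, min_ratio=5.0):
    """Alert when a window's DNS volume exceeds mean + k*stdev of the preceding
    baseline_windows AND is at least min_ratio times the baseline mean. The
    ratio guard keeps a flat baseline (stdev ~ 0) from alerting on tiny noise.
    distinct_sources is reported because a flood of port-53 responses from many
    hosts is the signature of DNS amplification rather than one noisy client."""
    series = dns_volume(flows, window)
    alerts = []
    for i in range(baseline_windows, len(series)):
        ws, octets, nsrc = series[i]
        base = [o for _, o, _ in series[i - baseline_windows:i]]
        mu, sd = mean(base), pstdev(base)
        if octets > mu + k * sd and octets >= min_ratio * max(mu, 1.0):
            alerts.append({"type": "dns_spike", "window_start": ws, "octets": octets,
                           "baseline_mean": round(mu), "distinct_sources": nsrc})
    return alerts


T0 = 1_700_000_040  # multiple of 60 s so the constructed minutes align with windows


def sample_flows():
    """Constructed records (not captured traffic): six quiet minutes of client
    lookups to an internal resolver, a SYN scan of 10.0.0.9 during minute 1,
    and in minute 6 a burst of 4 KB port-53 responses from 200 external hosts
    aimed at 10.0.0.5, the shape of an amplification DDoS."""
    flows = []
    for m in range(6):
        for i in range(50):
            t, client, port = T0 + 60 * m + i, f"10.0.0.{10 + i % 20}", 40000 + i
            flows.append(Flow(t, client, "10.0.0.53", port, 53, UDP, 1, 90))
            flows.append(Flow(t, "10.0.0.53", client, 53, port, UDP, 1, 150))
    for p in range(1, 65):
        flows.append(Flow(T0 + 60 + p % 60, "203.0.113.7", "10.0.0.9", 50000 + p, p, TCP, 1, 60, SYN))
    for i in range(400):
        flows.append(Flow(T0 + 360 + i % 60, f"198.51.100.{i % 200}", "10.0.0.5", 53, 33000 + i, UDP, 3, 4096))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for alert in detect_port_scans(flows) + detect_dns_spikes(flows):
        print(alert)
```

Run stand-alone, the script prints one port-scan alert for minute 1 (64 distinct ports from 203.0.113.7) and one DNS spike for minute 6 (about 1.6 MB against a 12 KB baseline, from 200 distinct sources). The spike alert is the point at which an analyst would pull the packet capture for that window to confirm amplification with DPI; the flow data alone already supplies the start time, the target and the scale that an initial DORA incident notification asks for.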

Challenges and Considerations

Implementing network observability for DORA compliance presents several challenges and considerations for financial entities:

  • Data Volume and Storage: The volume of data generated by network observability tools can be overwhelming, and full packet capture on multi-gigabit links fills storage within hours. Financial entities must size collection, storage and retention so that capture keeps up with link speed without dropping packets, and decide deliberately which segments warrant full capture and which are adequately covered by flow records.
  • Privacy Concerns: Monitoring network traffic involves collecting and analysing potentially sensitive information, including personal and customer data. Financial entities must balance observability against privacy obligations, ensuring that data collection and analysis comply with the GDPR and other applicable privacy rules and do not infringe individuals' rights: a documented lawful basis, data minimisation (flow metadata where it suffices, payload slicing or masking where it does not), strict access control to captures and defined retention limits.
  • Integration Complexity: Integrating network observability tools with existing security infrastructure can be complex. Financial entities must ensure seamless integration with other security tools, such as SIEM systems and EDR platforms, so that the combined data gives a comprehensive view of the security posture rather than another isolated console.
  • Skillset and Expertise: Effective network observability requires specialised skills and expertise. Financial entities must invest in training and development to ensure their teams can operate the tools, tune alert thresholds and interpret what they see.
  • Cost: Introducing and maintaining network observability tools requires a targeted, sustained investment. Financial entities must consider the total cost of ownership, including hardware, software, storage and ongoing maintenance, to ensure they can sustain these investments over the long term.

Conclusion

The Digital Operational Resilience Act (DORA) sets a high bar for digital operational resilience in the financial sector. Network observability plays a crucial role in meeting DORA’s requirements by providing enhanced visibility, real-time monitoring, and effective incident response capabilities. By leveraging advanced observability tools and addressing the associated challenges, financial entities can ensure they are well-prepared to detect, manage, and mitigate ICT-related risks, thereby safeguarding their operations and maintaining regulatory compliance.


How NEOX Networks can help you with DORA

NEOX NETWORKS GmbH specialises in advanced network visibility, monitoring and security solutions. Its products and services can significantly improve network observability and cyber security:

  • Network TAPs : NEOX offers a range of Network TAPs that enable passive monitoring of network traffic without affecting network performance. These TAPs ensure that all traffic on the link is captured and forwarded to the analysis tools without loss.
  • Network Packet Brokers : NEOX's Network Packet Brokers aggregate and distribute network traffic to the various monitoring tools, optimising the traffic each tool receives and ensuring comprehensive visibility.
  • Full Packet Capture Systems : NEOX's full packet capture systems enable detailed analysis of network traffic and support forensic investigations and real-time threat detection.
  • Advanced Packet Processing : NEOX offers advanced packet processing solutions that reduce the data load on monitoring tools and protect sensitive information.

By deploying NEOX NETWORKS solutions, organisations and enterprises can achieve unparalleled network visibility, enabling them to detect and respond to threats more effectively and maintain robust cyber security.


With an impressive tenure exceeding 25 years in IT and security, Dr. Erdal Ozkaya is a distinguished figure in the global cybersecurity landscape, dedicated to defending organizations from virtual perils. Serving as the CISO for NEOX, Dr. Ozkaya is at the vanguard, crafting cybersecurity strategies and guiding information security risk management. Dr. Ozkaya is zealous about navigating cybersecurity quandaries and propelling digital innovation across the corporate realm and society at large. His extraordinary leadership and acumen have not gone unnoticed, garnering recognition as a top 50 tech luminary by IDC and CIO Online, and earning the prestigious title of Global Cybersecurity Influencer of the Year from the InfoSec Awards.