Pillar I: ICT Risk Management Framework
Article 10

Chapter II — ICT risk management

Section III — Detection

Detection

detection, monitoring, anomaly-detection, single-point-of-failure

Summary

Requires financial entities to establish mechanisms to promptly detect anomalous activities, including network performance issues, ICT-related incidents, and potential single points of failure. Detection capabilities must be tested regularly as part of the resilience testing programme.

Key Requirements

  1. Deploy mechanisms for prompt detection of anomalous activities
  2. Monitor network performance and ICT-related incidents continuously
  3. Identify potential single points of failure
  4. Implement multi-layer detection controls
  5. Test detection capabilities regularly

Detailed Analysis

Article 10 addresses the detection pillar of the NIST-aligned framework that DORA implicitly follows (Identify, Protect, Detect, Respond, Recover). Without effective detection, even the best protection measures are insufficient because threats that evade prevention go unnoticed until significant damage occurs.

Financial entities must implement mechanisms capable of promptly detecting anomalous activities at multiple levels — network, application, data, and user behavior. These mechanisms should cover both automated detection (SIEM, IDS/IPS, behavioral analytics) and human-driven monitoring (SOC operations, threat hunting). The goal is to minimize the dwell time between an intrusion or failure and its detection.

Single points of failure represent a particular concern. The article requires entities to proactively identify components whose failure would cause disproportionate disruption — whether a critical database without replication, a network link without redundancy, or a key person without backup. Once identified, these single points must be addressed through redundancy, failover, or documented risk acceptance.

Detection capabilities must not be static. The article requires regular testing to ensure that monitoring systems remain effective as the ICT environment evolves. New applications, infrastructure changes, and emerging threat tactics can all create blind spots in detection coverage that must be identified and remediated through continuous validation.
