Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a regulation adopted by the European Parliament and the Council to strengthen the digital operational resilience of the financial sector. It applies from 17 January 2025. Its aim is to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The regulation responds to the increasing digitalization and interconnectedness of financial services, which make the sector more exposed to cyber attacks and ICT disruptions, and it replaces the patchwork of national and sector-specific ICT risk rules with a single set of requirements across the EU.

Key aspects of DORA include:

  • ICT Risk Management: Financial entities must implement comprehensive ICT risk management frameworks to address and mitigate ICT risks.
  • Incident Reporting: Financial entities are required to report major ICT-related incidents to competent authorities.
  • Digital Operational Resilience Testing: Regular testing of ICT systems to identify vulnerabilities and ensure preparedness.
  • ICT Third-Party Risk Management: Financial entities must manage risks associated with ICT third-party service providers.
  • Oversight Framework: Establishment of an oversight framework for critical ICT third-party service providers to ensure they meet resilience standards.
  • Information Sharing: Encouragement of information sharing among financial entities to enhance collective resilience against cyber threats.
DORA requirements

  • Governance and Organization:

    • Establish an internal governance and control framework for ICT risk management.
    • Define roles and responsibilities for ICT-related functions.
    • Allocate appropriate budget for digital operational resilience needs.
  • ICT Risk Management Framework:

    • Develop and maintain a comprehensive ICT risk management framework.
    • Document and review the framework annually or after major incidents.
    • Assign responsibility for ICT risk management to a control function.
  • ICT Systems, Protocols, and Tools:

    • Use and maintain updated ICT systems and tools.
    • Ensure systems are reliable, secure, and capable of handling peak loads.
  • Identification and Classification:

    • Identify and document all ICT-supported business functions and assets.
    • Perform regular risk assessments and maintain inventories of ICT assets.
  • Protection and Prevention:

    • Implement ICT security policies and procedures.
    • Ensure data protection and minimize risks of data loss or unauthorized access.
  • Detection:

    • Establish mechanisms to detect ICT anomalies and incidents.
    • Regularly test detection mechanisms.
  • Response and Recovery:

    • Develop ICT business continuity and recovery plans.
    • Test and review these plans regularly.
    • Maintain redundant ICT capacities.
  • Backup and Restoration:

    • Implement backup policies and procedures.
    • Ensure secure and timely restoration of data.
  • Learning and Evolving:

    • Conduct post-incident reviews and incorporate lessons learned.
    • Monitor technological developments and update ICT risk management processes.
  • Communication:

    • Establish crisis communication plans for ICT-related incidents.
    • Implement internal and external communication policies.
  • Incident Reporting:

    • Classify ICT-related incidents and report major ones to the competent authority within the prescribed deadlines: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month.
    • Inform clients without undue delay when a major incident affects their financial interests, and notify potentially affected clients of significant cyber threats together with any protective measures they should take.
  • Digital Operational Resilience Testing:

    • Conduct a proportionate programme of resilience testing (vulnerability assessments, scenario-based tests, penetration testing) on all ICT systems supporting critical or important functions at least once a year, and, for entities designated by their competent authority, advanced threat-led penetration testing (TLPT) on live production systems at least every three years.
  • ICT Third-Party Risk Management:

    • Manage risks associated with ICT third-party service providers.
    • Maintain a register of information covering all contractual arrangements for ICT services provided by third-party providers, distinguishing those that support critical or important functions, and make it available to the competent authority on request.
    • Ensure contractual arrangements include necessary security and resilience provisions.
  • Oversight Framework:

    • Critical ICT third-party service providers are subject to oversight by designated authorities.
    • Regular assessments and recommendations to ensure compliance with resilience standards.
  • Information Sharing:

    • Participate in information-sharing arrangements to enhance collective resilience.

These requirements aim to create a robust framework for managing ICT risks, ensuring financial entities can maintain operational resilience in the face of digital threats and disruptions.

Do you need help with DORA implementation?

We can help you with this.
