Digital Operational Resilience Act (DORA) – for improved ICT Risk Management in the EU

The reliance on digital solutions and services in the financial sector is unquestionable. European society in turn depends on trust in the resilience of financial entities. DORA is the latest regulation of a critical sector, specifically regulating ICT risk management within financial entities.

Why a new regulation?
The Digital Operational Resilience Act (DORA) aims to provide a unified approach for mitigating ICT-related incidents and ensuring that the financial sector in Europe can maintain resilient operations. DORA creates uniform requirements for the security of network and information systems of financial entities. It creates a robust framework for the management of ICT-related risks, whereby all financial entities will need to make sure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. DORA applies to a wide range of financial entities (credit institutions, payment institutions, central counterparties, trading venues, insurance and reinsurance undertakings, credit rating agencies, etc.) and to information and communication technology (ICT) third-party service providers. The regulation entered into force in January 2023 and will apply from 17 January 2025.

What does it really mean?
To maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls, and processes, as well as for managing ICT third-party risk.

DORA will be a real game changer for how financial entities approach operational resilience. It creates a need for a different and broader view of resilience and requires development of sophisticated new capabilities.

With a correct approach, DORA can:
  • Improve the ability to manage digital risk.
  • Enhance knowledge and understanding of the business impact of operational disruptions in management teams and boards.
  • Create assurance that mitigations are in place through advanced security testing.
  • Include third parties in the risk management and create overall control of ICT-related operational risk.

What is the proportionality principle?
DORA comes with a proportionality principle meaning that financial entities shall implement the rules considering their size and overall risk profile together with the nature, scale and complexity of their services, activities, and operations.

DORA also provides limitations in the regulations for financial entities classified as “micro entities”, “small” or “mid-size”, meaning that some of the most advanced digital testing requirements will be applicable only to the biggest, “significant” financial entities.

How can Seadot Cybersecurity Support?
There’s now a preparatory period until January 17, 2025. During this period, technical and implementation standards will be released to further specify the requirements.

But there’s no time to lose: financial entities should now conduct a gap and maturity assessment based on the final requirements in the DORA Level 1 text and the upcoming Level 2 standards. Seadot’s experienced compliance experts can support in identifying where capability, resource and expertise gaps currently exist, to achieve an effective implementation period.

We recommend focusing on:
  • ICT risk governance practices, including the identification of critical and important functions.
  • The maturity of incident and threat data collection and analysis capabilities.
  • The sophistication of scenario testing and advanced scenario design.
  • The ability to analyse risks in third parties.

We can also assist you in implementing any remediation activities identified, to ensure compliance with DORA in line with the regulatory deadlines. We have experience and knowledge in governance, risk management, incident and continuity management, third-party risk and other relevant areas.

Finally, we can help you stay on top of the regulatory agenda through continuous compliance monitoring and by keeping you up to date on the development of DORA and its technical standards.

Building digital operational resilience in a business is not just about technical solutions and regulations, but also about awareness, knowledge and continuous improvement in the organization, with management and employees alike. The board of a financial entity is mandated by DORA to have knowledge of risk management and information security, and to take overall responsibility for managing ICT risk and continuity.

Contact us!

Emma Stewén
emma@seadot.se
+46 76 601 15 10