DORA

Digital Operational Resilience Act

Harmonisierung mit BAIT

With the Digital Operational Resilience Act (DORA for short), the EU is focusing in particular on digital resilience. DORA aims to achieve this by implementing various requirements for the stability of digital systems in the financial sector.

In an interconnected Europe, where international cooperation between financial companies is widespread and digitalization-related risks potentially have cross-border impacts, DORA aims to provide a complementary common legal framework at EU level. Regulations that have so far applied specifically for institutions in Germany, such as BAIT, ZAIT, VAIT and MaRisk, will thus be supplemented by a set of regulations at EU law level.

For whom DORA applies

The final version of the Digital Operational Resilience Act became effective on January 16, 2023. Although the requirements are immediately effective for all companies and institutions affected, they are not enforceable until 24 months after the enactment date.

The requirements apply to different types of financial companies as well as to critical third-party ICT providers to financial companies:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money instutions
  • Investments firms
  • Crypto-Asset service providers
  • Central securities depositories
  • Central Counterparties
  • Trading Venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit Rating Agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • securitisation repositories
  • ICT third-party service providers

The requirements of DORA

DORA consists of a total of 45 articles, which are divided into the following chapters:

  • ICT risk management
  • Handling, classifying and reporting of ICT-related incidents
  • Testing of digital operational resilience
  • ICT third party risk management
  • Agreements on the exchange of information

Although there is still some time left for affected companies until the DORA requirements are enforceable starting 17 January 2025, I recommend: Start your preparations early. Do a Gap Analysis in your company. This analysis will reveal concrete deviations from the DORA requirements, on which basis you can plan and implement suitable harmonization projects.

I'm sure you are already familiar with some of the topics of the DORA regulation from the extensive national regulations, so these have already been implemented at your company or are at least in the process of being implemented. However, there are also new requirements: DORA, for example, mandates more complex service provider management and additional technical analyses in the form of threat-oriented penetration tests.

As with any security project, this naturally creates new expenses for affected companies through the preparation and implementation of additional security measures. However, we clearly see an opportunity for you to rise to a significantly higher level of security through strengthened resilience and thus counter the increasing threat situation.

Dr. Christian Schwartz

Head of Security in Finance I Security Consulting

Harmonization with DORA: How do we proceed?

PCI Zertifizierungsprozess Kick-off

Preliminary Analysis

In a preliminary workshop, we build internal knowledge among all stakeholders. The workshop covers the general requirements of DORA as well as known risks, challenges, and best practices from similar regulatory-driven projects.

We transfer the definition of "critical and important functions" according to DORA to the functions of your company and determine which other security standards and national regulations might affect you. In most cases, the systems and processes implemented to comply with ISO 27001 or the BaFin circulars can be used as a basis.

 

PCI Zertifizierungsprozess Kick-off

Gap Analysis resulting in an Action Plan

The requirements affect institutions holistically. Therefore, a pure document review is not sufficient to ascertain the implementation status of the DORA requirements. We therefore recommend a combination of:

  • Document review
  • Interviewing key personnel
  • Implementation check

The results of this detailed Gap Analysis provide a good picture of the expected costs. They provide implementation options that can be used to set the direction for implementation at the highest management level (Action Plan).

 

PCI Zertifizierungsprozess Kick-off

Harmonization Project

Implementation of harmonization with DORA in a comprehensive project tailored to the institute. We support you here at all levels, from the definition of the strategy and the drafting of guidelines to the operational implementation of the requirements in the organization.

We individually address the key areas identified in your gap analysis and, in addition to implementing the individual requirements, we also support you in change management and communication within the institution. During these types of harmonization projects, we support financial institutions often with, for example:

  • Establishment or adjustment of IT governance
  • Planning and implementation of appropriate risk management
  • Establishment or optimization of service provider management in compliance with the applicable regulatory requirements
  • Required Security Analysis, such as Red Team Assessments

More Informationen on the Digital Operational Resilience Act

NIS-2 and Dora: Why Two Pieces of EU Cybersecurity Legislation?

Read Article

7 Questions on DORA

 

Read Article

Contact

 

Please contact us with any questions or queries.

Phone: +49 6102 8631-190
E-mail: sales@usd.de
PGP Key
S/MIME
Contact form

 

Felix Schmidt
usd Team Lead Sales
Security Consulting