Digital Operational Resilience Act
With the Digital Operational Resilience Act (DORA for short), the EU focuses specifically on digital resilience. DORA pursues this by imposing a set of requirements on the stability and security of the ICT systems used in the financial sector.
In an interconnected Europe, where cross-border cooperation between financial companies is common and digitalization-related risks therefore have potentially cross-border impact, DORA provides a complementary common legal framework at EU level. National supervisory requirements that have so far applied to institutions in Germany, such as BaFin's BAIT, ZAIT, VAIT and MaRisk, will thus be supplemented by a directly applicable set of rules at EU level.
For whom DORA applies
The requirements apply to the following types of financial entities as well as to ICT third-party service providers that serve them (with an additional oversight framework for providers designated as critical):
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-Asset service providers
- Central securities depositories
- Central Counterparties
- Trading Venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit Rating Agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- ICT third-party service providers
The requirements of DORA
The final text of DORA (Regulation (EU) 2022/2554) comprises 64 articles; its substantive requirements are grouped into the following chapters:
- ICT risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information-sharing arrangements
The next step is the development, by the European Supervisory Authorities, of regulatory and implementing technical standards (RTS/ITS) based on DORA, which specify how the requirements are to be implemented. Although affected companies and institutions have been given two years before the DORA requirements become applicable and enforceable, I recommend conducting an early, comprehensive gap analysis in your company. This analysis reveals the concrete deviations from the DORA requirements and gives you the basis on which to plan and implement suitable harmonization projects over those two years.
You are probably already familiar with some of the topics covered by the DORA regulation from the extensive national regulations, so these have already been implemented at your company or are at least in the process of being implemented. However, there are also new requirements: DORA, for example, mandates more extensive management of ICT third-party service providers, including contractual requirements and a register of information on all ICT third-party arrangements, as well as additional technical analyses in the form of threat-led penetration testing (TLPT).
As with any security project, this naturally creates new expenses for affected companies through the preparation and implementation of additional security measures. However, we clearly see an opportunity for you to reach a significantly higher level of security through strengthened resilience, and thereby to counter the increasing threat situation.
Harmonization with the DORA: How do we proceed?
Understanding DORA requirements (recommended)
Presentation of the requirements and building of internal knowledge about DORA in the organization in an initial workshop. The presentation covers the general requirements of DORA as well as known risks, challenges and best practices from similar regulation-driven projects.
Evaluate requirements for the company
Identification of measures for harmonization with DORA as part of a gap analysis. The requirements affect institutions holistically, so a pure document review is not sufficient to ascertain the implementation status of the DORA requirements. We therefore recommend a combination of:
- Document review
- Interviewing key personnel
- Implementation check
Plan & implement measures for harmonization
Implementation of harmonization with DORA in a comprehensive implementation project tailored to the institution. We support you here at all levels, from the definition of the strategy and the drafting of guidelines to the operational implementation of the requirements in the organization.
We individually address the key areas identified in your gap analysis and, in addition to implementing the individual requirements, we also support you in change management and communication within the institution. During such harmonization projects, we frequently support financial institutions with, for example:
- Establishment or adjustment of IT governance
- Planning and implementation of appropriate risk management
- Establishment or optimization of service provider management in compliance with the applicable regulatory requirements
- Required security analyses, such as red team assessments and threat-led penetration testing (TLPT)
More information on the Digital Operational Resilience Act
NIS2 and DORA: Why Two Pieces of EU Cybersecurity Legislation?
7 Questions on DORA