Posted on Leave a comment

NIS 2 – Navigating Cybersecurity Compliance for Organizations

Introduction

The EU NIS 2 Directive (Directive (EU) 2022/2555) is a significant piece of legislation that builds on and replaces the original Directive on security of network and information systems (NIS Directive), aiming to enhance cybersecurity across the European Union. The directive was established in response to the growing complexity and interdependency of the networks and systems that underpin critical services in the digital age.

Objectives and Scope of the Regulation

The primary objective of the NIS 2 Directive is to improve the overall level of cybersecurity within the EU by addressing the security of both essential and important entities. This includes a range of sectors such as energy, transport, health, and digital infrastructure. The directive broadens its scope to encompass more entities than its predecessor by incorporating various sectors previously excluded.

Practical Implications for Organizations

Organizations affected by NIS 2 must adopt a proactive approach toward managing cybersecurity risks. In practice this means establishing detailed security measures, building prompt incident response capabilities, and fostering a culture of cybersecurity awareness throughout the organization.

Cybersecurity Risk Management Obligations

A critical aspect of the NIS 2 Directive is the delineation of cybersecurity risk management obligations that organizations must adhere to. Under this framework, entities are required to adopt a risk-based approach to cybersecurity, which includes key responsibilities such as conducting risk assessments, implementing appropriate security measures, and continuously monitoring systems for vulnerabilities.

Operational Impacts and Compliance Challenges

Operationally, organizations may struggle with integrating these risk management strategies into existing frameworks. The transition includes not only technical enhancements but also broad organizational changes focused on cultivating a security-oriented mindset.

Failure to comply with these obligations can lead to a range of serious consequences, including regulatory penalties, reputational damage, and increased vulnerability to cyber threats. Common compliance challenges include a lack of clarity regarding the specific security measures required, as well as difficulties in assessing and managing third-party risks, particularly in an increasingly interconnected world.

Common Gaps and Regulatory Expectations

Regulatory expectations under the NIS 2 Directive mandate that entities demonstrate a clear understanding of their risk posture and establish measures tailored to manage these risks effectively. Organizations may find common gaps in their current security frameworks, including inadequate asset management, insufficient incident response planning, and lack of comprehensive training programs for staff. Regulators will scrutinize how organizations handle these aspects, emphasizing the need for a structured and well-documented risk management approach.

Practical Compliance Section

To effectively comply with the NIS 2 Directive, organizations should take tangible steps that form the foundation of their cybersecurity strategy. Below are key areas where focus is essential:

Concrete Steps Organizations Must Take

  1. Risk Assessments:

    • Conduct regular and thorough risk assessments to identify vulnerabilities and threats to critical information systems.
  2. Incident Response Plans:

    • Establish and document comprehensive incident response plans delineating specific responsibilities and actions during a cybersecurity incident.
  3. Training and Awareness:

    • Implement mandatory training programs for all employees to ensure they understand cyber risks and response protocols.
  4. Third-Party Management:

    • Develop and enforce policies related to the cybersecurity practices of third-party vendors and partners to mitigate supply chain risks.

Required Policies, Procedures, and Evidence

Organizations should formalize policies that align with the requirements of the NIS 2 Directive, ensuring these documents address key cybersecurity practices tailored to their operational context. Evidence of compliance may include:

  • Detailed security policies and procedures.
  • Documentation of completed risk assessments and action plans.
  • Records of training sessions conducted for employees regarding cybersecurity awareness.
  • Evidence of testing incident response capabilities through simulations and drills.

Documentation Expected During Audits or Inspections

During audits, organizations must be prepared to present comprehensive documentation that illustrates their compliance with the directive. This includes but is not limited to:

  • Incident records and response actions taken.
  • Maintenance logs for security tools and systems.
  • Evidence of changes and updates made to security policies over time.
  • Details of communication protocols with relevant regulatory bodies concerning incidents and compliance measures.

Best Practices to Demonstrate Ongoing Compliance

To maintain compliance consistently, organizations should adopt best practices such as:

  • Continuous monitoring and updating of security measures based on the evolving threat landscape.
  • Regular review and testing of incident response plans to ensure effectiveness.
  • Engagement in industry collaboration forums to share insights and best practices.
  • Establishing a dedicated cybersecurity governance team that reports to executive management on compliance status and risk exposure.

Conclusion

In summary, the EU NIS 2 Directive represents a critical framework for enhancing cybersecurity across Europe. Entities must embrace a structured approach to compliance, focusing on risk management, incident handling, and continuous improvement. As cybersecurity threats continue to evolve, maintaining ongoing compliance will not only protect organizations but also ensure the integrity of essential services within the EU. The importance of implementing these measures cannot be overstated; organizations that adopt a proactive and comprehensive compliance strategy will position themselves favorably to meet regulatory expectations and safeguard against cyber risks.


DORA – Transforming Financial Compliance in ICT Risk Management

Introduction

The European Union’s Digital Operational Resilience Act (DORA) represents a significant legislative initiative aimed at strengthening the operational resilience of financial entities. With the increasing reliance on digital technologies and the growing sophistication of cyber threats, DORA’s primary objective is to ensure that financial institutions can withstand, respond to, and recover from a range of disruptions, including ICT (Information and Communication Technology) failures and cyberattacks.

DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, and payment service providers, as well as the ICT third-party service providers they rely on (critical providers are brought under a Union-level oversight framework). Its scope covers most of the financial sector, placing a strong emphasis on the role of technology in achieving operational resilience. The act establishes a clear regulatory framework that aligns ICT risk management with broader business strategies, ensuring that the financial sector remains stable and resilient in the face of potential disruptions.

Operational resilience and ICT risk management are critical in today’s digital landscape. Financial entities now face new types of risks that threaten their ability to function effectively, necessitating a proactive approach to risk management. By adopting DORA’s measures, institutions not only safeguard their operations but also protect consumer trust and ensure compliance with regulatory expectations.

ICT Risk Management Framework under DORA

One key aspect of DORA is the establishment of a robust ICT risk management framework that financial institutions must implement to identify, assess, manage, and mitigate ICT risks. This framework is essential for ensuring that organizations have a structured approach to operational resilience and ICT risk governance.

Operational Impacts and Compliance Challenges

Implementing an effective ICT risk management framework under DORA presents several operational impacts and challenges. Institutions must conduct comprehensive risk assessments that encompass all aspects of ICT, including hardware, software, data management, and third-party service providers. The complexity of ICT landscapes, particularly for organizations dependent on a multitude of third-party vendors, makes this task particularly daunting.

Furthermore, compliance with DORA necessitates a cultural shift within organizations. Institutions need to integrate risk management practices into their overall business strategy, which requires leadership commitment and a clear communication strategy throughout the organization. Often, the challenge arises from a lack of adequate resources or expertise in developing and maintaining a comprehensive ICT risk management framework, leading to gaps in compliance.

Regulatory Expectations and Common Implementation Gaps

DORA sets forth clear expectations for ICT risk management. Financial entities must ensure that their risk management framework includes:

  • Identification of ICT risks: Institutions should develop methods to identify potential risks associated with their ICT resources.
  • Assessment and evaluation: Regular assessment processes must be established to evaluate the impact and likelihood of identified risks.
  • Mitigation strategies: Appropriate measures must be implemented to reduce risks to a manageable level.
  • Monitoring: Continuous monitoring mechanisms should be in place to track the effectiveness of risk mitigation measures.

Common implementation gaps observed in the industry include inadequate documentation of risk assessments, insufficient integration of ICT risk management into existing frameworks, and a lack of ongoing training for employees on ICT risk awareness. Addressing these gaps is essential for financial entities to enhance resilience against ICT-related disruptions.

Practical Compliance Steps

To comply with DORA, financial entities need to take several concrete steps to establish a comprehensive ICT risk management framework:

  1. Develop a clear ICT Risk Management Policy: Institutions should create a policy that outlines the scope, objectives, and responsibilities concerning ICT risk management.

  2. Conduct a thorough ICT risk assessment: Regular assessments should identify and evaluate the organization’s ICT risks, taking into account vulnerabilities introduced by third-party service providers.

  3. Implement operational controls: Institutions must establish a series of controls that align with their risk tolerance levels, ensuring that all ICT systems are adequately protected.

  4. Create incident response and reporting procedures: Institutions should develop procedures for reporting ICT incidents to ensure timely identification and recovery from disruptions.

  5. Strengthen training and awareness programs: Continuous education for staff on ICT risk management and resilience practices is critical for fostering a culture of compliance.

Evidence and Documentation for Audits

During audits or inspections, financial entities are expected to provide evidence and documentation that demonstrate compliance with DORA requirements. This includes:

  • Written policies and procedures related to ICT risk management.
  • Records of risk assessments, including methodologies used and findings.
  • Documentation of incident reports and responses, highlighting lessons learned.
  • Training records that confirm employee participation in ICT risk awareness programs.

Best Practices for Ongoing Compliance

To maintain compliance with DORA, financial entities should adopt the following best practices:

  • Engage in regular audits of their ICT risk management framework to identify areas for improvement.
  • Maintain open lines of communication with regulatory bodies, ensuring that any changes in compliance requirements are swiftly addressed.
  • Cultivate partnerships with third-party service providers to extend the organization’s resilience capabilities across the entire supply chain.

Conclusion

As financial entities navigate the complexities introduced by the EU Digital Operational Resilience Act, a structured and continuous approach to operational resilience is paramount. Key compliance takeaways include developing a robust ICT risk management framework, addressing common implementation gaps, and fostering a culture of risk awareness throughout the organization.

In a landscape where the potential for disruption is ever-increasing, proactive engagement with DORA’s requirements not only safeguards financial institutions’ operations but also enhances their long-term sustainability and trust among stakeholders.

By taking these measures, financial entities can successfully implement DORA’s provisions, demonstrating their commitment to digital operational resilience in an increasingly challenging environment.


DORA – Enhancing Financial Compliance with ICT Risk Frameworks

Introduction

The EU Digital Operational Resilience Act (DORA) represents a significant regulatory milestone aimed at strengthening the operational resilience of financial entities across Europe. With the increasing reliance on digital technologies and the threat landscape evolving rapidly, DORA establishes a comprehensive framework for managing Information and Communication Technology (ICT) risks. Enacting DORA is crucial as it highlights the necessity for robust operational resilience frameworks that can withstand adverse events, whether they be cyberattacks, technological failures, or other disruptions.

Objectives and Regulatory Scope

DORA aims to create a unified approach to digital operational resilience within the financial sector, ensuring a consistent standard for ICT risk management and resilience practices across all Member States of the European Union. The scope of DORA encompasses a wide array of financial entities, including banks, insurance companies, investment firms, and other critical financial market infrastructures.

Why Operational Resilience and ICT Risk Management are Critical

Operational resilience is pivotal, not only for safeguarding financial stability but also for maintaining consumer trust in the financial system. The rapid digitization of financial services has heightened vulnerabilities, necessitating that organizations adopt proactive measures to predict, absorb, and adapt to disruptions. Therefore, organizations must prioritize ICT risk management as integral to their overall risk governance structure.

ICT Risk Management Framework under DORA

One focal aspect of DORA is the establishment of a robust ICT risk management framework. DORA outlines key elements that financial entities must incorporate to ensure compliance and foster resilience against digital threats.

Operational Impacts and Compliance Challenges

Implementing an effective ICT risk management framework can lead to significant operational impacts. Organizations will need to reassess their current ICT governance framework, identify vulnerabilities, and bolster their risk management strategies. The challenge often lies in integrating these new requirements with existing policies and systems. Many organizations struggle with aligning their risk appetite with operational capabilities, resulting in gaps in compliance.

Regulatory Expectations and Common Implementation Gaps

Regulatory expectations under DORA require that financial entities undertake comprehensive risk assessments, establish clear roles and responsibilities for ICT risk management, conduct regular monitoring, and report on incidents effectively. However, common implementation gaps include:

  • Lack of uniformity in incident reporting mechanisms.
  • Insufficient integration of ICT risk management processes with overall enterprise risk management frameworks.
  • Inadequate training and awareness initiatives among staff regarding ICT risk management protocols.

Practical Compliance Steps for Financial Entities

To navigate the complexities of DORA compliance effectively, financial entities must undertake specific actions to align with the regulatory framework.

Required Policies, Procedures, and Control Frameworks

  1. Develop and Document Policies: Establish clear, documented ICT risk management policies that define the approach to identifying, assessing, and mitigating ICT risks.
  2. Implement Risk Assessment Procedures: Conduct regular risk assessments and ensure they are integrated into the broader risk management framework. Use standardized methodologies to classify and prioritize risks.
  3. Incident Management Framework: Develop robust incident classification procedures, including escalation paths and a clear communication strategy for internal and external stakeholders.
  4. Business Continuity Planning: Ensure that existing business continuity plans account for ICT disruptions and include testing schedules to validate their efficacy.

Evidence and Documentation Expected During Audits or Inspections

Regulatory bodies will require robust documentation as evidence of compliance during audits or inspections. Financial entities should prepare:

  • Detailed risk assessment reports.
  • Documentation of incident management protocols.
  • Records of training sessions related to ICT risk management.
  • Evidence of engagement with third-party ICT service providers and their compliance status.

Best Practices to Demonstrate Ongoing DORA Compliance

Implementing best practices can facilitate ongoing compliance with DORA. These include:

  • Regularly reviewing and updating ICT risk management policies to reflect new threats or technological advancements.
  • Conducting ICT resilience testing exercises at least annually to ensure preparedness for potential disruptions.
  • Engaging with third-party service providers to align their risk management practices with DORA requirements.

Conclusion

In summary, navigating DORA’s compliance landscape necessitates a structured approach to improving digital operational resilience. Financial entities must embrace comprehensive ICT risk management frameworks that align with regulatory expectations while addressing the inherent challenges within their operational processes. As the regulatory environment continues to evolve, it is essential for organizations to adopt a proactive stance, revisiting their policies and training for sustained compliance and resilience.

With DORA’s implementation, the potential to significantly enhance the digital operational resilience of the financial sector is evident. Organizations should view compliance not merely as a regulatory checkbox but as a critical component of their strategic objectives to ensure long-term stability and trust in the financial ecosystem.


NIS 2 – Navigating Compliance for Cybersecurity Frameworks

Introduction

The EU NIS 2 Directive, an extension of the original NIS (Network and Information Systems) Directive established in 2016, is a pivotal piece of legislation focused on enhancing cybersecurity across EU member states. As global cyber threats evolve, the NIS 2 Directive aims to fortify the resilience of critical infrastructure and essential digital services within the EU by establishing stringent security measures and incident response requirements.

Objectives and Scope of the Regulation

The primary objective of the NIS 2 Directive is to improve the overall level of cybersecurity within the European Union by harmonizing cybersecurity requirements across member states. It brings additional sectors and services under its domain, including telecommunications, energy, transport, healthcare, and digital service providers. Specifically, it focuses on both “essential” and “important” entities, reflecting the critical nature of their operations.

Practical Implications for Organizations Subject to NIS 2

For organizations classified as essential or important entities, compliance with NIS 2 is not only a legal obligation but also a critical measure to safeguard their operations, reputation, and customer trust. The directive emphasizes risk management, incident reporting, and governance mechanisms that organizations must adopt for robust cybersecurity practices.

Cybersecurity Risk Management Obligations

Operational Impacts of NIS 2 Compliance

One of the central themes of the NIS 2 Directive is its insistence on proactive cybersecurity risk management. Organizations are required to identify, assess, and mitigate risks to the security of their network and information systems. This involves implementing a wide array of technical and organizational measures tailored to each entity’s specific cybersecurity risk profile.

Compliance Challenges

The primary challenges for organizations lie in the complexity of risk assessment and management processes. Many organizations struggle with understanding how to effectively identify their risk landscape, especially in dynamic environments where new threats can emerge rapidly. This often leads to significant gaps in compliance, as organizations may not have robust processes to assess and manage their cybersecurity risks in alignment with NIS 2.

Another challenge is the documentation and reporting requirements associated with risk management. Organizations must ensure they are maintaining comprehensive records of their risk management activities, which will be scrutinized during compliance audits.

Common Gaps and Regulatory Expectations

Common gaps observed in organizations include inadequate risk assessment methodologies, insufficient incident response planning, and a lack of clear accountability across management levels. Regulatory agencies expect organizations to not only have documented processes but also to demonstrate the effectiveness and continuous adaptation of these processes in response to changing threats.

Practical Compliance Steps

Key Actions Required for Compliance

Organizations must take concrete steps to align their operations with the requirements of the NIS 2 Directive:

  1. Conduct Comprehensive Risk Assessments: Organizations should undertake thorough risk assessments that incorporate a wide range of cyber threats. They must continuously revisit and update these assessments to reflect changes in the risk landscape.

  2. Implement Technical and Organizational Security Measures: Based on the risk assessment outcomes, organizations need to deploy appropriate cybersecurity controls. This includes not only technology solutions but also organizational changes, such as training staff and enhancing incident response capabilities.

  3. Establish Clear Incident Handling Procedures: Develop detailed incident response plans that outline the steps to be taken in the event of a cybersecurity incident. This plan should include roles and responsibilities as well as communication strategies both internally and externally.

  4. Maintain Documentation for Audits: Organizations should prepare and maintain documentation demonstrating compliance efforts. This documentation will be critical during audits and inspections. Records should include risk assessments, security policies, incident reports, and training records.

  5. Adopt Best Practices for Ongoing Compliance: Continual monitoring, regular auditing of controls, and adapting policies as new threats emerge can help organizations maintain compliance in the long term. Establish a culture of security within the organization that emphasizes the importance of compliance at every level.

Expected Documentation During Audits

During audits or inspections, organizations should expect to provide:

  • Detailed risk assessment reports
  • Incident response plans and associated training documentation
  • Security policies and governance frameworks
  • Evidence of ongoing risk management activities, including updates to risk assessments and security measures

Conclusion

In conclusion, the EU NIS 2 Directive sets forth crucial requirements for organizations to enhance their cybersecurity posture. From comprehensive risk management obligations to stringent incident response protocols, compliance presents both challenges and opportunities for critical entities within the EU. To navigate this complex regulatory landscape effectively, organizations must adopt a structured and continuous approach to compliance that not only satisfies regulatory obligations but also fortifies their defenses against an ever-evolving threat landscape. By doing so, organizations can secure their operations and uphold their responsibilities to stakeholders and the broader community.

A well-prepared compliance strategy is not just about adhering to regulations; it is an integral part of the organization’s resilience and sustainability in the face of cyber threats.


How to determine the ‘significance’ of a NIS2 incident: a clear guide to the 9 ENISA criteria

The NIS2 Directive introduces a key concept: not all cyber incidents are the same. Some must be reported because they fall into the category of significant incidents. Under Commission Implementing Regulation (EU) 2024/2690, on which ENISA's technical guidance is based, the security manager's 'impression' is not enough to determine this: nine regulatory criteria must be applied, each with precise thresholds. Note that the Implementing Regulation applies to the digital-infrastructure and digital-service entities it lists (DNS, cloud, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines, social networks and trust service providers); entities in other sectors follow the thresholds set in their national transposition.

The main criteria include:

  • significant financial loss (a direct loss of EUR 500,000 or more, or 5% of annual turnover, whichever is lower)
  • exfiltration of trade secrets
  • compromise of confidentiality, integrity or availability (CIA) caused by suspected malicious or unlawful action
  • serious operational disruption
  • duration of unavailability beyond sector-specific thresholds
  • degradation of response time
  • impact on health
  • percentage of users affected
  • recurrence in the last 6 months (the same incident, with the same apparent root cause, occurring at least twice)

Each criterion requires specific information, comprehensive data and an objective approach. Performing the assessment ‘by hand’ increases the risk of error, with potential consequences in an increasingly stringent regulatory environment.
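The following Python is an added illustration written for this page; it is not the code of the NIS2 Incident Significance Manager product nor ENISA's tooling. It applies the nine criteria listed above to a structured incident record. The financial thresholds (EUR 500,000 or 5% of annual turnover, whichever is lower) and the six-month recurrence rule are taken from Implementing Regulation (EU) 2024/2690; the unavailability and affected-user thresholds are sector-specific in the Regulation, so here they are parameters whose defaults are assumptions. The two sample incidents and their figures are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds quoted in the post (Commission Implementing Regulation (EU) 2024/2690).
FINANCIAL_LOSS_ABS_EUR = 500_000
FINANCIAL_LOSS_TURNOVER_SHARE = 0.05     # 5 % of total annual turnover
RECURRENCE_WINDOW = timedelta(days=182)  # "in the last 6 months"
RECURRENCE_MIN_COUNT = 2                 # same root cause occurring at least twice


@dataclass
class Incident:
    detected_at: datetime
    direct_loss_eur: float
    annual_turnover_eur: float
    trade_secrets_exfiltrated: bool = False
    cia_compromised: bool = False            # confidentiality, integrity or availability hit
    malicious_action: bool = False           # ... as a result of suspected malicious action
    serious_operational_disruption: bool = False
    unavailability: timedelta = timedelta(0)
    response_time_degraded: bool = False
    users_affected_share: float = 0.0        # fraction of the service's users, 0.0 - 1.0
    health_impact: bool = False
    root_cause: str = "unknown"
    prior_same_cause: list = field(default_factory=list)  # detection times of earlier incidents


def financial_threshold_eur(annual_turnover_eur: float) -> float:
    """Loss threshold for this entity: EUR 500 000 or 5 % of turnover, whichever is LOWER.
    A small entity therefore trips the criterion well below EUR 500 000."""
    return min(FINANCIAL_LOSS_ABS_EUR, FINANCIAL_LOSS_TURNOVER_SHARE * annual_turnover_eur)


def is_recurring(inc: Incident) -> bool:
    """True when this incident plus earlier same-root-cause incidents reach the minimum
    count inside the six-month window ending at detection."""
    window_start = inc.detected_at - RECURRENCE_WINDOW
    in_window = [t for t in inc.prior_same_cause if window_start <= t <= inc.detected_at]
    return len(in_window) + 1 >= RECURRENCE_MIN_COUNT


def assess(inc: Incident, *, max_unavailability=timedelta(hours=1),
           max_users_share=0.10) -> dict:
    """Evaluate each of the nine criteria. The two sector-specific thresholds are
    keyword parameters; their defaults here are assumptions, not regulatory figures."""
    return {
        "financial_loss": inc.direct_loss_eur >= financial_threshold_eur(inc.annual_turnover_eur),
        "trade_secrets_exfiltrated": inc.trade_secrets_exfiltrated,
        "cia_compromise_malicious": inc.cia_compromised and inc.malicious_action,
        "serious_operational_disruption": inc.serious_operational_disruption,
        "unavailability_over_threshold": inc.unavailability > max_unavailability,
        "response_time_degraded": inc.response_time_degraded,
        "health_impact": inc.health_impact,
        "users_affected_over_threshold": inc.users_affected_share > max_users_share,
        "recurring_6_months": is_recurring(inc),
    }


def met_criteria(inc: Incident, **thresholds) -> list:
    return [name for name, hit in assess(inc, **thresholds).items() if hit]


def is_significant(inc: Incident, **thresholds) -> bool:
    """An incident is significant as soon as any one criterion is met."""
    return any(assess(inc, **thresholds).values())


# Constructed sample: a small entity (EUR 2 M turnover) loses EUR 120 000 to a
# non-malicious 40-minute outage. EUR 120 000 is below EUR 500 000 but above 5 % of
# turnover (EUR 100 000), so the financial criterion alone makes it significant.
SAMPLE_SMALL_ENTITY = Incident(
    detected_at=datetime(2025, 3, 10, 9, 30),
    direct_loss_eur=120_000,
    annual_turnover_eur=2_000_000,
    cia_compromised=True, malicious_action=False,   # availability hit, but accidental
    unavailability=timedelta(minutes=40),
    root_cause="storage controller firmware bug",
)

# Constructed sample: the same loss at a large entity (EUR 50 M turnover) is below
# its threshold, but it is the second incident with this root cause in six months.
SAMPLE_LARGE_ENTITY = Incident(
    detected_at=datetime(2025, 3, 10, 9, 30),
    direct_loss_eur=120_000,
    annual_turnover_eur=50_000_000,
    cia_compromised=True, malicious_action=False,
    unavailability=timedelta(minutes=40),
    root_cause="storage controller firmware bug",
    prior_same_cause=[datetime(2024, 11, 2, 14, 0)],
)

if __name__ == "__main__":
    for label, inc in (("small entity", SAMPLE_SMALL_ENTITY), ("large entity", SAMPLE_LARGE_ENTITY)):
        verdict = "significant" if is_significant(inc) else "not significant"
        print(f"{label}: {verdict} {met_criteria(inc)}")
```

The "whichever is lower" rule is the part most often missed in a hand assessment: the same EUR 120,000 loss is significant for the small entity and not for the large one, which only becomes reportable because of the recurrence criterion.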

👉 Would you like to see a practical example of applied assessment?
Watch the video demo of the NIS2 Incident Significance Manager software.


NIS 2 – T-SCRM is born – the innovative Software for IT Vendor Risk Management

IT Security of the supply chain is no longer a choice, but an obligation.
The NIS 2 Directive and the DORA Regulation require organisations to ensure operational resilience and control over IT and critical service providers.

This is why we have developed T-SCRM, the Windows PC software that simplifies IT vendor risk management with a practical and documented approach:

✅ Assessment of suppliers according to compliance, cybersecurity and reliability criteria
✅ Incident log with severity index (1 = slight, 5 = critical)
✅ Monitoring of contracts and certifications, with alerts on deadlines
✅ Interactive dashboard with risk indicators and graphs
✅ Automatic reports for audits, the Supervisory Body under Italian Legislative Decree 231/2001, NIS 2 and DORA

Who it is aimed at:

NIS 2 and DORA consultants
IT, Compliance and Procurement Managers
DPOs

With T-SCRM you move from Excel sheets to structured, reliable and compliant management.


New Release: Asset Manager NIS 2 – The Essential Software for Full ICT Asset Mapping and Compliance

Are you a company, public body, or consultant navigating the complexities of the NIS 2 Directive?
The Asset Manager NIS 2 software is built specifically to support your compliance journey.

With this intuitive tool, you can:

✅ Register and classify all ICT assets, distinguishing between critical and non-critical
✅ Link assets to business processes and managers for clear accountability
✅ Manage external ICT providers (e.g., cloud services) in one centralized system
✅ Automatically assess risks, known vulnerabilities, and security measures applied
✅ Generate detailed reports for audits and inspections
✅ Manage unlimited companies under one license

Runs on Windows 10 or later – no web connection required

Ideal for:
Companies subject to NIS 2
Privacy and cybersecurity consultants
Public institutions

Learn more & request a demo here:
 https://edirama.eu/prodotto/software-asset-manager-nis-2-annual-license/

#NIS2 #Cybersecurity #ICTAssets #RiskAssessment #ComplianceTools #DigitalSecurity #Edirama #CyberResilience #ConsultingTools


How to Develop Your NIS 2 Consulting Business with Edirama’s Professional Kits

The implementation of the NIS 2 Directive and the 2025 specifications issued by ACN (Italy's National Cybersecurity Agency) has created a growing demand for consulting services, from essential and important entities to ICT providers working with regulated companies.

For privacy consultants, management systems experts (ISO 27001, ISO 9001, ISO 45001, etc.) and IT auditors, this is the perfect time to expand their services with a concrete and structured offering.

To support this goal, Edirama has developed the NIS 2 Consultant Kit, which combines an Audit Kit, a Documentation Kit and the Asset Manager software.

How each consultant profile can use these tools

1. Privacy Consultant / DPO
Offer a “Privacy + Cyber Risk” package by integrating:

  • Impact assessment on critical data processes using the Audit Kit.

  • Incident and continuity plans from the Documentation Kit.

2. ISO Consultant
Offer a “NIS 2 Compliance Add-On” by integrating:

  • ISO/NIS 2 gap analysis (Audit Kit).

  • NIS 2-specific procedures (Documentation Kit).

  • Asset mapping and risk analysis (Asset Manager Software).

3. IT Consultant / Auditor
Provide a practical technical service, including:

  • Asset classification and service mapping.

  • Security measures implementation.

  • Incident simulation and recovery plans.

Example revenue potential:

Consultant Type | Service Offered              | Avg. Price | Clients/year | Annual Revenue
DPO             | Privacy + NIS 2 Package      | €2,500     | 10           | €25,000
ISO Consultant  | NIS 2 Add-On to ISO          | €3,500     | 8            | €28,000
IT Consultant   | Technical Cyber Risk Package | €5,000     | 6            | €30,000

Now is the time to prepare. The NIS 2 Consultant Kit provides all the tools to start delivering compliant, professional, and high-value consulting services.


DORA: How to Organize Governance, Roles, and Operational Responsibilities

Practical Guide for Companies and Consultants in Managing Digital Resilience

The European Regulation DORA (Digital Operational Resilience Act, EU 2022/2554) clearly states: digital resilience is not just an IT issue. It is an organizational, strategic, and cross-functional duty.

To ensure the continuity of essential services in the event of adverse ICT events, it is necessary to establish solid governance, clearly define roles and responsibilities, and make digital resilience an integral part of the company’s operating model.

In this article, we explore how to structure DORA governance, what to do operationally, and how a consultant can support the process.


Governance: Who Leads Digital Resilience?

DORA establishes that the ultimate responsibility lies with the management body (Board of Directors).
This is not a technical compliance to be entirely delegated to the IT department, but a strategic asset under the direct control of the top management.

The Role of Top Management:

✅ Approve the ICT strategy and risk management plans
✅ Allocate resources, roles, and responsibilities
✅ Monitor incidents and testing activities
✅ Ensure that digital resilience is integrated into the company culture

Decisions cannot be merely formal: the Board must receive periodic reports, updates, and dashboards.
An expert consultant can help create clear and decision-oriented reporting models.


Key Roles to Define (Internally or Outsourced)

Effective DORA governance requires the explicit and documented assignment of roles. Here are the main ones:

ICT Risk Manager

Responsible for assessing, classifying, and monitoring risks related to information systems.

Information Security Officer (CISO / ISO)

Coordinates the implementation of security measures, participates in audits, and promotes a security culture.

Business Continuity Manager

Oversees business continuity and disaster recovery plans, including resilience testing.

Incident Reporting Officer

Manages the detection, recording, classification, and internal/external communication of ICT incidents.

Third-Party ICT Provider Manager

Evaluates critical suppliers, manages due diligence, and coordinates contractual controls and audits.


⚙️ Operational Responsibilities: What to Do and Who Does It

DORA requires companies not only to write procedures but also to demonstrate that roles are effectively operational.

Here are the activities that must be assigned and overseen:

Activity | Involved Role | Frequency
Mapping critical ICT assets | ICT Risk Manager, IT | Annually or upon changes
Assessing ICT risks | ICT Risk Manager | Annually or after significant events
Drafting and updating ICT policies | ISO/CISO | Annually
Simulating business continuity tests | Business Continuity Manager | Annually
Reporting significant ICT incidents | Incident Reporting Officer | Within 24h (internal), as per thresholds for external
Evaluating critical ICT suppliers | Third-Party ICT Manager + Legal | Pre-contract and periodically

How a DORA Consultant Can Act

An expert DORA consultant should:

  • Support in building governance (organizational chart, delegations, decision-making flows)

  • Draft or review policies and job descriptions related to DORA roles

  • Train responsible parties and the Board on minimum competencies required by the Regulation

  • Help create dashboards, reports, and checklists for continuous monitoring

A common mistake? Limiting the work to updating the organizational chart. The real difference lies in making governance operational, active, and verifiable.


Conclusion

The DORA Regulation requires organizations to shift from an isolated ICT model to digital resilience integrated into corporate governance.

To achieve this, it is necessary to:

✅ Clearly define roles and responsibilities
✅ Involve the management body
✅ Assign operational tasks with traceable evidence
✅ Continuously monitor, test, and improve


FAQ: We are ISO 27001 certified, are we DORA compliant?

Not so fast.

ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you’re a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

1. Regulatory vs. Voluntary Framework

↳ ISO 27001 – A voluntary international standard for information security management.

↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus

↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.

↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps

Incident Reporting

↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.

↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

Security Testing

↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.

↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

Third-Party Risk Management

↳ ISO 27001 – Covers supplier risk but with general security controls.

↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?

Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you’re not still at this stage now that DORA has been mandatory since January 17, 2025.)

Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.

Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.

Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.

Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.