FAQ: We are ISO 27001 certified, are we DORA compliant?

Not so fast.

ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you’re a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

1. Regulatory vs. Voluntary Framework

↳ ISO 27001 – A voluntary international standard for information security management.

↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus

↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.

↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps

Incident Reporting

↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.

↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

Security Testing

↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.

↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

Third-Party Risk Management

↳ ISO 27001 – Covers supplier risk but with general security controls.

↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?

  • Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you’re not still at this stage now that DORA has been mandatory since January 17, 2025.)
  • Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
  • Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
  • Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
  • Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

Managing artificial intelligence threats with ISO/IEC 27001

The increasing integration of artificial intelligence (AI) into business processes brings both opportunities and new challenges in terms of information security. To effectively address the threats associated with AI, the adoption of ISO/IEC 27001 provides a structured framework for information security management.

ISO/IEC 27001 and AI Security

ISO/IEC 27001 is an international standard that defines the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). This standard is designed to protect organisations’ information from threats, vulnerabilities and attacks, ensuring confidentiality, integrity and availability of data.

ISO 27001 Controls Relevant to AI

In the field of AI, some specific controls of ISO/IEC 27001 are particularly relevant:

  1. Risk Assessment (Clause 6.1.2): Identify and assess the risks associated with IA systems, considering potential vulnerabilities and specific threats.
  2. Data Security (Clause 8.2): Ensure that data used for training and operation of AI models is protected from unauthorised access and manipulation.
  3. Technical Vulnerability Management (Clause 12.6.1): Implement processes to identify, assess and mitigate vulnerabilities in AI systems, ensuring timely updates and patches.
  4. Access Management (Clause 9.1): Define and control access rights to AI systems, ensuring that only authorised personnel can interact with them.
  5. Security in Development (Clause 14.2.1): Integrate security measures during the development and implementation of AI systems, following secure coding practices and rigorous testing.

Enhancing AI Security with ISO 27001

Implementation of ISO/IEC 27001 helps organisations to:

  • Structure Risk Management: Through systematic risk assessment, organisations can identify and mitigate specific AI-related threats.
  • Establish Operational Controls: Establish operational procedures and policies that ensure the safe and responsible use of AI systems.
  • Ensure Regulatory Compliance: Align with applicable data protection and information security regulations, reducing the risk of penalties.
  • Promote a Culture of Security: Raise staff awareness of the importance of security in the use and development of AI, promoting an organisational culture geared towards information protection.

In addition, the recently published standard ISO/IEC 42001:2023 provides specific guidelines for the management of AI systems, complementing and extending the security measures provided by ISO/IEC 27001.

By adopting an ISO/IEC 27001-based approach, organisations can proactively address AI-related security challenges while ensuring innovation and operational efficiency.

Self-Assessment Checklist:

  1. Risk Assessment
    • Have we identified and assessed the specific risks associated with our AI systems?
    • Is there a documented process for managing AI-related risks?
  2. Data Security
    • Is the data used for training and operating AI models protected from unauthorised access?
    • Have we implemented measures to ensure the integrity and confidentiality of AI data?
  3. Technical Vulnerability Management
    • Is there a procedure for identifying and resolving vulnerabilities in AI systems?
    • Do we regularly monitor vulnerabilities and apply the necessary patches in a timely manner?
  4. Access Management
    • Do we have clearly defined access rights to AI systems?
    • Do we use authentication and authorisation mechanisms to control access to AI systems?
  5. Security in Development
    • Do we apply secure development practices when creating our AI systems?
    • Do we perform regular security tests on our AI models before their implementation?
  6. Regulatory Compliance
    • Are our AI processes aligned with current data protection and information security regulations?
    • Have we documented the measures taken to ensure compliance with applicable regulations?
  7. Security Culture
    • Are our staff trained and aware of AI-related security practices?
    • Do we promote a corporate culture that values information security in the use of AI?

This checklist helps assess the implementation of security controls relevant to AI according to ISO/IEC 27001. A proactive approach to managing these aspects strengthens the overall security of AI systems within the organisation.

Unlocking Professional Opportunities with the DORA Act for Legal, IT, and Privacy Consultants

The Digital Operational Resilience Act (DORA), recently enacted by the European Union, is not just a regulatory requirement; it is a golden opportunity for professionals in legal, IT, and data privacy fields. By ensuring operational resilience in the financial sector, DORA opens doors for consultants to expand their expertise, enhance their services, and meet the growing demand for compliance solutions.

Opportunities for Legal Consultants

Legal professionals are critical to interpreting the complex provisions of DORA, drafting policies, and ensuring organizations align with the regulatory framework. They play a key role in:

  • Drafting contracts and service agreements compliant with DORA requirements.
  • Advising on liability and risk-sharing agreements in outsourcing and ICT third-party relationships.
  • Representing clients in compliance audits and addressing regulatory disputes.

Opportunities for IT Consultants

IT specialists are indispensable in implementing the technical requirements of DORA. Their contributions include:

  • Developing robust cybersecurity measures to meet DORA’s stringent standards.
  • Conducting risk assessments and testing IT systems for resilience.
  • Implementing secure and monitored ICT systems to prevent disruptions.

Opportunities for Privacy Consultants and DPOs

With the increased focus on data integrity and confidentiality, privacy consultants and Data Protection Officers (DPOs) are integral to DORA compliance:

  • Ensuring data protection policies align with both DORA and GDPR requirements.
  • Assisting in secure data processing, storage, and sharing protocols.
  • Providing guidance during regulatory reporting of ICT-related incidents involving personal data.

The DORA Act thus provides a fertile ground for growth and specialization. Professionals who seize this opportunity can position themselves as indispensable partners in helping organizations achieve compliance and operational excellence.

Who Must Comply with the DORA Regulation?

The DORA (Digital Operational Resilience Act) regulation represents a milestone in the European Union’s strategy to strengthen the digital operational resilience of the financial sector. While DORA entered into force on January 16, 2023, its main provisions will become applicable from January 17, 2025. DORA aims to ensure that all financial entities are adequately prepared to manage challenges posed by cyber threats and technological disruptions. But who exactly is required to comply with this regulation? In this article, we will explore the scope of DORA and identify the entities obligated to adhere to its requirements.

1. Regulated Financial Entities

DORA applies to a wide range of financial entities operating within the European Union. These include:

  • Banks: All credit institutions subject to the Capital Requirements Directive (CRD IV).
  • Investment Firms: Companies providing investment services to clients, including those regulated by MiFID II.
  • Insurance and Reinsurance Companies: Including firms operating in life and non-life sectors.
  • Payment Institutions and Electronic Money Institutions: Regulated by the Payment Services Directive (PSD2).
  • Investment Funds: Including UCITS and AIFs (Alternative Investment Funds).
  • Asset Management Companies: That manage funds on behalf of investors.
  • Financial Market Infrastructures: Such as central counterparties, central securities depositories, and regulated market operators.

2. Critical Third-Party ICT Service Providers

In addition to traditional financial entities, DORA extends its application to third-party ICT service providers that offer critical services to financial institutions. These include:

  • Cloud Service Providers: Offering infrastructure, platforms, or software as a service.
  • Data Analytics Providers: Managing or processing sensitive financial data.
  • Network and Communication Service Providers: Ensuring connectivity and security of communications.
  • Other ICT Service Providers: Supplying essential software, hardware, or related services for financial operations.

3. Third Parties and Outsourcing

The regulation recognizes the importance of managing risks associated with outsourcing and the use of third-party providers. Financial entities must:

  • Assess the risks associated with third-party ICT service providers.
  • Continuously monitor the performance and compliance of providers.
  • Establish clear contractual agreements, defining roles, responsibilities, and resilience requirements.

4. Supervisory and Regulatory Authorities

Competent national and European authorities are tasked with:

  • Supervising the compliance of regulated entities with the DORA regulation.
  • Conducting periodic assessments of the digital operational resilience of the sector.
  • Imposing sanctions in case of non-compliance or significant violations.

5. SMEs and Smaller Entities

While DORA has broad applicability, it also recognizes the principle of proportionality. Small and medium-sized enterprises (SMEs) and entities with a lower risk profile may benefit from requirements adapted to their size and operational complexity.

Conclusion

The DORA regulation represents a crucial step towards a more resilient and secure financial ecosystem within the European Union. Its wide application underscores the importance of comprehensive and coordinated preparation against digital threats. With the main provisions becoming applicable from January 2025, it is essential that all affected entities:

  • Fully understand the specific requirements of the regulation.
  • Implement adequate measures to strengthen their digital operational resilience.
  • Actively collaborate with third-party providers and supervisory authorities to ensure continuous compliance.

In an increasingly digital world, operational resilience is not just a regulatory necessity but a fundamental element for customer trust and the stability of the financial market.

Note: This article provides a general overview of the DORA regulation. For specific advice, it is recommended to consult legal or compliance experts.

NIS2 and DORA – What Kind of Consulting Opportunities Do They Provide?

As the European Union continues to evolve its cybersecurity and digital resilience framework, the implementation of the NIS2 Directive and DORA (Digital Operational Resilience Act) has opened up new and diverse consulting opportunities. Both frameworks aim to enhance the cybersecurity posture and operational resilience of critical sectors, presenting a valuable chance for consultants to offer expertise. In this article, we’ll explore the consulting prospects these regulations bring to the market and the specific types of support organizations will need.

1. Risk Assessment and Compliance Readiness

One of the primary consulting needs stemming from NIS2 and DORA is helping organizations assess and understand their current level of compliance. Consultants can:

  • Conduct initial gap analyses to identify areas where a company’s current practices fall short of the regulatory requirements.
  • Evaluate risk exposure, including analyzing existing cyber threats, business continuity plans, and potential vulnerabilities.
  • Develop compliance roadmaps by setting up actionable steps for companies to close gaps and align with the new directives.

2. Policy Development and Implementation

Both NIS2 and DORA require organizations to adopt stringent policies covering various cybersecurity and operational resilience areas. This creates a need for consulting services in:

  • Drafting tailored security policies that address the specific requirements of each directive, as well as the organization’s operational and industry needs.
  • Establishing incident response plans that outline structured procedures to react swiftly to cyber incidents, aligned with regulatory expectations.
  • Policy enforcement training to ensure that policies are not only developed but also implemented across all departments effectively.

3. Cyber Hygiene and Awareness Training

One of the cornerstones of both regulations is ensuring that employees at all levels understand the importance of cybersecurity practices. Consulting services can focus on:

  • Developing and delivering cybersecurity training that covers essential topics, including password management, phishing prevention, and secure handling of sensitive data.
  • Building a culture of cyber resilience by instilling best practices through awareness programs that engage all levels of the workforce.
  • Creating training materials and protocols that comply with NIS2 and DORA standards, ensuring consistent, organization-wide understanding.

4. Incident Management and Response Consulting

Incident response is a critical focus in both NIS2 and DORA, which demand that companies have robust mechanisms in place to handle cybersecurity incidents effectively. Consultants can support by:

  • Establishing incident response teams and workflows that align with the directives’ requirements for timely and organized response to threats.
  • Providing simulation exercises to prepare organizations for potential attacks, such as mock phishing campaigns and cyber-attack simulations.
  • Offering post-incident analysis and improvement plans to refine processes based on lessons learned from previous incidents.

5. Business Continuity and Disaster Recovery Planning

NIS2 and DORA stress the need for comprehensive business continuity and disaster recovery (BC/DR) plans to ensure resilience in the face of disruptions. Consultants can assist by:

6. Supply Chain Risk Management

Both directives emphasize the need for enhanced scrutiny and oversight of third-party vendors and supply chains, as vulnerabilities in these areas can expose organizations to risk. Consulting opportunities here include:

  • Assessing third-party risk by evaluating the security posture of key suppliers and vendors and identifying potential vulnerabilities.
  • Establishing vendor management frameworks that ensure compliance with regulatory requirements while maintaining resilience.
  • Developing vendor risk assessment processes that can be integrated into the organization’s procurement policies to improve security oversight.

7. Cloud Security and Digital Infrastructure Management

With increasing adoption of cloud services, both NIS2 and DORA require organizations to ensure secure management of their digital infrastructure. Consulting opportunities in this area include:

  • Guiding secure cloud migration strategies that align with regulatory requirements, covering aspects like data encryption, access control, and vulnerability management.
  • Auditing cloud providers to ensure they meet necessary security standards, reducing risk exposure from third-party cloud services.
  • Implementing infrastructure monitoring solutions that provide continuous visibility into potential threats and vulnerabilities within an organization’s digital assets.

8. Assistance with Regulatory Reporting and Documentation

NIS2 and DORA impose strict reporting requirements for cyber incidents and regulatory compliance. Consultants can offer support by:

  • Developing standardized reporting protocols to streamline incident reporting processes and maintain clear documentation for regulators.
  • Setting up monitoring systems that can detect and report incidents as per the regulatory requirements.
  • Providing audit preparation and support to ensure that organizations are well-prepared for regulatory inspections and reviews.

Final Thoughts

The NIS2 Directive and DORA are reshaping the cybersecurity and resilience landscape in Europe, creating a high demand for consulting services across various domains. For consultants, this is an opportunity to offer specialized guidance, from initial compliance assessments to detailed policy implementation and incident management strategies. By supporting organizations in meeting these regulatory requirements, consultants can help clients not only achieve compliance but also build robust, resilient systems that are well-prepared to handle the cybersecurity challenges of the future.

NIS 2 Directive and DORA Regulation – The differences in less than 1 minute

| Feature | NIS 2 | DORA |
|---|---|---|
| Full Name | Network and Information Systems Security Directive 2 | Digital Operational Resilience Act (DORA) |
| Adoption Date | 2022 (Member States must transpose it by October 2024) | 2022, effective from January 2025 |
| Scope | All entities operating in essential sectors, including energy, transport, health, finance, and critical infrastructures | Financial sector and its ICT service providers |
| Main Objective | Strengthening cybersecurity in essential and digital sectors, enhancing the resilience of critical infrastructures | Ensuring digital operational resilience of financial entities against cyber incidents or cyberattacks |
| Type of Regulation | Directive (requires transposition into national laws) | Regulation (directly applicable in Member States) |
| Involved Entities | Companies in essential sectors (health, energy, transport, water, public administration) and digital service providers (cloud, online platforms, search engines, etc.) | Banks, financial institutions, insurers, asset managers, and digital service providers in the financial sector |
| Security Obligations | Introduction of cybersecurity requirements for affected entities, including risk management, periodic assessments, and technical and organizational measures | Defining requirements to manage ICT and operational risks, with a focus on operational resilience and third-party risk management |
| Incident Reporting | Obligation to report relevant incidents within 24 hours of detection, with follow-up within 72 hours and final reporting | Obligation to report major cyber incidents to relevant authorities within a specified timeframe (to be defined in the regulation) |
| Sanctions | Member States must provide for effective and proportionate sanctions, with fines of up to 2% of global annual turnover or up to €10 million | Similar sanctions to NIS 2, with a focus on violations in the financial sector |
| ICT Risk Management | ICT risk is part of the overall risk management framework | ICT risk is central, with specific obligations for managing third-party providers and operational risks |
| Supervision and Control | Supervision by national competent authorities in each Member State | Supervision by European financial authorities, such as the European Banking Authority (EBA) |
| Third-party Providers | Focus on the security of essential digital service providers | Stringent obligations for managing risks related to critical ICT providers |

What are the steps to comply with DORA?

The Digital Operational Resilience Act (DORA) requires financial institutions to meet specific criteria to ensure digital operational resilience. Here are the key steps for compliance:

  1. Risk assessment: Identify and assess operational and cybersecurity risks.
  2. Governance and risk management: Establish strong governance to oversee cyber risk management.
  3. Cyber resilience: Ensure IT systems are resilient against cyberattacks.
  4. Operational resilience testing: Conduct regular vulnerability assessments and attack scenario testing to measure control effectiveness.
  5. Incident management: Develop procedures for rapid response and recovery from cyber incidents.
  6. Continuous monitoring: Implement continuous monitoring to quickly detect and respond to threats.
  7. Outsourcing and third parties: Manage risks from external vendors with appropriate security agreements.

How to Use ISO 27001 to Comply With NIS2 and DORA

The evolving regulatory landscape, with the introduction of NIS2 (Network and Information Systems Directive) and DORA (Digital Operational Resilience Act), requires organizations, particularly those operating critical infrastructure or within the financial sector, to align their security and operational practices with stringent requirements. ISO 27001:2022, the internationally recognized standard for information security management systems (ISMS), provides a robust framework to help organizations meet the expectations of these regulations.

This article explores how ISO 27001:2022 can be used to align with NIS2 and DORA through specific mapping and application strategies for critical infrastructure and financial organizations, as well as their suppliers.

1. Mapping ISO 27001 with NIS2

NIS2, a strengthened version of the original NIS Directive, applies to essential and digital service providers. Its focus is on improving cybersecurity capabilities, risk management, incident reporting, and information sharing for critical sectors such as energy, transport, and healthcare.

ISO 27001 can be effectively mapped to NIS2 requirements by following these steps:

  • Risk management: NIS2 emphasizes risk-based security practices. ISO 27001’s risk assessment (clause 6.1.2) and treatment processes (clause 6.1.3) are integral to identifying risks to critical information systems and applying appropriate controls.
  • Incident management: Both NIS2 and ISO 27001 focus on managing security incidents. Clause 16 of ISO 27001 deals with incident management procedures and can be tailored to meet NIS2’s requirements for reporting significant incidents to national authorities.
  • Supply chain security: NIS2 places greater responsibility on securing supply chains. ISO 27001 Annex A.15 addresses supplier relationships, ensuring that the security controls extend to third-party contractors and service providers.

By leveraging ISO 27001’s existing controls, organizations can systematically address the key components of NIS2, allowing them to ensure a holistic cybersecurity posture.

2. Using ISO 27001 for Critical Infrastructure Companies

For companies operating in critical infrastructure sectors, ISO 27001 provides a structured approach to meeting the stringent cybersecurity requirements of NIS2. Specifically, it aids in:

  • Establishing a risk-based approach: Critical infrastructure organizations are required to focus on preventing and managing cyber risks that can disrupt essential services. ISO 27001’s risk assessment process (Clause 6) ensures that organizations continuously identify, analyze, and mitigate risks associated with their operational environments.
  • Ensuring operational resilience: Annex A of ISO 27001 emphasizes business continuity and disaster recovery, which are vital for critical infrastructure. These align with NIS2’s requirements for maintaining operational resilience in the face of cyber incidents.
  • Maintaining compliance with reporting obligations: NIS2 requires timely and detailed reporting of security incidents. ISO 27001’s structured incident management (Clause 16) ensures that organizations have documented procedures to detect, report, and learn from security events.

ISO 27001 helps critical infrastructure organizations stay compliant with NIS2 while improving their overall security posture and operational resilience.

3. Using ISO 27001 for Suppliers of Critical Infrastructure Companies

Suppliers to critical infrastructure companies are also subject to NIS2 requirements. They must ensure that their security practices are robust enough to protect the supply chain. ISO 27001 is particularly valuable here:

  • Supply chain risk management: ISO 27001 Annex A.15 outlines specific requirements for managing risks associated with suppliers, helping them implement appropriate security controls across their relationships with critical infrastructure operators.
  • Compliance with client demands: Critical infrastructure companies often pass on compliance obligations to their suppliers. By implementing ISO 27001, suppliers can proactively demonstrate their commitment to security and regulatory compliance, fostering trust and ongoing partnerships.

ISO 27001 thus ensures that suppliers can meet the stringent security requirements expected by their clients under NIS2.

4. Mapping ISO 27001 with DORA

DORA (Digital Operational Resilience Act) applies to financial institutions and aims to ensure their ability to withstand cyber threats and operational disruptions. It emphasizes the need for robust cybersecurity, incident response, and third-party risk management.

ISO 27001 offers a practical framework that aligns well with DORA’s key requirements:

5. Using ISO 27001 for Financial Organizations

For financial institutions, ISO 27001 plays a crucial role in building a compliant and resilient cybersecurity framework:

  • Meeting DORA’s resilience requirements: Financial organizations are expected to have robust incident detection and response mechanisms under DORA. ISO 27001’s structured processes (Clause 16) ensure that organizations are prepared to detect, report, and respond to incidents, maintaining operational continuity.
  • Regulatory alignment: With DORA’s focus on governance, ISO 27001 ensures that financial organizations have the necessary security governance structure (Clause 5) in place, including roles, responsibilities, and accountability for information security management.

By adopting ISO 27001, financial institutions can align their information security frameworks with DORA’s rigorous operational resilience and risk management expectations.

6. Using ISO 27001 for Suppliers of Financial Organizations

Similar to critical infrastructure suppliers, suppliers of financial organizations face increased scrutiny under DORA. ISO 27001 helps these suppliers align with DORA’s requirements by:

  • Implementing robust security practices: ISO 27001 ensures that suppliers have standardized security practices, making them reliable partners for financial organizations and compliant with DORA’s supply chain resilience expectations.
  • Proactive risk management: Suppliers must identify, assess, and manage risks in their operations to avoid disruptions in services provided to financial organizations. ISO 27001’s risk management framework allows suppliers to continuously manage these risks in line with DORA.

By using ISO 27001, suppliers of financial organizations can ensure that they meet DORA’s operational and security demands, making them a valuable part of the financial ecosystem.

Conclusion

ISO 27001:2022 serves as a powerful tool for aligning with both NIS2 and DORA regulations. Whether for critical infrastructure companies or financial organizations, the ISO 27001 framework provides the necessary structure for risk management, incident response, and third-party security, enabling compliance with these new regulatory frameworks. Suppliers in both sectors also benefit from implementing ISO 27001, as it ensures they meet the heightened security and resilience demands of their clients under NIS2 and DORA.

DORA Compliance: Practical Tips and Common Pitfalls to Avoid

The Digital Operational Resilience Act (DORA) is a European regulation aimed at strengthening the operational resilience of financial firms by prioritizing cybersecurity and business continuity. Achieving compliance with DORA requires a structured and well-thought-out approach. Here are 10 practical tips and common pitfalls to avoid for effective compliance:

1. Understand DORA’s Requirements

First and foremost, it’s crucial to fully understand DORA’s regulatory requirements. The regulation covers a wide range of areas, from IT governance to third-party risk management and incident reporting. A thorough review and deep understanding of its provisions is the initial step toward ensuring compliance.

2. Assess Your Current Operational Resilience

Evaluating your current level of operational resilience helps identify the areas that need improvement to align with DORA. Companies should conduct a risk analysis of their cybersecurity measures and incident response capabilities, using this assessment as a foundation for planning necessary improvements.

3. Create an Incident Response Plan

DORA requires firms to have clear, updated, and actionable incident response plans. These plans should include detailed procedures on how to identify, contain, mitigate, and communicate cyber incidents to minimize the impact on critical services.

4. Manage Third-Party Vendors

One of the most common pitfalls is poor management of third-party risks. DORA imposes strict oversight of third-party vendors, especially those providing critical services. It’s essential to evaluate their cybersecurity levels and operational resilience and ensure they meet the required standards.

5. Implement Regular Resilience Testing

DORA requires financial entities to maintain a digital operational resilience testing programme and to test their ICT systems regularly. This includes vulnerability assessments, penetration testing, scenario-based and attack-simulation exercises, and, for entities designated by their competent authority, threat-led penetration testing (TLPT). A common mistake is conducting these tests superficially or infrequently, which undermines the effectiveness of the whole resilience strategy.

6. Maintain Up-to-Date Documentation

DORA compliance involves accurate and up-to-date documentation. Companies must keep records of all activities related to risk management, operational resilience, and incident management. A common pitfall is neglecting to review and update these documents regularly, leading to outdated information.

7. Regular Staff Training

Staff play a crucial role in operational resilience. Ensuring that employees, especially those in key areas like IT and security, receive regular training on DORA requirements and best practices in cybersecurity risk management is essential to avoid operational errors.

8. Effectively Communicate Incidents

DORA sets clear rules for reporting major ICT-related incidents to the competent authorities. However, timely and transparent communication within the organization and to affected customers is equally important. A common mistake is underestimating how tight the reporting deadlines are and discovering, in the middle of an incident, that nobody owns the notification process.

9. Monitor Regulatory Changes

The regulatory landscape, particularly in technology, is constantly evolving. A common risk is complying with DORA’s initial requirements but failing to account for regulatory updates or new guidelines that may arise. Constantly monitoring changes and adjusting business processes is crucial.

10. Integrate DORA into a Broader Business Strategy

A common pitfall is treating DORA compliance as a separate initiative from the overall business strategy. Operational resilience and cybersecurity risk management should be integrated into every aspect of corporate governance to be effective and sustainable. This ensures long-term compliance and maximizes the benefits of DORA.

Conclusion

DORA compliance requires continuous commitment and a holistic approach to operational resilience. By thoroughly understanding the regulation, avoiding common pitfalls, and implementing practical strategies, organizations can effectively align with its provisions and protect themselves from increasing cyber risks.


Obligations under the DORA (Digital Operational Resilience Act) Regulation

The DORA Regulation, applicable from 17 January 2025, requires all in-scope entities to adopt specific technical and organisational measures to ensure digital operational resilience.

The financial institutions involved will have to prioritise the implementation of an ICT risk management process, aimed at identifying cyber threats in advance and minimising the impact of cyber incidents. The main responsibility for this process will lie with the company’s management body, which will have to assume ‘full and ultimate responsibility’ for:

  • ICT risk management;
  • The definition and approval of the digital operational resilience strategy;
  • The review and approval of the company’s policy regarding third-party ICT service providers.

Risk Assessment Approach

In detail, the DORA Regulation establishes the adoption of a risk assessment approach that includes:

  • The definition of requirements to harmonise the ICT risk management process with a comprehensive view of business processes;
  • The creation of an ICT Risk Management Framework;
  • The development of a resilient strategy for Disaster Recovery and Business Continuity.

Financial institutions will also need to classify ICT-related incidents and cyber threats, based on the criteria established by the DORA Regulation (Article 18), such as:

  • The number and relevance of clients or financial counterparties affected;
  • The duration of the incident, including service downtime;
  • The geographical spread of the incident;
  • Data losses, assessed in terms of the availability, authenticity, integrity and confidentiality of the data;
  • The criticality of the services affected, including the entity's transactions and operations;
  • The economic impact of the incident.

Internal Procedures and Communication

Institutions should establish internal procedures to identify, record and categorise incidents, assigning roles and responsibilities and developing communication plans for stakeholders, including board members.

The classification and tracking of incidents are the basis for the reporting of major ICT-related incidents to the competent authorities designated under Article 46 of the DORA Regulation. This includes:

Obligations regarding Third-Party ICT Service Providers

In the context of ICT risk management, the DORA Regulation also imposes obligations towards third-party suppliers, requiring:

  • The identification, classification and documentation of all processes that depend on third-party suppliers;
  • The inclusion of contractual clauses that allow adequate monitoring of the supplier's activities on services supporting critical or important functions.

Information Sharing and Resilience Testing

The DORA Regulation also promotes, through Article 45, a voluntary cyber threat intelligence sharing programme among financial actors, aimed at preventing new threats and improving the resilience of the financial ecosystem.

Finally, financial institutions will have to test their operational resilience regularly under a digital operational resilience testing programme proportionate to their size, type of business and risk profile (Article 24), with ICT systems and applications supporting critical or important functions tested at least once a year. Entities identified by their competent authority must additionally carry out Threat-Led Penetration Testing (TLPT) at least every three years (Article 26).