DORA introduces a framework built on five pillars: ICT risk management; incident reporting; digital operational resilience testing; third-party risk management; and information sharing. Through this digital operations framework, DORA will help firms ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
Under DORA, the management body is responsible for defining, approving and implementing a comprehensive ICT risk management framework. The framework should include a digital operational resilience strategy and the methods used to manage ICT and cyber risk and meet objectives by:
DORA requires financial entities to have an ICT-related incident management process that:
DORA requires all entities to implement a sound and comprehensive digital operational resilience testing programme. It should:
DORA requires financial entities to manage ICT third-party risk as an integral component within their ICT risk management framework and in accordance with the principles defined. These principles include the following:
DORA introduces an oversight framework for critical ICT third-party providers (CTPPs), outlining specific criteria for designating a third party as critical. CTPPs will be charged a fee to cover oversight costs. The oversight framework includes the provision of a ‘lead overseer’ for each CTPP, who will have the power to:
DORA encourages financial entities to exchange among themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing enhances the digital operational resilience of financial entities and is implemented through arrangements that protect the potentially sensitive nature of the information shared. The information-sharing arrangements should also define the conditions for participation, and financial entities must notify the competent authorities of their involvement in such information-sharing arrangements.
In the months ahead, the European Supervisory Authorities (ESAs), through the Joint Committee, will develop common draft regulatory technical standards in relation to:
Our IT risk and Cyber experts can assist with all aspects of DORA compliance, from current state assessments and gap analyses to implementing processes and controls and achieving compliance. Our dedicated project management experts can also ensure that your plans are clear, concise and tracked to completion.
The first step to compliance is a current state assessment and gap analysis to understand the level of maturity of ICT and cyber risk management and identify gaps in compliance with the regulation. In many cases, organisations will be leveraging—or have implemented—existing frameworks or guidelines such as NIS2 or the EBA’s Guidelines on Operational Resilience and Cross-Industry Guidance on Outsourcing, which provide a starting point for compliance. However, DORA is more prescriptive than the existing operational resilience and cybersecurity guidelines. So, while these will be a useful starting point, they will not guarantee compliance with DORA.
A detailed implementation plan must be developed once the current state assessment and gap analysis have been completed. It should provide clear direction on how compliance with DORA can be achieved by January 2025. This plan should be granular, have clear objectives and defined responsibilities, and be time-bound against that deadline. Given the broad scope and nature of the regulation, the implementation plan will likely consist of changes or enhancements to existing policies, processes and documentation, as well as the development of new ones.
With a potentially wide-ranging plan to implement alongside other projects and business-as-usual activities, having a dedicated and experienced team focused on achieving compliance with DORA would benefit many organisations. Each workstream in the plan should have clearly defined deliverables, action owners and milestones, and these should be monitored closely to ensure successful delivery against the project’s timelines. Having worked with organisations of all sizes, we have seen examples of best practices and common pitfalls. As a result, we can bring hugely valuable insights to your organisation to deliver the plan and achieve compliance.