DORA: what you need to know

Organisations in the financial sector or that supply ICT (information and communication technology) services to financial organisations in the EU need to prepare for new rules that come into effect in January 2025.

Recognising that the financial sector’s increasing reliance on technology puts it at significant risk of cyber attacks and disruption, the EU has enacted new legislation to strengthen the sector’s cyber security.

DORA (the Digital Operational Resilience Act) provides an approach to digital operational resilience for financial entities in all 27 member states, as well as their third-party ICT service providers – irrespective of those service providers’ location.

The DORA Regulation’s requirements

The main part of the Act is Regulation (EU) 2022/2554 on digital operational resilience for the financial sector – the DORA Regulation.

This sets out security requirements covering five important areas:

  • ICT risk management
  • Incident management, classification and reporting
  • Digital operational resilience testing
  • Third-party risk management
  • Information sharing

The Regulation also establishes:

  • Requirements for contractual arrangements between financial entities and ICT third-party service providers;
  • Rules for an oversight framework for critical ICT third-party service providers when providing services to financial entities; and
  • Rules on cooperation among supervisory authorities, and on supervision and enforcement.

The Regulation entered into force on 16 January 2023 and will apply from 17 January 2025.

DORA technical requirements

Further technical requirements will be set out by the three European supervisory authorities: the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority).

Some drafts are currently available, but until the final versions of these technical requirements are published, financial entities should refer to the DORA Regulation itself, which provides plenty of information about the requirements they will be expected to meet.

How IT Governance EU can help your DORA compliance

Among other DORA obligations, financial entities are required to:

  • Implement an internal governance and control framework to manage ICT risk. This must be backed up by testing of ICT technologies;
  • Have an incident response process, which includes reporting to competent authorities; and
  • Ensure that contracts with third-party ICT suppliers provide suitable assurance of their information security.

The Regulation also enshrines the principle of proportionality, stating that financial entities should take account of “their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations” when implementing measures to meet their obligations – in other words, a risk-based approach, such as that advocated by the international standard for information security management, ISO 27001.

If you are in the Regulation’s scope, we can provide you with all the cyber security and information security services and resources you need to ensure your organisation follows industry-recognised best practice and can demonstrate its compliance with DORA’s information security risk management and testing requirements.

We’re currently developing a suite of DORA products and services, but our experts can already advise you on implementing the cyber resilience measures you need.

We have more than 20 years’ experience helping organisations meet their IT governance, risk management and compliance objectives, and are recognised experts in ISO 27001 implementation, having led more than 800 successful certification projects to the Standard worldwide.

IT Governance is recognised under the following frameworks:

  • CREST certified as ethical security testers.
  • Certified under Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
  • Certified to ISO 27001:2013, the world’s most recognised information security standard.

For guidance on planning your DORA compliance programme, speak to one of our experts today.
