NEWS & INSIGHTS
DORA: A Practical Guide for Financial Institutions
and ICT Service Providers
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU Regulation, published in December 2022 and coming into effect in January 2025, with the aim to establish a coherent approach to information and communication technology (ICT) risk in the Financial Sector and strengthen the operational resilience of the financial services industry. It consolidates previous legal acts and improves rules with respect to ICT risk management, incident response, operational resilience testing and ICT third party monitoring.
The clock is ticking for financial institutions (FIs) and critical third-party ICT service providers in the EU. The Digital Operational Resilience Act (DORA) takes effect in January 2025, mandating stricter cybersecurity measures. This guide equips you with some simple steps to navigate the DORA implementation process. We’ve done the heavy lifting and read through the lengthy official documents and laid down the vital few, so you don’t have to.
Phase 1: Laying the Groundwork
- Set up a dedicated team with representatives from IT, risk management, compliance, and legal departments. This team will spearhead the DORA implementation, manage communication, and track progress. Top Management will need to oversee and step in where decisions need to be made and resources should be committed.
- Assess your current posture against DORA’s requirements. Identify gaps in areas like risk management, incident reporting, and third-party oversight. Tools like risk assessment frameworks and auditing can be helpful for this purpose.
- There are Regulatory Technical Standards (RTS) that you need to consider for guidance on specific aspects of DORA.
- Create a roadmap outlining the steps required for compliance. This plan should include clear milestones, timelines, resource allocation, and budget estimates. Prioritise high-impact activities and address critical gaps first. We have a robust Roadmap for entities of any size and any maturity level. You can find the Roadmap here.
- DORA’s regulation and the respective RTS suggests that organisations should consider collaborating with Cybersecurity consultants experienced in DORA compliance. They can guide your implementation strategy and ensure alignment with legal requirements. For more technical details, you may refer to the latest Regulatory Technical Standards (RTS) drafts available. Depending on the type of your organisation other legal requirements coexist and may require DORA compliance (e.g. MiCA).
Phase 2: Building a DORA-Compliant Framework
- Regular Vulnerability Assessments: Regularly scan critical systems for vulnerabilities using industry-standard tools.
- Security Controls Implementation: Implement robust security controls over a wide range of both technical and organisational like access controls, data encryptions, firewalls, loggin and monitoring incident
- Response Plan: Develop a detailed incident response plan outlining procedures for detecting, responding to, and recovering from cyber incidents
- Develop an effective incident response plan. Establish clear and efficient procedures for reporting major incidents to relevant authorities within the stipulated timefrrames. Train your staff on incident identification, reporting protocols, and escalation procedures. Check the Regulatory Technical Standards on criteria for the classification of ICT-related incidents for more guidance and thresholds on mandatory incident notifications.
Regularly assess the effectiveness of your ICT systems and processes. This includes:
- Penetration Testing: Conduct penetration testing to identify exploitable weaknesses in your systems and applications.
- Incident Response Drills: Simulate cyberattacks through incident response drills to test your team’s preparedness and identify areas for improvement.
- Business Continuity Exercises: Ensure your business continuity plan is robust and can be executed effectively in the event of a major disruption. Business Continuity Governance is important for a fast and effective return to full operation after a disruptive incident.
Since FIs rely heavily on third-party ICT service providers, it’s crucial to assess their security posture. This entails:
- Third-Party Risk Assessments: Conduct thorough risk assessments of your critical ICT service providers. Evaluate their security controls, incident response plans, and overall cyber hygiene.
- Contractual Agreements: Ensure contracts with third-party providers clearly define security expectations, responsibilities, and incident reporting protocols.
- Register of information: A complete inventory of ICT services provided by third party ICT providers, identifying the type, the function, audit requirements, exit criteria, contingency measures for business disruption due to failed provision of ICT services and other.
Phase 3: Continuous Improvement and Communication
- Communicate DORA’s requirements clearly and effectively across all levels of your organisation. Train your staff on cyber risk awareness, incident reporting procedures, and their roles in maintaining operational resilience.
- Keep accurate records of your DORA compliance efforts, including risk assessments, incident reports, and testing results. This documentation will be crucial for regulatory audits.
- DORA compliance is an ongoing process. A proper organisational structure and governance to regularly monitor your ICT environment, update your risk assessments, and refine your incident response plans will safeguard continuous improvement, ensure compliance and help you stay ahead of evolving cyber threats.
Building Resilience Together
DORA brings challenging topics that require particular focus. For this reason, the Supervisory Authorities have issue Regulatory Technical Standards (RTS) that identify further elements related to ICT risk management with a view to harmonise tools, methods, processes and policies. These elements are complementary to those identified in DORA.
Nevertheless, one size doesn’t fit all. The RTS identify the key elements that financial entities subject to the simplified regime and of lower scale, risk, size and complexity would need to have in place, setting out a simplified ICT risk management framework. By implementing a well-structured and collaborative approach, FIs and ICT service providers within the EU must work together and seek building a culture of digital operational resilience. DORA is not just a regulatory hurdle; it’s an opportunity to strengthen cybersecurity posture, safeguard data, and protect the critical and important business services and your organisation as a whole. Remember, a strategic approach, open communication, and a dedication to ongoing streamlining of DORA compliance framework is the recipe to navigate the DORA requirements and take advantage of the focus on digital financial services.
How can QuadPrime
help you?
This guide provides a general overview, and of course does not substitue profesionnal advice. If you need more detailed support and you are not sure where you can start, please dont hesite to contact us.
QuadPrime, a member of the MAP S.Platis Group, specialises in security and resilience advisory services. We offer customised solutions to help financial firms comply with DORA’s requirements.
QuadPrime champions a resilience-centric approach, partnering with clients to continuously build their capacity to withstand and recover from increasingly disruptive events.
• Seasoned Team: Our team consists of cybersecurity professionals with extensive experience in compliance frameworks like DORA and ISO standards.
• Proven Track Record: We have a successful history of helping organisations achieve and maintain compliance with various regulations.
• Understanding of the Specific Regulatory Environment: We provide the seamless integration of DORA within existing Frameworks leading to significant cost savings throughout the compliance process.
We are a one stop shop for DORA compliance. Our services extend to cover consultation, testing and technical solutions as per DORA requirements. We have a special bundle of services for microenterprises. Contact us today to find out more.