Quadprime


Last Minute Tips before DORA’s Implementation

DORA is not groundbreaking but is the most significant legislation on resilience in the financial sector, and it comes into full effect tomorrow, January 17, 2025.

The Central Bank of Cyprus (CBC) issued a circular to all financial entities licensed in the country, reminding them of the upcoming implementation of the Digital Operational Resilience Act (DORA). The circular, dated 7 January 2025, builds on the European Supervisory Authorities’ (ESAs) announcement in early December 2024, which emphasized the importance of meeting DORA’s 17 January 2025 deadline and provided high-level guidance on key compliance areas.

Below are some last-minute tips to help financial entities ensure that their DORA compliance meets the requirements prescribed by the regulatory authorities:

DORA Implementation Deadline

  • Remember that the deadline for DORA’s implementation is 17 January 2025, and there is no transitional period.
  • Financial entities must be fully compliant with DORA requirements from this date onwards.

Resource Allocation

  • Ensure that you have allocated the necessary resources to implement DORA within the specified timeframe.

ICT Risk Management Assessment

  • Identify and address any gaps between your internal setups and DORA’s requirements.
  • DORA consolidates and enhances requirements in several key areas, including ICT risk management:
    • From 17 January 2025, the CBC will assess institutions under the assumption of full compliance with DORA during ICT risk inspections.
    • This also includes third-party risk management.

Incident Reporting

  • Make sure your organization is prepared for DORA’s new reporting obligations:
    • All institutions must report major ICT-related incidents according to DORA’s provisions from 17 January 2025.
    • The reporting template is based on DORA’s Implementing Technical Standards (ITS).
    • The scope of reporting will also include cyber threats, albeit on a voluntary basis.

Register of Information

  • Submit an annual report on the Register of Information.
  • The first report, with a reference date of 31 March 2025, must be submitted on or soon after the specified date.

Threat-Led Penetration Testing (TLPT)

  • Global Systemically Important Institutions (G-SIIs) and Other Systemically Important Institutions (O-SIIs) are required to perform advanced TLPT regularly, at least once every three years.
  • The CBC may also designate other entities for TLPT based on predefined criteria found in the regulatory technical standards on TLPT.
  • The final list of institutions subject to TLPT will be communicated to those affected.

Third-Party Risk Management

  • Financial entities must have registers of ICT third-party providers’ contractual arrangements available for competent authorities by early 2025.
  • Competent authorities will then need to report these to the ESAs by 30 April 2025.
  • The outsourcing requirements in the Directive on Internal Governance of Credit Institutions will remain in effect until they are repealed.

Supervisory Expectations

  • Authorities will supervise DORA requirements in a risk-based manner, considering the risk profiles, size, scale, and complexity of the financial entities.
  • The CBC will conduct ICT risk inspections to assess institutions for full compliance with DORA.

ICT Third-Party Service Providers

  • The ICT third-party service providers that meet the criticality criteria must assess their operational setup against DORA’s requirements.

EBA & DORA Guidelines Overlap

Many financial entities have already implemented the EBA Guidelines on ICT risk and security management. This provides a strong foundation for DORA compliance, as many of the requirements overlap.

Here’s how to streamline your last-minute DORA preparations, leveraging your existing EBA compliance efforts:

  • Conduct a Gap Analysis:

    • Focus on the unique aspects of DORA: Pay close attention to areas where DORA goes beyond the EBA Guidelines, such as:

      • Third-Party Risk Management: DORA introduces more stringent requirements for assessing and managing third-party risks.

      • Digital Operational Resilience: DORA emphasizes the importance of maintaining operational resilience in the face of digital disruptions.

      • Incident Reporting: DORA requires more detailed and timely incident reporting to regulators.

    • Document your findings: Clearly document any gaps between your current practices and DORA’s specific requirements.

  • Leverage Existing Controls:

    • Identify applicable controls: Determine which of your existing controls (developed in accordance with the EBA Guidelines) can be adapted or reused to meet DORA’s requirements.

    • Enhance existing controls: Where necessary, enhance your existing controls to address DORA’s specific requirements.

  • Prioritize Remediation Efforts:

    • Focus on critical areas: Prioritize remediation efforts based on the identified gaps and the potential impact of non-compliance.

    • Allocate resources effectively: Allocate resources efficiently to address the most critical areas first.

  • Communicate and Collaborate:

    • Internal communication: Ensure effective communication across all relevant departments (e.g., IT, risk, compliance, business) to ensure a coordinated approach.

    • Collaboration with third parties: Collaborate with third-party service providers to ensure they understand and meet their obligations under DORA.

  • Ongoing Monitoring and Improvement:

    • Regular reviews: Conduct regular reviews to assess the effectiveness of your DORA compliance program.

    • Continuous improvement: Continuously monitor and improve your controls and processes to adapt to the evolving regulatory landscape and any emerging threats.

By leveraging your existing EBA compliance framework and focusing on the unique aspects of DORA, you can streamline your preparations and ensure a smooth transition under the new regulatory requirements.

How can Quadprime help you?

At QuadPrime, we offer a wide range of compliance support and technical services under our Operational Resilience Implementation Services (ORIS) including Gap Analysis, ICT Operational Resilience Management Framework, and a wide range of testing services to assist you in establishing an effective DORA framework based on your ICT risk profile.

Our Operational Resilience Implementation Services include:

  • Gap Analysis: Determine current state of the organization and prepare a roadmap to close the gaps with DORA’s requirements.

  • Development, Implementation Planning and Support:
    • Help you optimize your existing cybersecurity and resilience frameworks to align with DORA, avoiding redundant efforts and ensuring optimal compliance.
    • Develop a complete ICT Risk Management Framework.
    • Help you establish governance and map your information assets and your critical business processes, especially those outsourced to third-party providers.
    • Design and develop ICT security tools, policies and plans.
    • Develop BCP and DR plans, as well as incident response plans, impact analysis and tolerances, and testing programs to align with DORA requirements.
    • Review of key contractual provisions of existing ICT third party providers.

  • Technical Expertise: Our team can assist with technical measures required by DORA including:
    • Threat Detection and ICT-related Incident Identification and Response (SIEM and SOC-as-a-Service) to facilitate efficient security incident management.
    • Penetration testing and social engineering.
    • Operational Resilience Testing-as-a-Service, which is a cost-effective and efficient way to assess your preparedness with our support on design and execution of customized tests that simulate real-world scenarios and identify vulnerabilities. We can tailor the testing scenarios to address your specific risks.
    • Scenario simulation testing of ICT tools and systems, inter alia disaster recovery plan testing, and BCP testing.

  • CISO-as-a-Service: We’ll help you bridge the DORA expertise gap by building awareness within your organization and sourcing the external expertise you need to meet DORA’s governance and operational requirements.

Quadprime has been at the forefront of operational resilience for many years. Partnering with QuadPrime means leveraging our extensive experience and expertise in security and resilience. As a member of the MAP S.Platis Group, we offer bespoke information security services that help you address your cybersecurity challenges and protect your value end-to-end.

Contact us today to discuss your DORA compliance needs.
