Microenterprises are required to implement all DORA requirements in the same way as larger enterprises. However, DORA allows them a simplified ICT risk management framework, under which the detailed requirements of Articles 5 to 15 do not apply. Our consultancy package supports microenterprises in meeting these requirements with a simplified approach. At Quadprime, we have prepared a special bundle for entities that fall within the scope of DORA but struggle to balance the compliance requirements against their size, complexity, and limited resources. We are here for you!
Assist in establishing a governance structure that efficiently oversees ICT risk exposure without the need for a dedicated senior executive, ensuring compliance with simplified DORA requirements.
A number of DORA requirements for the ICT Risk Management Framework do not apply to microenterprises. Our offering is adjusted to support microenterprises in establishing a proportional ICT Risk Management Framework, weighing their threat environment against these exclusions, which include:
1. Independence of Control Function: Develop a proportional ICT Risk Management Framework that integrates control functions effectively without the need for a separate three lines of defence model.
2. Internal Audits: Establish an internal audit programme tailored to microenterprises, ensuring periodic reviews are conducted efficiently without the need for auditors specialised in ICT risk.
3. Risk Assessment After Significant Changes (Article 8(3)): Provide tools and methodologies for conducting risk assessments that align with microenterprises' operational changes, ensuring assessments are manageable and relevant.
4. ICT Risk Assessment on Obsolete Systems (Article 8(6)): Support the evaluation and integration of new technologies, ensuring that risk assessments for outdated systems are simplified and effective.
Develop crisis management procedures that are straightforward and easy to implement, ensuring microenterprises can manage internal and external communication during crises efficiently.
2. Advanced Digital Operational Resilience Testing (Article 24): Design a risk-based digital operational resilience testing programme that is scalable and resource-efficient, addressing the critical needs of microenterprises.
3. Threat-Led Penetration Testing (TLPT) (Article 26): Implement a simplified penetration testing schedule that ensures critical vulnerabilities are tested and addressed, tailored to the resources and urgency specific to microenterprises.
Provide guidance on conducting TLPT using internal resources, ensuring compliance while avoiding conflicts of interest and maintaining efficiency.
Assist in establishing and maintaining a comprehensive yet simplified ICT risk management framework, ensuring all aspects are documented and aligned with the DORA requirements for microenterprises.