Special Bundle DORA consultancy package for Microenterprises

Microenterprises are required to implement all DORA requirements in the same way as larger enterprises. However, DORA allows them a simplified ICT risk management framework, under which the detailed requirements of Articles 5 to 15 do not apply. Our consultancy package supports microenterprises in meeting these requirements with a simplified approach. At Quadprime, we have prepared a special bundle for entities that fall into the scope of DORA but struggle to balance the compliance requirements with their size, complexity, and restricted resources. We are here for you!

Governance and Organisation

1. Senior Executive Appointment (Article 5(3))
  • Microenterprises are exempt from the requirement to appoint a senior executive responsible for overseeing ICT risk exposure and the associated documentation from arrangements concluded with third-party ICT service providers.
Our Support:

Assist in establishing a governance structure that efficiently oversees ICT risk exposure without the need for a dedicated senior executive, ensuring compliance with simplified DORA requirements.

ICT Risk Management Framework

DORA excludes microenterprises from a number of the ICT Risk Management Framework requirements. Our offering is adjusted to support microenterprises in establishing a proportionate ICT Risk Management Framework that weighs their threat environment against these exclusions, which include:

1. Independence of Control Function
  • Microenterprises are not required to ensure the independence of the control function for overseeing ICT risks. This means they are exempt from implementing a three lines of defense model, which typically involves separate ICT risk management, control, and internal audit functions.
Our Support:

Develop a proportional ICT Risk Management Framework that integrates control functions effectively without the need for a separate three lines of defense model.

2. Internal Audits
  • Microenterprises are not required to conduct regular internal audits of their ICT risk management framework by auditors with specific knowledge, skills, and expertise regarding ICT risks.
Our Support:

Establish an internal audit program tailored to microenterprises, ensuring periodic reviews are conducted efficiently without the need for specialised auditors in ICT risks.

3. Risk Assessment After Significant Changes (Article 8(3))
  • Microenterprises are exempt from conducting a risk assessment after any significant change in the infrastructure of network and information systems, processes, or operations affecting their own business functions supported by ICT.
Our Support:

Provide tools and methodologies for conducting risk assessments that align with microenterprises’ operational changes, ensuring assessments are manageable and relevant.

4. ICT Risk Assessment on Obsolete Systems (Article 8(6))
  • Microenterprises are not required to conduct a specific ICT risk assessment on all outdated ICT systems before and after the integration of new technologies, applications, or systems.
Our Support:

Support the evaluation and integration of new technologies, ensuring that risk assessments for outdated systems are simplified and effective.

Detection, Response, and Recovery

1. Comprehensive Crisis Management Function (Article 11(7))
  • Microenterprises are not required to have a dedicated crisis management function defining clear procedures for managing internal and external communication in crisis situations.
Our Support:

Develop crisis management procedures that are straightforward and easy to implement, ensuring microenterprises can manage internal and external communication during crises efficiently.

2. Advanced Digital Operational Resilience Testing (Article 24)
  • Microenterprises are exempt from maintaining and reviewing a comprehensive digital operational resilience testing program as part of their ICT risk management framework. They are only required to conduct tests following a risk-based approach that considers the scale of resources, urgency, type of risk, and criticality of information resources.
Our Support:

Design a risk-based digital operational resilience testing program that is scalable and resource-efficient, addressing the critical needs of microenterprises.

3. Threat-Led Penetration Testing (TLPT) (Article 26)
  • Microenterprises are exempt from conducting advanced threat-led penetration testing (TLPT) every three years. This includes tests involving third-party ICT service providers and assessments validated by competent authorities.
Our Support:

Implement a simplified penetration testing schedule that ensures critical vulnerabilities are tested for and addressed, tailored to the resources and urgency specific to microenterprises.

Third-Party ICT Service Providers

1. Internal Auditors for TLPT (Article 27)
  • Microenterprises are not required to use internal auditors approved by the competent TLPT authority for conducting TLPT and avoiding conflicts of interest.
Our Support:

Provide guidance on conducting TLPT using internal resources, ensuring compliance while avoiding conflicts of interest and maintaining efficiency.

Simplified ICT Risk Management Framework

1. Detailed ICT Risk Management Framework (Article 16)
  • Microenterprises are subject to a simplified ICT risk management framework, which requires establishing and maintaining a sound and documented ICT risk management framework. However, the detailed requirements of Articles 5 to 15 do not apply.
Our Support:

Assist in establishing and maintaining a comprehensive yet simplified ICT risk management framework, ensuring all aspects are documented and align with DORA requirements for microenterprises.
