What is DORA?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is part of a new cybersecurity framework targeting the financial sector. DORA was adopted by the Council on November 28, 2022, was published in the Official Journal of the EU on December 27, 2022, and entered into force on January 16, 2023. This was followed by a 24-month implementation period, meaning that the requirements of DORA apply from January 17, 2025, by which date affected companies must have implemented them.

As with NIS2, the intention is to strengthen the protection of critical infrastructure. However, DORA is specifically targeted at the financial sector, where there is a high dependency on ICT services that enable users to access, edit, and transfer information. Enhanced security is to be achieved through strict requirements for managing ICT suppliers and through regular, threat-led testing of network and information systems.


What are the requirements of the DORA regulation?

  • ICT Risk Management: A governance framework and requirements for identifying, protecting against, detecting, responding to, and recovering from ICT risk.
  • Incident Reporting: An expansion of the financial entities' obligations to classify ICT-related incidents and report major ones to their competent authority.
  • Testing: Requirements for basic and advanced testing of digital operational resilience, such as vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT).
  • Vendor Management: Monitoring ICT third-party risk, contractual requirements for ICT service providers, and an EU-level oversight framework for critical ICT third-party providers.
  • Information Sharing: Voluntary exchange of information and intelligence regarding cyber threats and attacks.

What is the purpose of DORA?

  • Improves a company's cybersecurity and minimizes vulnerabilities.
  • Reduces the risk of destructive cyber attacks that could otherwise result in additional costs.
  • Improves incident reporting procedures, which can expedite recovery after an attack.
  • Promotes a proactive approach to risk management, helping to anticipate and prevent future threats.
  • Facilitates easier coordination with other companies and organizations in the EU on cybersecurity.
  • Increases the company's ICT resilience so that operations can be maintained in the event of an attack.
  • Can enhance the company's reputation by demonstrating a commitment to high cybersecurity standards.

Which companies are covered by DORA?

DORA's scope (Article 2) covers, among others, the following financial entities:

  • Credit institutions, payment institutions, investment firms, and electronic money institutions.
  • Insurance and reinsurance undertakings and institutions for occupational retirement provision.
  • Central securities depositories.
  • Credit rating agencies.
  • Crypto-asset service providers.
  • Crowdfunding service providers.
  • ICT third-party service providers that serve financial entities.


How does your organization get started with the implementation process?

The Digital Operational Resilience Act (DORA) builds upon and expands existing regulatory requirements by introducing new obligations for the affected organizations. While many already have experience in managing compliance and regulatory requirements at both national and international levels, DORA presents new requirements that may be less familiar or more extensive than before.

To comply with the regulation, it is crucial for financial organizations to recognize the need for digital and operational resilience. Regardless of the organization's current maturity level, it is essential to initiate or intensify efforts to build this resilience. A good starting point is to conduct a gap analysis to identify any discrepancies between current processes and the requirements outlined in the DORA regulation.


DO YOU NEED HELP WITH THE IMPLEMENTATION?

At Leave A Mark, we have experience implementing multiple security standards alongside DORA.
If you are looking for guidance or assistance with the implementation, click below or call us for a non-binding conversation at +45 535 27000.

Contact form

DORA's Core Areas for Implementation

Core Area 1: Understand the Requirements of DORA

In the first phase, we review the requirements of the DORA regulation and assess how they specifically relate to your organization's context. This includes mapping the areas of your organization that fall under the provisions of the regulation and conducting a gap analysis of them. The result forms the foundation for an implementation plan.

Core Area 2: Risk Management

Based on the implementation plan, a framework for ICT risk management will be implemented. We will determine the appropriate level of ICT security and assess the current ICT infrastructure, systems, and processes to identify risks. This includes conducting a risk analysis of the identified risks. Based on the risk analysis, policies, procedures, and other measures will be developed and implemented to minimize or eliminate these risks. Once these processes are in place, continuous monitoring will be established to ensure that risks continue to be effectively managed within the organization.

Core Area 3: Testing of Contingency Plans & Testing and Monitoring of ICT Security

Another requirement of the regulation is a testing programme for digital operational resilience. All financial entities must run basic tests, such as vulnerability assessments and scans, scenario-based tests, and penetration tests. In addition, financial entities identified by their competent authority must carry out advanced testing in the form of Threat-Led Penetration Tests (TLPT) at least every three years. A TLPT is an intelligence-led simulation of the tactics, techniques, and procedures of real threat actors against the organization's live, critical systems, with the aim of identifying and exploiting vulnerabilities. The purpose is to uncover weaknesses and identify areas at risk of unauthorized access or data loss before a real attacker does.

Core Area 4: Vendor Management

The regulation also introduces stricter requirements for the management of ICT third-party risk for companies in the financial sector. We will assess both existing and potential vendors to ensure compliance with the DORA regulation. This involves establishing criteria for selecting vendors based on their security measures and adherence to security standards. In this context, the contractual provisions DORA requires will also be incorporated into contracts with both current and future vendors. Subsequently, regular monitoring will ensure that vendors meet their contractual obligations.

Core Area 5: Incident Reporting

Another requirement of the regulation is that the company must establish specific procedures for detecting, classifying, documenting, and reporting ICT-related incidents. This entails a significant expansion of the financial entities' obligations regarding incident reporting: major ICT-related incidents must be reported to the competent authority in stages, with an initial notification followed by an intermediate report and a final report. Our advisors will therefore develop clear guidelines and procedures for internal incident handling and reporting, establish reporting channels, and define timelines for submission.

Core Area 6: Information Sharing

Organizations must also address the exchange of information and intelligence regarding cyber threats. DORA allows financial entities to exchange cyber threat information and intelligence with each other on a voluntary basis within trusted communities, and competent authorities may provide anonymized information and intelligence on similar threats as feedback on reported incidents. Our advisors will establish policies and procedures to ensure that information received from authorities and peers is reviewed and effectively acted upon across the organization.