Digital Operational Resilience for the Financial Sector Act (DORA)

The Digital Operational Resilience Act (DORA) entered into force on 16th January 2023. It outlines EU regulations for information systems security for financial entities.

The requirements cover several key areas, including: ICT risk management, ICT-related incident reporting, resilience testing, information and intelligence sharing and third-party ICT risk.

The Regulation covers most financial services entities, including third parties. While there are some organisations to which the Regulation does not apply, in time most organisations will aspire to comply with the guidelines.

ICT has gained a pivotal role in the provision of financial services, to the point where it has now become critical in the operation of daily functions of financial entities. In introducing this Act, the European Union is attempting to both upgrade the ICT requirements and consolidate them into one Union-wide Act. This will help reduce regulatory complexity, foster supervisory convergence and increase legal certainty. It will also reduce compliance costs, especially for financial entities operating across borders.

The regulation will become applicable in Jan 2025, so organisations must now begin to plan and implement the changes that will be required.

Begin with a DORA strategy that is in line with organisational goals:

  • Explain how the framework supports the entity’s strategy and objectives.
  • Establish risk appetite / risk tolerance for ICT risks
  • Set out information security objectives and Key Performance Indicators (KPIs)
  • Establish Key Risk metrics / Key Risk Indicators (KRIs)
  • Articulate what, if any, changes are required in the existing ICT architecture/infrastructure
  • Be able to outline what’s in place to protect assets, detect incidents and mitigate their impact
  • Be able to demonstrate the effectiveness of controls based on incidents reported
  • Implement resilience testing, including pen tests, open source analyses, source code reviews, scenario-based exercises and compatibility testing.
  • Define a communications strategy for use in the event of an incident.

There is much to be done and just 18 months left to do it. Organisations need to make a start now to ensure they are fully compliant by Jan 2025.

You can contact us directly to avail of a free tailored demo to see how CalQRisk can streamline risk management processes with these regulations.

 

 
