DORA, the six pillars, and how to get compliant
The Digital Operational Resilience Act (DORA) is a new EU regulation that aims to provide a harmonized framework for digital operational resilience and cybersecurity. It emerged from the need to establish minimum rules regarding the security of networks and information systems currently in force within the European Union.
DORA is a significant step forward in ensuring that financial institutions are better prepared for cyber threats. It does so by providing a harmonized framework for digital operational resilience and cybersecurity.
The act includes six pillars for financial services to focus on to maximize their digital resilience. These six pillars are:
1. Governance & Organization
2. ICT Risk Management Framework
3. ICT Incident Management, Classification & Reporting
4. Digital Operational Resilience Testing
5. Third-Party Provider Risk Management
6. Information Sharing
Governance & Organization
The Governance & Organization pillar aims to ensure that financial institutions have a clear governance structure and effective management processes in place to manage their ICT and cybersecurity risks. This includes establishing clear roles and responsibilities for managing ICT risks, ensuring that the board of directors is informed about ICT risks and that there is a clear escalation process in place for managing these risks.
ICT Risk Management Framework
DORA stipulates that financial institutions must have a comprehensive risk management framework in place to manage their ICT risks. This includes identifying and assessing ICT risks, implementing appropriate controls to mitigate these risks, and monitoring and reporting on the effectiveness of these controls. The framework should be integrated into the overall risk management framework of the institution.
ICT Incident Management, Classification & Reporting
The ICT Incident Management, Classification & Reporting pillar aims to ensure that financial institutions have effective processes in place to manage ICT incidents. This includes establishing clear incident management procedures, classifying incidents based on their severity and impact, and reporting incidents to relevant authorities. The goal is to ensure that financial institutions can respond quickly and effectively to ICT incidents and minimize their impact.
Digital Operational Resilience Testing
Digital Operational Resilience Testing includes conducting regular testing of critical business services and IT systems, identifying vulnerabilities and weaknesses, and implementing appropriate remediation measures. The goal is to ensure that financial institutions are able to maintain their critical business services even in the face of disruptive events.
Third-Party Provider Risk Management
The Third-Party Provider Risk Management pillar includes conducting due diligence on third-party providers, establishing clear contractual arrangements, and monitoring third-party providers for compliance with relevant regulations. The goal is to ensure that financial institutions can manage the risks associated with third-party providers and maintain their operational resilience.
Information Sharing
The Information Sharing pillar focuses on effective information sharing between financial institutions and relevant authorities. This includes establishing clear channels for information sharing, guaranteeing that information is shared in a timely and effective manner, and protecting the confidentiality of sensitive information. The goal is to ensure that financial institutions will respond effectively to disruptive events and maintain their operational resilience.
When do I need to have all this in place?
The Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023. Financial entities in the European Union and their critical ICT providers must be ready to comply with DORA by 17 January 2025.
Regulativ.ai can help you achieve this outcome rapidly, with minimum fuss, and at a reasonable cost. If you would like to learn more about DORA as a Service, contact Mark Weston at mark.weston@regulativ.ai or on LinkedIn.