Countdown to the implementation of the European Digital Operational Resilience Regulation, DORA
Resilience can be defined as the ability to adapt and recover from an adverse situation, and this is the main objective of DORA regulation, to regulate how we should cope with such a situation which, if it were to occur, could have serious consequences.
Such a key sector, on which many other organisations, both public and private, depend, as is the financial sector, must have the appropriate digital operational resilience mechanisms in place to deal with situations that could compromise the normal functioning of operations and, should this inevitably occur, to minimise the impact of an incident to return to normality in the shortest possible time.
Who does DORA regulation apply to?
Article 2 of the Regulation contains a list of the organisations that will have to comply with the European regulation (credit institutions, insurance companies, payment institutions, electronic money institutions, fund managers, pension funds, credit rating agencies, etc.), which are basically the vast majority of organisations in the financial sector, as well as their suppliers, a very important point, as they will be required to contract with third parties considered "insurances", a matter that has yet to be determined.
How will DORA regulation affect me?
Broadly speaking, DORA will have an impact on the entire organisation, including senior management, and can be grouped into different compliance initiatives with an impact on the following groups:
DORA will have an impact on the entire organisation, including senior management
Governance and Regulation
Internal policies, rules and procedures already in place in the organisation should be brought in line with the requirements of DORA, (e.g. bring the incident management procedure in line to include reporting of serious incidents to the European authority).
Organisational Measures
New roles, responsibilities and accountability will be established for the governing body, as well as the appointment of new figures such as the Chief Technology Risk Officer (CTRO) to supervise compliance with the regulation, who will be the person in charge of ensuring compliance with the technological risks faced by the organisation. This new role can be performed internally or through an external company.
ICT security, business continuity and third-party risk management
Security and business continuity will be extended throughout the supply chain. We will no longer only have to assess, address and mitigate our own ICT risks, but we will also have to ensure and monitor that our critical suppliers do the same, so that we can reduce the risks of third-party incidents.
Incident management and reporting
In addition to being able to identify, manage and contain a security incident, we will have to report serious incidents to the competent European authority, through a procedure that has yet to be defined.
We will have to report serious incidents to the competent European authority
Digital operational resilience testing
Any specific risks to which the entity is exposed, and any factors deemed appropriate shall be assessed annually on an independent basis.
Execute annual testing of all critical ICT systems and applications (vulnerabilities, code analysis, performance, capacity, etc.). In addition, specific advanced tests, validated by supervisory authorities.
When does DORA enter into force?
Its effective date of entry into force is January 2025, but due to the large number of initiatives that will need to be implemented, entities are already working to catch up with the requirements of the regulation.
One of the most important issues for adoption is that European supervisory authorities have yet to develop and publish various regulatory technical standards (RTS) specifying how to address and implement some aspects of DORA that are not defined.
The issuance of these RTS is scheduled to take place before July 2024, leaving us little time to achieve compliance. Therefore, the best strategy would be to identify and adopt the measures required by DORA as early as possible, and to adapt them before the publication of the RTS.
How can we help you?
At Izertis we adapt all types of organisations to DORA compliance, from the diagnosis or study of the initial situation, GAP analysis, adaptation of the regulatory framework, supplier security assessment to technical tests to measure digital operational resilience, shall we talk?