Digital Operational Resilience Act (DORA)

DORA places great emphasis on the overall responsibility of the governing body for digital operational stability. Management must ensure that the company has an effective risk management system for ICT risks and is adequately protected against ICT disruptions and cyber-attacks.

To this end, DORA envisions a holistic ICT risk management framework as fundamental to creating resilient financial enterprises. This enables ICT risks to be identified, assessed, managed and monitored.

One example of the implementation of the DORA requirements is the establishment of resilient ICT systems in the pan-European economic area.

Financial organisations need to ensure that their IT systems and processes can detect and responding to potential threats quickly and effectively.

To increase responsiveness, DORA specifies, among other things, requirements for processes and systems to promptly detect and defend against potential threats.

One example of how this requirement is implemented is automatic network isolation in the event of cyberattacks. This minimises the risk of data loss or system failure and facilitates the restoration of normal operations.

Another DORA requirement is to standardise reporting requirements for serious ICT incidents across the European financial industry. This should help improve the response to such incidents and ensure effective cooperation between national and European authorities.

One example of the implementation of this requirement is the introduction of uniform procedures for monitoring, classifying, and reporting ICT incidents to the relevant authorities.

Regular testing of the operational stability and security of critical IT systems is crucial to the smooth operation of financial enterprises. To ensure that potential ICT disruptions are identified and remediated, a risk-based approach is used in these tests.

One example of the implementation of this requirement is the performance of penetration tests on live production systems at least every three years. This involves a targeted search for vulnerabilities in the system to identify potential attack vectors and take appropriate countermeasures.

DORA is designed to enable financial companies to effectively monitor the risks posed by ICT third-party providers. This is particularly important as more and more financial firms rely on third-party services for their IT systems and processes.

One example of the implementation of this requirement is the introduction of penalties and new termination options for third-party ICT providers that fail to comply with requirements of the DORA regulation. These measures will enable financial firms to ensure robust monitoring of the risk posed by third-party ICT providers.