DORA

The aim of the DORA regulation (Digital Operational Resilience Act) is to establish an EU-wide framework for the management of cybersecurity and ICT risks in the financial sector.


aye4fin is your DORA compliance partner

With the growing reliance on digital technologies, not only does the risk of cyberattacks increase, but the potential consequences of such attacks also become more severe. In addition, unintentional and non-malicious IT problems, such as software errors or system failures, also represent a significant risk in the digitalized financial world.

Existing regulations for financial actors, such as BAIT, VAIT and ZAIT, are to be brought into line with the new DORA regulation.

Having supported our clients with compliance efforts, we know that efficiency is key for achieving your desired resilience posture while ensuring compliance with DORA requirements.


ICT risk management

  • Internal governance and control frameworks for effective and prudent management of ICT risks.
  • Identification and classification of all ICT-enabled business functions.
  • ICT security tools, policies and procedures for protection and prevention.
  • Mechanisms for detecting anomalous activity.
  • Backup policies and procedures, and recovery procedures and methods.

Managing ICT third-party risk

  • At least once a year: report on the number of new agreements for the use of third-party ICT services, categories, contractual agreements and functions provided.
  • Essential elements of the contractual agreement between financial company and ICT third party.
  • Maintaining a register of information relating to all contractual agreements between the parties.
  • Ensuring complete monitoring of third-party services.
  • Assessing concentration risk and sub-outsourcing.

Information and Intelligence Sharing

  • Share cyber threat information and intelligence to enhance the industry’s digital operational resilience.
  • Collaboration among trusted communities of financial entities.
  • Voluntary information sharing.
  • Mechanisms to review and act on shared intelligence.
  • The supervisory authorities can ensure a proper balance between cybersecurity and privacy protection.
Management of ICT incident reporting and cyber security

  • Determine an individual process for handling ICT-related incidents.
  • Classification of ICT incidents and cyber threats based on specific criteria.
  • Reporting incidents to regulators and customers.
  • Voluntarily reporting any cyber threats to customers and other financial companies.
  • Centralize incident reporting through ESA in coordination with the ECB and ENISA.

Digital operational resilience testing

  • Develop a program for testing digital operational resilience on at least an annual basis.
  • Advanced threat-led penetration testing every 3 years, with subsequent reporting to the authorities.
  • A set of requirements for the testers.
  • Ensuring testing is conducted by independent internal or external parties.
  • Collaboration with third-party service providers.