What is DORA?
DORA is a European Union regulation that creates a binding, comprehensive ICT risk management framework for the financial sector.
DORA is the Digital Operational Resilience Act.
The Digital Operational Resilience Act (DORA) is a European Union regulation designed to accelerate cyber resilience capabilities among financial services institutions. DORA will focus more on resilience and recovery as opposed to traditional detect-and-protect methods to combat operational disruptions, like cyberattacks.
Contact Titanium Consulting to learn how we can help your organisation align to the following five core pillars of DORA:
• ICT Risk Management
• ICT-related Incident Reporting
• Operational Resilience and Testing
• Third Party Risk Management
• Intelligence Sharing
Does DORA apply to the UK?
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. The regulation introduces specific and prescriptive requirements for all financial market participants.
To impose new regulatory standards on technology providers in the financial services sector, the UK government has hinted that it will legislate for a UK equivalent of the EU’s Digital Operational Resilience Act (DORA) in the coming legislative year.
On this basis, UK organisations should begin early planning and discovery, and Titanium Consulting can help with this.
What are the five Pillars of DORA?
Information and Intelligence Sharing: There is also opportunity for financial institutions to consider engaging in greater threat intelligence sharing with other financial institutions. DORA envisions a “trusted community of financial entities” through membership arrangements that enable the sharing of information and potentially also the involvement of technology providers and regulatory authorities.
Risk management: DORA may require changes to be made to a financial institution’s overall risk management framework. A review of governance arrangements, policies, controls and risk assessment and mapping activities may be required to align current practices with DORA’s specific requirements.
Incident reporting: DORA introduces new requirements for preparing for, responding to, and reporting on major technology incidents. This regime is broader than GDPR, as it covers ICT incidents and not only (personal) data breaches. Consideration will also need to be given to voluntary arrangements for reporting cyber threats, as opposed to incidents.
Resilience testing: Threat-led penetration testing on live production systems features as one aspect of DORA’s approach to detecting and mitigating vulnerabilities, adverse events and cyber-attacks. As part of a broader digital operational resilience testing programme, all ICT systems and applications supporting critical or important functions will need to be tested, and effective follow-up remedial activities will need to take place.
ICT third party risk management: Contracts in place with third party technology providers may need to be varied to comply with DORA. Unlike other regulatory regimes, consideration will need to be given both to arrangements that are usually classified as outsourcing and to those that are not.
When does DORA come into effect?
DORA entered into force on 16th January 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by early 2025.