What is the DORA Act

Last updated: 2024-03-05

DORA (Digital Operational Resilience Act) is a European regulation that sets uniform requirements for the security of the networks and information systems of organisations operating in the financial sector and of their ICT service providers, such as cloud platforms or data analytics services.

It aims to enhance digital operational resilience by ensuring that financial organizations can withstand, respond to, and recover from various types of cyber breaches.

The five pillars of DORA

  • Introducing a risk management system
  • Reporting significant ICT-related incidents and threats
  • Ensuring ongoing staff training
  • Ensuring continuous and regular inspection, evaluation and testing of resilience
  • Managing risks associated with ICT service providers, and ensuring minimum requirements for contracts with ICT service and solution providers

DORA is a regulation of the European Union, so it will apply directly within the national legislation of EU countries.

  • The regulation will be effective from 17 January 2025

Who is responsible for the introduction of DORA?

  • The statutory body is responsible
  • Top management of the organization (risk manager, IT manager)

Who is affected by DORA

  • DORA applies to almost all financial entities, i.e. companies and organizations operating in the financial sector
  • Auditors will not be covered by DORA, but will be included in a future review of the Regulation, which may revise the rules in question
  • DORA takes precedence over the use of NIS2, which was adopted together with the DORA regulation
  • It will not apply to so-called micro-enterprises

Companies and organisations operating in the financial sector

  • Banks
  • Insurance companies
  • Investment companies
  • Payment institutions
  • Companies in the field of crypto-assets
  • Insurance intermediaries

What DORA means for organizations

In practice, this means that financial institutions must put in place appropriate and proportionate technical, procedural, managerial and organizational measures. The following 10 points summarize what implementing DORA compliance will mean:

  1. Implement a risk management system - risk analysis and assessment
  2. Establish information security guidelines
  3. Implement security management processes
  4. Ensure the security and protection of data and information
  5. Ensure the security of the information system - applications, software, hardware and other IT equipment
  6. Have secure IT service providers, including cloud services
  7. Provide staff training in information security
  8. Implement incident recording, resolution and reporting
  9. Ensure continuity of operation in the event of an accident
  10. Ensure ongoing improvement of the above

Implementing a risk management system means

  • Have the company's risks identified and documented
  • For each risk, have a description of how it is dealt with
  • Continuously assess and re-identify risks

Implementing information security guidelines means

  • Have basic security guidelines such as a Security Policy, a Password Policy, rules for assigning permissions, etc.
  • Have documentation that demonstrates compliance with DORA

Establishing basic security management processes means

  • Control who is granted permissions to a piece of software, and why
  • Control who has access to which areas of the company (keys, access cards)
  • Control who knows which passwords
  • Control who stores which information, and where
  • When an employee leaves, make sure all of their access is revoked
  • When an employee joins, record what access they are given, and to what
  • When an employee changes job title, update all of their access permissions accordingly

Ensuring the security and protection of data and information means

  • Implement data protection such as backup, encryption or other measures
  • Control who has access to data and information

Ensuring the security of software, hardware and IT infrastructure means

  • Ensure regular testing of operational resilience
  • Secure your information systems, applications and software
  • Protect the corporate network against attacks (for example with a firewall and a secure gateway)
  • Operate secure and up-to-date software
  • Have a secure physical infrastructure (for example, if you have a server room)
  • Do not share the Wi-Fi password
  • Implement detection and evaluation of attacks, viruses, malware and other cyber threats

Ensuring secure and reliable ICT service providers means

  • Have an overview of who your ICT service providers are, including cloud services
  • Have an overview of what data you have stored with them
  • Make sure that no unauthorized outsiders, including former employees, can access the data
  • Monitor the risks posed by ICT service providers
  • Contracts with ICT service providers must contain all necessary details

Ensuring staff training in information security means

  • Educate and continuously train employees on the basic types of cyber attacks
  • Educate and continuously train employees on how sensitive data is handled and what can happen if it is not
  • Instruct and continually educate employees on the use of passwords and other login credentials

Implementing the prompt resolution of security incidents means

  • Record attacks, data loss, key loss and other similar security incidents
  • Address the consequences of these security incidents
  • Be able to report a security incident to the relevant authorities
  • Inform clients of incidents that will affect their financial interests

Ensuring business continuity and disaster recovery means

  • Know where your backup data is, how old it is, who to call, and who can perform the restore
  • Have a business continuity plan, emergency plans and recovery plans
  • Know how to react in an emergency
  • Be able to restore the operation of systems

Ensuring improvement of the above means

  • Perform regular inspections, evaluations and testing
  • Make regular updates
  • Perform regular maintenance of IT equipment
  • Carry out regular audits of the actual situation
  • Make changes and improvements to processes, IT equipment and/or policies based on audit results

How we can help you meet your obligations and document compliance with DORA

Aptien makes it easy for you to meet many of your regulatory obligations in one place, across all five pillars. It helps with risk management, incident management, complete compliance documentation, asset information management, and managing the actions that follow up on audit findings, risk analysis or specific incidents. Aptien, as an integrated risk and compliance management system in one environment, will help you with:

Implementing a risk management system

  • Maintaining a risk register as required by the DORA Regulation
  • Maintaining an overview of threats and vulnerabilities
  • Maintaining an overview of information assets and their context

Recording and reporting security incidents and threats related to ICT

Supervision of regular staff training

Monitoring regular inspections and resilience testing

  • Creation of inspection and resilience test plans
  • Monitoring the deadlines for inspections and resilience tests
  • Maintaining information on tests and controls performed on individual IT assets
  • Keeping operational records of your IT equipment and infrastructure
  • Documenting the security of the applications and software used
  • Keeping documentation of stored backups, test plans and maintenance

Managing risks associated with IT suppliers

  • Maintaining information about IT services and their suppliers
  • Maintaining information on service providers and keeping a catalogue of services
  • Maintaining information on suppliers' access
  • Maintaining information about your employees' access to services (e.g. cloud services)
  • Maintaining information on the security of purchased services
  • Management of contracts with IT suppliers (The contract must, for example, stipulate a precise and comprehensible description of all services to be delivered, the conditions for termination of the contract or the provider's obligation to provide assistance to the financial entity in the event of an ICT incident.)

Supporting your security processes

  • Employee onboarding and offboarding support - assigning and removing permissions and access for your employees
  • An overview of who has access to where and why (who holds which key or access card)
  • Keeping control of the keys and cards issued to employees with a simple app
  • Maintaining information about the access and permissions of your employees and suppliers

Business continuity support

  • Documentation of technical and organizational measures to increase network and information security
  • Reminders for regular system testing
  • Reminders for regular process reviews
  • Maintaining business continuity in the event of an attack (business continuity)
  • Procedures and contingency plans
  • Business recovery plans (business continuity plans)