DORA (Digital Operational Resilience Act) is a European regulation that sets uniform requirements for the security of networks and information systems of organisations operating in the financial sector and their suppliers of information technology and IT services, such as cloud platforms or data analytics services.
It aims to enhance digital operational resilience by ensuring that financial organizations can withstand, respond to, and recover from various types of cyber breaches.DORA is a regulation of the European Union, so it will be directly transposed into national legislations of EU countries.
- The regulation will be effective from 17.1.2025
The five pillars of DORA
- Introduction of a risk management system
- Incidents reporting
- evaluation and testing of resilience
- Vendor management & third party risks
- Sharing information
Who is responsible for the introduction of DORA?
- the statutory body is responsible
- top management of the organization (risk manager, IT manager)
Who is affected by DORA
- DORA applies to almost all financial entities, i.e. companies and organizations operating in the financial sector
- Auditors will not be covered by DORA, but will be included in a future review of the Regulation, which may revize the rules in question.
- DORA takes precedence over the use of NIS2 which was adopted together with the DORA regulation.
- It will not apply to so-called micro-enterprises
Companies and organisations operating in the financial sector
- Banks
- Insurance companies
- Investment companies
- Payment institutions
- Companies in the field of crypto-assets
- Insurance intermediaries
How we can help you meet your obligations and document compliance with DORA
Aptien makes it easy for you to meet much of your regulatory obligations in one place, across all five pillars. It helps with risk management, incident management, complete compliance documentation, asset information management, and managing your actions that follow up on audit findings, risk analysis or result from specific incidents. Aptien, as an integrated risk and compliance management system in one environment, will help you with:
Implementing a risk management system
- Guidance risk register as required by the DORA Regulation
- Maintaining an overview of threats and vulnerabilities
- Maintaining an overview of information assets and their context
Recording and reporting security incidents and threats related to ICT
- Records and incident handling related to ICT and all related information
- Reporting security incidents
Supervision of regular staff training
- Creating training plans
- Monitoring for mandatory cyber security training
- Maintaining policies and work procedures
- Digital familiarisation of your employees with policies and other documentation
By monitoring regular inspections and resistance testing
- Creation of control and resilience test plans
- Monitoring the deadlines for inspections and resistance tests
- Maintaining information on tests and controls performed on individual IT assets
- Keeping operational records of your IT equipment and infrastructure
- Documentation security of applications and software used
- Keeping documentation of stored backups, test plans and maintenance
Managing risks associated with IT suppliers
- Maintaining information about IT services and their suppliers
- Maintaining information on service providers and keeping a catalogue of services
- Maintaining information on suppliers' approaches
- Maintaining information about your employees' access to services (e.g. cloud services)
- Maintaining information on the security of purchased services
- Management of contracts with IT suppliers (The contract must, for example, stipulate a precise and comprehensible description of all services to be delivered, the conditions for termination of the contract or the provider's obligation to provide assistance to the financial entity in the event of an ICT incident.)
- Manage risks associated with ICT service providers, ensure minimum requirements for contracts with ICT service and solution providers
Supporting your security processes
- Employee onboarding and offboarding support - assigning and removing permissions and access for your employees
- Get an overview of who has access to where and why (who has what key or access card)
- Be in control of the issued keys and cards to employees with a simple app
- Maintaining information about the access and permissions of your employees and suppliers
Business continuity support
- Documentation of technical and organizational measures to increase network and information security
- Notification of regular testing of systems
- Drawing attention to regular process reviews
- Maintaining business continuity in the event of an attack (business continuity)
- Procedures and contingency plans
- Business recovery plans (business continuity plans)
- Maintaining business continuity in the event of an attack (business continuity)