Join the Community

22,178
Expert opinions
44,235
Total members
412
New members (last 30 days)
212
New opinions (last 30 days)
28,725
Total comments

Preparing for DORA

The Digital Operational Resilience Act (DORA) will enter into force on the 17th January 2025. After this point, banks, other financial institutions, and all organisations providing services and products in the financial sector in the EU will be required by law to adhere to the regulation.

This includes explicit rules around areas including incident reporting, ICT risk management, operational resilience testing and ICT third party risk monitoring. Operational resilience in particular, or rather a lack of, has been specifically acknowledged as having the potential to put the whole financial system at risk in the context of a serious incident.

Why should the UK take note?

While the fundamental goal of DORA is to apply a set of uniform requirements for the security of the IT infrastructure of companies and organisations in the financial sector across the EU, critically it also applies to any third parties providing ICT related services to them. This could include data analytics or cloud provision services for example.

As a result, all firms will need to ensure that they can mitigate, respond to and recover from the myriad of potential IT related disruptions and threats they could face. This encompasses the entire financial sector from asset management, credit, crypto-asset service providers, banking and insurance to investment firms.

How can firms best prepare?

Traditionally, the capabilities of financial institutions to detect, respond, recover and protect themselves from breaches, cyber-attacks, data compromise and other serious IT incidents has varied substantially from organisation to organisation.

A key area organisations may want to consider exploring as they embark on their preparations to meeting compliance with DORA is to ensure they are armed with the necessary skills and capabilities. There are a number of avenues to explore here, including:

  • Regular training - financial organisations will need to implement a programme of regular training, not only for staff specifically responsible for IT and security, but also the board/management team. IT security and best practice should be embedded as a compulsory part of all staff training, including senior management. There are a number of training exercises that may prove valuable to help with this, including threat hunting, capture-the-flag and live-fire.
  • Resilience testing - establishment of a digital operational resilience testing programme is a key requirement as part of DORA. This programme will vary in terms of its scale and complexity depending on the organisation’s risk profile, size and nature of business. However, all financial firms will need to ensure their IT systems and applications are tested at a minimum of once a year by an independent party. Furthermore, more advanced threat-led penetration testing (also known as red/purple team assessment) has to be carried out at least every three years.

Time to act

While 2025 may seem like a long away, the reality is that taking the necessary steps to ensure compliance with DORA needs to start happening now. Any organisation operating in or providing IT related services to the financial sector within the EU should start strategically and operationally planning before it is too late. It is also vital to be aware that while DORA officially comes into force on the 17th January 2025, the regulation will start to apply from late 2024, which is less than 18 months from now.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,178
Expert opinions
44,235
Total members
412
New members (last 30 days)
212
New opinions (last 30 days)
28,725
Total comments

Trending

Boris Bialek

Boris Bialek Vice President and Field CTO, Industry Solutions at MongoDB

Enhancing Digital Banking Experiences with AI

Barley Laing

Barley Laing UK Managing Director at Melissa

Reducing the impact of AI-driven fraud in 2025

Now Hiring