The Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) presents a pivotal moment to assess and fortify your ICT risk management practices and to ensure that they firmly underpin your business, safeguarding it against disruptions and cyber threats.
Latest Insights
Joint-ESAs Public Event on DORA 2024 dry-run on collection of registers of information
The ESAs and the competent authorities are introducing this voluntary exercise.
DORA 2024 Dry run: Ad hoc data collection of registers of information
Final call for participating in the dry run exercise on the DORA Register Of Information.
To assist financial entities (FEs) in the preparation and submission of registers from January 2025, the ESAs, and Competent Authorities (CAs) will conduct a dry run exercise on a best-efforts basis during 2024.
An informative Joint-ESAs Public Event was held by the ESAs on 30 April 2024, at which the Joint-ESAs provided further clarification on the dry run for the collection of registers of information. DM also participated in that meeting and found the information shared very helpful.
Some highlights from the event:
- FEs are invited to reach out to the CAs and declare their interest by 31 May 2024
- The ESAs can also accept ‘late joiners’ later in the process, as long as the CA agrees and has been onboarded to the transmission channel
- All FEs are encouraged to continue preparing their RoI in accordance with the Final Report on draft ITS requirements and obtain all necessary data, where missing
- The ESAs will release the materials and tools for the exercise by 31 May through a dedicated dry run exercise webpage (EBA), which will also host the tools and FAQ
Visit the links below for more information.
Links
- Factsheet: ‘dry-run’ to prepare for DORA
- Presentation – workshop for industry on DORA 2024 dry run data collection
- ESA Industry workshop recording (video)
- Press release by ESA
Now is the Time to Act
DORA is a significant EU legislation that came into force on January 16, 2023 and will be applicable from January 17, 2025. It strengthens the digital operational resilience of the financial sector, ensuring robustness against cyber threats and disruptions.
DORA aims to standardise and enhance Information and Communication Technology (ICT) security and create a streamlined digital framework throughout the European Union. It will ensure that the European financial sector remains resilient even during severe operational disruptions.
DORA DEADLINE – 17 JANUARY 2025
Overcoming Challenges of DORA
DORA encompasses 5 core pillars, each addressing critical aspects within ICT and cybersecurity for financial entities:
ICT Risk Management
This pillar focuses on establishing robust processes to minimise the impact of ICT risks. Financial entities are required to provide proof of internal governance and control frameworks to effectively manage all ICT risks. DORA places significant emphasis on management responsibility for digital operational resilience and the need for a comprehensive ICT risk management framework.
Digital Operational Resilience Testing
Financial entities are required to conduct both basic and advanced resilience testing of their ICT framework on a regular basis, including involvement of internal audit. Testing ensures readiness to withstand disruptions and threats – contributing to overall operational resilience.
Information and Intelligence Sharing
Collaboration and exchange of information on cyber threats are essential. DORA provides a framework for effective information-sharing of cyber threats and intelligence amongst financial entities, outlining specific requirements for processes and systems to defend against them.
ICT-related Incident Reporting
DORA emphasises the importance of reporting and managing ICT-related incidents. Entities must report major incidents to competent authorities, enhancing transparency and response capabilities.
ICT Third Party Risk
DORA addresses risks associated with third-party service providers. Entities must monitor and manage third-party risks effectively, ensuring the security of outsourced services. This also includes review and potential renegotiation of contractual arrangements.
Compliance Obligations
Since its enactment on January 16, 2023, DORA has been a pivotal force in shaping the EU’s digital finance landscape. Beyond financial resilience, it scrutinises an entity’s ability to navigate and recover from ICT-related disruptions and risks. DORA introduces new compliance obligations across the entire EU financial sector, emphasising operational robustness and preparedness.
Download our “DORA – Practical Guidance” and “DORA Readiness Scan” today. Achieve full compliance before the deadline of January 17, 2025. Strengthen your operational resilience with DM’s expert support.
How DM Can Help You
At DM, our multi-disciplinary teams blend technology expertise, cybersecurity insights, regulatory compliance expertise, project management and ICT risk management. Our expertise will empower your organisation to enhance operational resilience and ensure DORA compliance. We tailor solutions to your organisation and use strategic roadmaps to guide you with actionable steps. Our results-driven approach ensures effective implementation.
Preparation
Understanding Obligations and Impact Assessment
- We define and validate the scope of DORA for your organisation, ensuring a clear understanding of its impact
- Our experts assist in comprehending new DORA requirements, guiding you through the regulatory landscape
- We identify areas of non-compliance, helping you to address gaps effectively
- We adapt governance and outsourcing strategies to align with DORA guidelines
- We ensure effective project management for all DORA-related initiatives
Implementation
Assisting With Implementation
- We ensure comprehensive adoption of a holistic approach that encompasses ICT risk strategy, management, and execution to meet DORA’s resilience objectives
- Our expertise fosters informed management on ICT risk, compliance, and assurance
- We streamline ICT asset identification and management through thorough assessments
- Our team assists in incident handling processes and reporting during security incidents
- We support the enhancement of digital operational resilience testing
- We deliver complete project management support
- We conduct independent reviews on DORA requirement embedding
Maintenance
Internal Audit Function, Assurance and Independent Reviews
- We conduct a thorough risk assessment, and consider organisational status and policies. We identify key focus areas related to operational resilience and cybersecurity
- We develop a long-term audit plan, including a draft plan for the first year. This plan outlines the scope, objectives and audit tasks
- We obtain approval from the managing board or supervisory board for the audit plan and associated budget
- After conducting audits, we report findings to the relevant stakeholders and engage in discussions to agree on corrective action
- We regularly evaluate the effectiveness of the audit plan and services provided. We collaborate with the managing/supervisory board to enhance resilience
- We design, improve and implement control frameworks that clearly demonstrate compliance with applicable requirements
Clients We Serve for DORA
As a trusted advisor, DM manages the implementation of the EU’s Digital Operational Resilience Act (DORA) within a diverse range of entities and groups, including AIFMs, UCITS, financial entities in a group structure, pension funds and centralised IT departments of financial entities. Our involvement with these companies includes:
- Conducting comprehensive reviews, thematic audits, gap analyses, ICT risk assessments and readiness quick scans for the European branches of a prominent global trust fund company headquartered in the USA. Our active involvement spans Ireland and Luxembourg, providing actionable insights to enhance the company’s overall performance, risk management and compliance.
- Managing the implementation of DORA (project management) within a group structure involving asset and fund management services across Europe, private wealth management and a pension fund. Our involvement includes performing ICT risk assessments, applying good practices, designing templates, and the development of Digital Operational Resilience strategies.
- We serve as hands-on sparring partners and project managers for DORA implementation in a European real estate investment and asset management company, as well as an asset, capital, and investment management firm. Our expertise ensures data security, privacy, compliance, and seamless operational integration.
Preparing for DORA
At DM, our commitment to clients goes beyond conventional solutions. We actively collaborate with organisations, preparing them for Digital Operational Resilience Act (DORA) implementation. Through these partnerships, we’ve gained valuable insights into the unique challenges faced by organisations striving to enhance their ICT risk management, conduct critical ICT systems testing, and fortify internal digital operational resilience while ensuring legal compliance.
Our Value Proposition: Assurance and Advisory
Assurance: we provide confidence through rigorous assessments and audits. Our approach ensures compliance and risk mitigation
Advisory: we design and implement sustainable solutions collaboratively. Our advisory and project management services guide you towards resilience and excellence
We understand that achieving and maintaining resilience is a continuous process. Let DM assist you to navigate the complexities of DORA.
Compliance Strategy, Consulting and Assurance
DM professionals have helped financial organisations formulate and execute effective strategies to achieve DORA compliance, including governance, assurance and risk management enhancements.
Risk Assessment (ICT)
DM professionals assist financial institutions in identifying, assessing, managing, and monitoring ICT risks, supporting the establishment of a robust and resilient risk management framework required by DORA.
Readiness (Quick Scan)
DM’s Quick Scan assists organisations in validating the scope of DORA and assessing its impact, understanding the new requirements, identifying areas of non-compliance, developing and documenting mitigation plans, and adapting governance and outsourcing strategies.
Implementation
DM assists organisations to implement DORA’s resilience objectives, increasing DORA awareness for management teams, streamlining ICT asset management, developing incident handling processes, and enhancing digital operational resilience testing programmes.
Review and Audit
Subject to the relevant governance, we execute internal audit functions taking proportionality into account. We operate on a three-year horizon, underpinned by a meticulously crafted annual audit plan – an approach that ensures the independence of our internal audit function and guarantees its smooth operation.
Information Security and Outsourcing Solutions
DM experts ensure that ICT systems and processes adhere to DORA standards, safeguarding digital operational resilience, mitigating risks and providing outsourcing solutions in line with DORA guidelines.
Related Publications
DORA Triggers Internal Audit
Sharing knowledge, updates and changes regarding the latest developments of DORA
DM Knowledge Outsourcing
Highlighting the most important elements to consider when assessing your organisation’s outsourcing setup
Contact us
Richard Frehé
Managing Director, Consulting
Martin Stravers
Managing Director, Assurance