The Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European regulation that came into effect on January 16, 2023, and will be applicable from January 17, 2025. DORA aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, ensuring resilience in the European financial sector during severe operational disruptions.

Why is DORA necessary? 

The financial sector increasingly relies on technology and tech companies to deliver financial services, making financial entities vulnerable to cyberattacks or incidents. Poorly managed ICT risks can lead to disruptions in cross-border financial services, affecting other businesses, sectors, and even the broader economy. This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does DORA encompass? 

DORA introduces uniform and harmonized principles for managing cyber risks, streamlining reporting on cyber incidents, and placing third parties under supervision.

Checklist

Here’s a checklist for financial entities, including insurers and insurance intermediaries, to follow when implementing the Digital Operational Resilience Act (DORA):

  • Awareness and engagement:
    • Ensure that management and all relevant departments are aware of DORA and the importance of operational resilience.
  • Risk assessment:
    • Identify the key ICT risks your organization faces.
    • Assess the impact of these risks on business operations and customer service.
  • ICT risk management policies and procedures:
    • Establish documented guidelines and procedures for ICT risk management.
    • Define responsibilities and roles within the organization.
  • Management of third-party ICT risks:
    • Evaluate risks arising from the use of external ICT service providers.
    • Implement contractual arrangements to manage these risks.
  • Incident management related to ICT:
    • Develop a process for detecting, managing, and reporting ICT-related incidents.
    • Define early warning indicators.
  • Information exchange on cyber threats:
    • Collaborate with other financial institutions and relevant authorities to exchange information on cyber threats.
  • Testing and exercises:
    • Conduct regular tests and exercises to evaluate operational resilience.
    • Identify areas for improvement and adjust policies and procedures accordingly.
  • Staff involvement:
    • Train employees on ICT risks and how to respond to incidents.
    • Create awareness within the organization.
  • Monitoring and reporting:
    • Implement monitoring tools to detect ICT incidents.
    • Report incidents to relevant authorities as required.
  • Specific considerations for micro-enterprises:
    • Micro-enterprises may have limited resources but must still comply with DORA.
    • Simplify procedures where possible, ensuring essential measures are taken.
