The new European Regulation on Digital Operational Resilience ("DORA") aims to ensure financial institutions are:
- prepared for any incident whose duration or intensity is not entirely predictable
- trained in crisis management
- able to return to normal through various mechanisms.
DORA: the key facts for financial entities
Of course, DORA affects more than just financial entities themselves. Companies that DORA identifies as "ICT providers" to financial institutions will naturally also be affected: both indirectly (through the responsibilities placed on their clients, the institutions) and directly (through DORA's provisions aimed specifically at providers).
DORA: the key facts for ICT providers
Objectives

Impacts
On financial entities
- Monitoring third-party risk throughout the contractual relationship with an ICT service provider
- Mandatory contractual provisions for contracts involving critical or important functions
- Direct supervision of ICT third-party providers designated as "critical" by supervisory authorities
- Impact on the costs of outsourced IT services
On ICT service providers
- Strengthening of contractual obligations with mandatory provisions depending on whether the ICT service provider is involved in critical or important functions
- Direct supervision of third-party ICT service providers designated as "critical" by supervisory authorities
- Conclusion of contractual agreements only with ICT service providers that meet adequate information security standards
- Termination of contractual agreements triggered if the third-party ICT service provider is not compliant in its overall ICT risk management
How to prepare?
Adjustment of internal processes and implementation of the following actions:
For financial entities
- Defining a DORA Policy
- Monitoring the adoption of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) made available by the European Supervisory Authorities
- Adjusting or implementing new procedures for:
  - identifying important and/or critical ICT service providers
  - maintaining a register of providers and an incident register
  - ensuring a recovery plan and a continuity plan
  - conducting internal and external audits
  - defining penetration test scenarios
  - establishing reversibility and portability plans
- Selecting qualified auditors
- Reviewing contractual agreements
- Scheduling training at all levels
For ICT service providers
- Assisting clients in identifying important or critical functions
- Assessing security policy in relation to ICT threats and exposure to ICT risks
- Defining a DORA Policy
- Implementing backup and recovery policies and procedures to provide and maintain services at all times
- Participating in the penetration tests carried out by the financial entities
- Reviewing contractual arrangements for the use of ICT services with financial entities so as to meet the new requirements and standards defined by the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)