What is DORA?
DORA (Digital Operational Resilience Act) is the new EU regulation aimed at strengthening the financial sector’s resilience against digital risks and cyber threats. This regulation has been applied since January 16, 2023, and covers a range of financial actors, such as banks, insurance companies, and other financial service providers, together with providers of so-called critical information and communication technology services (ICT services). DORA is expected to be fully implemented by 2025.
DORA includes measures for crypto-asset markets, distributed database technology, and changes in financial service regulations. The focus is on managing ICT-related risks and enhancing operational resilience. Previous measures following the 2008 financial crisis strengthened financial resilience but ignored ICT risks. DORA aims to ensure a uniform framework for digital resilience, including testing ICT systems and increasing awareness among supervisory authorities.
Society as a whole will benefit from the increased confidence in the financial sector that DORA is likely to bring.
How can Lemontree help you with DORA?
Lemontree is a reliable partner offering comprehensive consulting expertise in a range of areas. We have solid regulatory competence and experienced business consultants, change leaders, test managers, and technical testing and quality assurance professionals with 20 years of experience. We have experience with similar regulatory rollouts such as GDPR and are happy to assist you in getting started with the implementation of DORA. The new regulation also sets out several requirements that apply to testers, among other roles. We meet these requirements and can ensure a successful implementation of DORA for you.
- Expertise: Lemontree has certified DORA experts who can help clients understand and implement the regulation.
- Comprehensive Solutions: Lemontree offers a full range of services, from risk assessments and gap analyses to implementation support, testing, and education.
- Tailored Solutions: Lemontree customizes its services according to each client’s specific needs and conditions.
- Experience: Lemontree has extensive experience with similar regulations (such as GDPR) and a deep understanding of the financial sector’s challenges.
The scope of DORA
DORA has a comprehensive scope and regulates various aspects of digital security and resilience. It regulates the following:
ICT Risk Management Capability
The regulation introduces stricter requirements regarding ICT risk management capability. However, exceptions exist where micro-enterprises or other financial entities, depending on their size and risk profile, can have a simplified ICT risk management framework.
Incident Reporting
To maintain full control over ICT risk, financial entities must not only have the overall capabilities needed for robust and effective ICT risk management, but also specific mechanisms and guidelines for handling all ICT-related incidents and for reporting major ICT-related incidents.
Testing
DORA includes provisions for conducting appropriate tests, such as vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where possible, scenario-based testing, compatibility testing, performance testing, end-to-end testing, and penetration testing.
Management of ICT Third-Party Risks
DORA applies to all critical third-party providers of ICT services, including cloud service providers offering ICT services to financial entities. Since third-party ICT service providers often deliver standardized services to various types of customers, such contractual arrangements may not always meet the individual or specific needs of financial sector entities.
Therefore, it is necessary to establish certain key principles to guide financial entities’ management of ICT third-party risks, which are especially important when financial entities use third-party ICT service providers to support critical or important functions. These principles should be accompanied by a set of fundamental contractual rights regarding several aspects of the performance and termination of contractual arrangements to provide certain minimum safeguards to enhance financial entities’ ability to effectively monitor all ICT risks arising at the third-party service provider level.
Collaboration and Information Sharing Among Actors
As ICT risks become increasingly complex and sophisticated, effective measures to detect and prevent ICT risk will largely depend on the regular exchange of threat and vulnerability intelligence between financial entities. Information sharing contributes to increased awareness of cyber threats.
Under certain circumstances, financial entities may exchange information and intelligence on cyber threats, including indicators of compromise, tactics, techniques and procedures, cybersecurity alerts, and configuration tools.
Frequently Asked Questions about DORA (Digital Operational Resilience Act)
Here you will find answers to the most common questions we receive from our customers. We have compiled information and solutions on various topics and issues that may arise. Whether it’s technical questions, product information, or general inquiries, we are here to assist you.
Contact us for consultation or questions regarding DORA
Do you have questions or need assistance with implementing the new financial regulations from the EU? Feel free to reach out to us. Fill out the form and we will get back to you shortly. We are here to help you take the next step in your digital development.