Preparing for DORA

In a recent webinar, Matthijs Burlage, Solution Engineer at VI Company, gave an in-depth look at the Digital Operational Resilience Act (DORA) and its implications for financial institutions, covering the upcoming legislation and the steps needed to comply with it. Hester Rang, Procurement Manager Asset Management at MN, joined him as a guest expert and shared insights from her own DORA programme. Did you miss it? Read on for the highlights of the session. If you're interested in a gap analysis or need further assistance on how to deal with DORA, VI Company can help.


What is DORA?

DORA, the Digital Operational Resilience Act, is an EU regulation that aims to ensure that financial entities can withstand, respond to and recover from ICT disruptions and cyber-attacks. It is specific to the financial sector and applies from January 17, 2025. DORA sits alongside the NIS2 directive rather than on top of it: for financial entities in scope of DORA, DORA is the sector-specific act (lex specialis), and its risk-management and incident-reporting provisions apply in place of the corresponding NIS2 requirements. Complying with DORA therefore does not mean an organisation has separately met NIS2, and a NIS2 programme does not on its own satisfy DORA.


Key Provisions of DORA

  • ICT Risk Management Framework: Organizations must establish and maintain a comprehensive framework to identify, protect against, detect, respond to and recover from ICT risks, with the management body accountable for it. 

  • Incident Management and Reporting: A process for handling, classifying and reporting ICT-related incidents is mandatory; major incidents must be reported to the competent authority within the deadlines the act sets. 

  • Digital Operational Resilience Testing: Regular testing of ICT systems becomes mandatory, including threat-led penetration testing (TLPT) for the financial entities that their competent authority identifies for it. 

  • Third-Party Risk Management: Risks arising from ICT third-party service providers must be assessed and managed throughout the relationship, and a Register of Information on all contractual arrangements must be maintained. 

  • Contractual Arrangements: Contracts between financial entities and ICT third-party providers must contain the minimum terms the act prescribes, such as service levels, audit and access rights, incident assistance and exit strategies. 

  • Oversight Framework: ICT third-party providers designated as critical come under a Union-level oversight framework run by the European Supervisory Authorities, with rules for cooperation among the supervisory authorities involved.


Why DORA Matters

Financial institutions often overestimate their own resilience or that of their suppliers. DORA addresses this by setting clear, enforceable operational and cyber resilience requirements, so that institutions can demonstrate that their ICT infrastructure, and the third parties it depends on, can withstand and recover from disruption.


DORA Impact on Financial Institutions

DORA applies proportionately to the size and risk profile of each financial entity. The webinar used the EU enterprise-size thresholds to illustrate this: entities with more than 250 employees or over €50 million in turnover count as large and can expect closer, more proactive supervision, while smaller entities face lighter requirements. Every in-scope entity, regardless of size, must classify ICT-related incidents and report major ones to its competent authority after they occur. All entities (other than microenterprises) must test the ICT systems supporting their critical or important functions at least yearly; threat-led penetration testing (TLPT) at least every three years is required only of the entities that their competent authority identifies for it.

Practical Steps to Compliance

  • Mapping and Gap Analysis: Identify and classify your critical or important functions, the ICT assets and third-party services that support them, and their dependencies; then compare your current controls and contracts against DORA's requirements to find the gaps. 

  • Implement Solutions: Close the gaps with the necessary technical and procedural changes, including updated supplier contracts and a Register of Information. 

  • Testing: Develop a test plan that exercises incident classification and reporting as well as technical resilience, so that compliance is demonstrated on an ongoing basis rather than once.

At VI Company, we've taken steps to ensure our DORA compliance, performing thorough impact analyses and maintaining a detailed Register of Information. Our ISO 27001 certification provides a solid foundation to meet DORA’s requirements. 


Insights from the Field

Hester Rang, Procurement Manager Asset Management at MN: As a guest expert in the webinar, Hester Rang shared her extensive experience in categorizing suppliers and reviewing contractual arrangements to ensure compliance with DORA. This involves identifying which suppliers fall under critical categories and ensuring they meet the necessary standards. She emphasized the importance of implementing a detailed incident report system to keep management informed and guarantee timely reporting to regulators. 

During dry runs with regulators, Hester and her team gained additional insights into what is required for compliance. These sessions highlighted the need for detailed Registers of Information and consistent updates to operational and ICT processes. As MN experienced, a major challenge is defining which suppliers are critical and ensuring that contractual arrangements reflect DORA’s stringent requirements. 

Hester emphasized the importance of being proactive: "Financial institutions must start categorizing suppliers and updating contracts now, as the January 2025 deadline is fast approaching. It's essential to be prepared for any incidents from day one." 


Conclusion

DORA is essential for enhancing the resilience of financial institutions against cyber threats. Companies must take proactive steps to comply with its provisions, focusing on ICT risk management, incident response, and third-party risk management. 


Contact us for help on how to deal with DORA

If you're interested in a gap analysis or need further assistance on how to deal with DORA, please reach out. Stay resilient and ensure your ICT security is robust with DORA compliance.

Matthijs Burlage

Business Analyst

I am able to get to the core of the matter and provide new insights by listening and observing closely. As a Business Analyst, I pride myself on achieving a strong collaboration with our clients to develop a product that matches their wishes and internal processes.