{"id":18242,"date":"2024-06-26T14:31:57","date_gmt":"2024-06-26T14:31:57","guid":{"rendered":"https:\/\/acora.s.nomatter.dev\/?post_type=resources&p=18242"},"modified":"2025-01-13T13:27:50","modified_gmt":"2025-01-13T13:27:50","slug":"be-dora-ready-dora-compliance-checklist","status":"publish","type":"resources","link":"https:\/\/acora.s.nomatter.dev\/nltest\/insights\/be-dora-ready-dora-compliance-checklist\/","title":{"rendered":"Be DORA Ready: DORA Compliance Checklist"},"content":{"rendered":"

<\/span>Be DORA Ready: DORA Compliance Checklist<\/b><\/span><\/h2>\r\n

The enforcement date for the Digital Operational Resilience Act (DORA) regulation is fast approaching – January 17, 2025.\u00a0<\/span><\/p>\r\n

Financial institutions across the European Union must be prepared for the upcoming changes, using tools like a DORA compliance checklist, as the act seeks to improve the digital resilience of financial entities against cyber threats.\u00a0<\/span><\/p>\r\n

Does the industry need this? Absolutely. According to the <\/span>IBM Cost of a Data Breach Report 2023<\/span><\/a>, financial institutions rank second in the global cyber attack damage statistics, with losses amounting to approximately $5.9 million per cyber attack in 2023. The average across all industries is $4.45 million. The report also shows that there were twice as many cyber attacks on financial institutions in 2023 compared to 2022.<\/span><\/p>\r\n

 <\/p>\r\n\r\n

\r\n
Read on to learn more<\/a><\/div>\r\n<\/div>\r\n\r\n

 <\/p>\r\n\r\n

Index<\/h3>\r\n\r\n\r\n\r\n
\r\n
    \r\n
  1. Introduction to DORA<\/a><\/strong><\/li>\r\n\r\n\r\n\r\n
  2. Integrating GDPR and NIS2 Requirements<\/a><\/strong><\/li>\r\n\r\n\r\n\r\n
  3. Compliance Timeline<\/a><\/strong><\/li>\r\n\r\n\r\n\r\n
  4. DORA Requirements<\/a><\/strong><\/li>\r\n\r\n\r\n\r\n
  5. Crisis Management: Ensuring Preparedness and Resilience<\/a><\/strong><\/li>\r\n\r\n\r\n\r\n
  6. Your DORA Requirements Checklist<\/a><\/strong><\/li>\r\n\r\n\r\n\r\n
  7. Consequences of Non-Compliance<\/a><\/strong><\/li>\r\n\r\n\r\n<\/ol>\r\n<\/div>\r\n
    \u00a0\r\n
    \"\"<\/figure>\r\n<\/div>\r\n

    <\/span>Introduction to DORA<\/span><\/h2>\r\n

    DORA is a regulatory framework established by the European Union (EU) to strengthen digital resilience in financial institutions. It aims at making these entities able to withstand, respond to, and recover from various IT-related disruptions and risks. It forms part of wider efforts to enhance cyber security, including <\/span>security testing<\/span><\/a> and sound operation within Europe’s finance sectors.<\/span><\/p>\r\n

    DORA should also deal with the increasing complexity and interdependence of digital systems underpinning financial services. <\/span>It helps ensure uniform standards among member states, guaranteeing high levels of protection and continuity of operations.\u00a0<\/span><\/p>\r\n

    The requirements are stringent. Financial institutions must re-engineer their internal processes and systems, creating a more resilient and secure environment. <\/span>Overall objectives include establishing a solid framework that reduces risk and enhances trust and stability within an evolving digital threat landscape.<\/span><\/p>\r\n

    DORA applies to most financial institutions, including <\/span>banks and credit unions<\/b>, <\/span>insurance providers<\/b>, <\/span>investment firms<\/b>, <\/span>fintech companies<\/b>, etc. If it’s a financial institution, chances are high that DORA applies to it. Third-party IT providers supporting these companies must also follow DORA compliance regulations. It’s the entire financial ecosystem.<\/span><\/p>\r\n

    DORA complements existing EU cybersecurity regulations, such as the GDPR and NIS2 Directive – both the GDPR and <\/span>NIS2 Directive<\/span><\/a> are legal measures that boost cybersecurity in the EU.<\/span><\/p>\r\n

    \u00a0\r\n
    \"\"<\/figure>\r\n<\/div>\r\n

    <\/span>Integrating GDPR and NIS2 requirements<\/b><\/span><\/h2>\r\n

    It complements DORA by providing broader cybersecurity and data protection guidelines applicable across the EU. The GDPR focuses on protecting personal data and privacy so financial institutions can engage in responsible, transparent information management. NIS2, however, emphasises the robustness of cyber security areas and incident reporting for essential entities.<\/span><\/p>\r\n

    To establish a cohesive, comprehensive cybersecurity approach, financial institutions must integrate their efforts to comply with DORA to ensure it aligns with GDPR and NIS2. It’ll ensure all aspects of data protection, cyber security, and operational resilience are covered, creating a holistic framework for digital threat management and regulatory compliance.<\/span><\/p>\r\n

    \u00a0\r\n
    \"\"<\/figure>\r\n<\/div>\r\n

    <\/span>Compliance Timeline<\/b><\/span><\/h2>\r\n

    On January 16, 2023, DORA officially became active. Organisations have two years to realign themselves with the new requirements, ensuring full DORA compliance by January 17, 2025. To this effect, European supervisory authorities have been developing regulatory technical standards (RTS), which provide comprehensive guidelines for compliance that our DORA checklist follows.<\/span><\/p>\r\n

    \u00a0\r\n
    \"\"<\/figure>\r\n<\/div>\r\n

    <\/span>DORA Requirements<\/b><\/span><\/h2>\r\n

    Within the regulatory technical standards are five essential pillars:<\/span><\/p>\r\n

    IT Risk Management<\/b><\/h3>\r\n

    Institutions must establish a comprehensive IT risk management framework\/s. These involve ongoing monitoring, identifying potential cyber threats, and deploying appropriate cyber security measures. Regular assessments and updates are essential for effective risk management purposes.<\/span><\/p>\r\n

    IT Incident Reporting<\/b><\/h3>\r\n

    Companies must promptly report any significant ICT-related incidents to their respective regulators. It aims to improve understanding of IT risks across the financial sector and promote a coordinated response mechanism for incidents.<\/span><\/p>\r\n

    Digital Operational Resilience Testing<\/b><\/h3>\r\n

    Entities must regularly test their digital operational resilience abilities against IT disruptions. That includes performing Threat-Led Penetration Testing (TLPT) that emulates cyberattacks and assesses how robustly the cyber security defences are designed.<\/span><\/p>\r\n

    IT Third-Party Risk Management<\/b><\/h3>\r\n

    Third-party IT service providers should be closely monitored with due diligence, following DORA regulations. To minimise the chances of their disruption and breaches, these providers should be subjected to proper risk management processes by finance firms.<\/span><\/p>\r\n

    Information and intelligence sharing<\/b><\/h3>\r\n

    Sharing information about cyber threats with different financial entities helps improve overall robustness within the industry. It’ll also assist in detecting threats more efficiently and addressing them more effectively. Cooperatively, this facilitates easy detection and protection against responding to or reacting to any attack.<\/span><\/p>\r\n

    \u00a0\r\n
    \"\"<\/figure>\r\n<\/div>\r\n

    <\/span>Crisis Management: Ensuring Preparedness and Resilience<\/b><\/span><\/h2>\r\n

    As the enforcement date for the Digital Operational Resilience Act (DORA) approaches, financial institutions must not only comply with regulatory requirements but also be prepared for potential crises that could disrupt their operations. Effective crisis management is a critical component of digital resilience, enabling organisations to respond to and recover from cyber attacks or other operational disruptions swiftly and efficiently.<\/span><\/p>\r\n

    A robust crisis management plan includes clear procedures for handling:<\/span><\/p>\r\n