DORA Compliance

Achieve operational resilience with the industry best practices recommended under DORA.

Gain end-to-end compliance management support for implementing the guidelines that DORA recommends.

Understanding DORA 

The European Union passed the Digital Operational Resilience Act (DORA) on 27 December 2022 to strengthen the cyber resilience of financial entities in Europe. It covers the aspects of operational resilience that financial entities failed to address in the past and aims to ensure the security and reliability of their operations. The primary objective of DORA is to provide a detailed framework of hygiene measures for managing operational risks, including cyber threats and system failures. It is a one-of-a-kind framework in that it empowers financial-services supervisors to periodically conduct risk assessments of Critical ICT Third-Party Providers (CTPPs), such as Cloud Service Providers (CSPs). DORA requires all in-scope entities and CTPPs to implement, and demonstrate, information and network security capabilities across all their systems.

What does it cover? 

DORA specifies requirements under these main domains:

ICT risk management and governance
DORA specifies that the management body of every in-scope entity is accountable for ICT governance. It must define risk management strategies and long-term risk management frameworks that address the latest developments in the threat landscape. Entities are required to periodically assess their risk posture and conduct business impact analyses of cyber-attacks. Additionally, they must prepare long-term business continuity and recovery plans.
Incident Response and Reporting
Entities must establish a comprehensive system for monitoring, categorizing, recording, and reporting all ICT-related incidents. They must prepare a detailed report based on root cause analysis with all the necessary incident-specific evidence, document it thoroughly, and report it to the relevant parties. They must also adopt an efficient incident response management process.
Resilience Testing
All entities subject to DORA must periodically evaluate the defensive posture of their ICT systems, identifying and addressing all vulnerabilities. They must prepare a detailed report of the vulnerabilities identified, classified by severity. They are required to conduct scenario-based testing and threat-led penetration testing at least once a year.
Third-party risk management
Entities must manage the risks posed by all their third parties through contractual agreements and regular security posture assessments. They must identify all dependencies on third parties and take measures to avoid excessive reliance on a single provider. They must periodically review all third-party agreements and ensure they meet the latest DORA requirements.
Information Sharing
Under DORA, entities are required to share incident-specific information, including security vulnerabilities and the tactics, techniques, and procedures used by modern threat actors.

Consequences of DORA non-compliance 

Entities subject to DORA must demonstrate adherence to all its guidelines by January 2025, when they will be assessed by the “competent authorities” designated as regulators in each EU member state. These authorities have the power to issue remediation measures where needed and to penalize non-compliance found during assessment. Critical ICT providers are governed by Lead Overseers assigned by the European Commission, who can penalize non-compliance with fines of up to 1% of daily global turnover for every day, for up to 6 months, until the provider is found compliant.

To whom does it apply? 

DORA applies to Europe’s financial sector, including entities such as:

Banks
Credit Institutions
Non-traditional entities
Investment firms
Crypto asset service providers
Crowdfunding platforms
Entities excluded from financial regulations
Third-party service providers that supply financial firms with ICT systems and services, such as data centre and cloud services
Firms that provide critical third-party information services, such as credit rating services and data analytics providers

Do these challenges look familiar? 

Here are some of the business challenges of adhering to DORA compliance: 

Establishing a framework that caters to all the DORA requirements: The high complexity of DORA’s requirements makes it challenging to establish a framework that encompasses all the recommended measures, policies, and procedures.
Management of risks associated with ICT: Understanding and addressing ICT risks, and taking measures to treat them, requires a level of expertise that not all organizations have on board.
Incident response: DORA requires that measures be taken for incident response. For example, incidents must be reported to the relevant authorities, but organizations may fail to do so because of the strict guidelines governing such reporting.
Ensuring operational resilience: Under DORA, entities must build, assure, and review their operational integrity and reliability and take measures to secure themselves against modern threats, but they may not have a team for it.
Managing risks of third-party providers: Organizations may find it challenging to manage risks across all their Critical Third-Party Providers (CTPPs) on their own.

SharkStriker’s Approach 

SharkStriker understands that staying compliant today is highly challenging, especially in a constantly changing regulatory environment. That is why we offer compliance management services. SharkStriker follows this approach:

  • 01
    Risk Assessment
    We assess all risks across the IT infrastructure, identifying and categorizing the various risks in ICT systems using real-world techniques through a VAPT (vulnerability assessment and penetration test).
  • 02
    Gap assessment
    We identify and categorize compliance gaps and prepare a report detailing each gap identified.
  • 03
    Risk treatment plan
    We prepare a detailed plan comprising the policies, rules, processes, measures, procedures, and controls to be implemented to treat all the risks.
  • 04
    Implementation
    We look for gaps in implementation and address them as they are identified.
  • 05
    Post-implementation audit
    We conduct an assessment looking for gaps in implementation. Upon discovery, we address them with the right set of measures.
  • 06
    Training and awareness
    We bridge cybersecurity and compliance awareness gaps by developing a training program that addresses them across multiple levels of the organization.

Implement best practices for securing financial information with SharkStriker’s compliance management services for DORA.