If you're a financial institution you probably know about DORA, the Digital Operational Resilience Act, introduced
in September 2020 by the European Commission.


The Act came into force in 2023 and the first set of technical standards has now been published.

[Timeline figure: Proposal of DORA; Adoption Date; "We are here!"; Issuance of technical standards; 24 months after adoption.]

If you are in this sector and covered by this legislation, it's critical that you take steps to comply.

Here at SECFORCE, we have the capability to help you comply with all areas of the existing regulations.

Would you like to get a better idea of your DORA readiness?

DORA's five pillars and what they mean to you.


The regulation enforces a top-down approach, placing ICT risk responsibility with the management team and making them responsible for defining risk tolerance, business continuity, disaster recovery, budget allocation, understanding the impact of incidents, setting roles and responsibilities, etc.

The framework also enforces, at an operational level, a number of requirements to ensure effective risk management.


DORA requires not only agile and effective incident management, but also collaboration at EU level.
This section of the regulation focuses on three main areas:

Incident management process

A comprehensive process to ensure that the organisation has consistent monitoring and detection capabilities, handles incidents effectively, understands their root causes and contains them.

Standard classification of incidents

Classification criteria, applied to every financial entity, to rate incidents depending on the number of users/systems affected, duration, geographical spread, data losses, criticality of the systems affected, severity of the impact and economic losses.

Reporting

DORA defines the types and timescales of reporting to competent authorities, from the initial notification on the same day as detection through to the final report.


DORA requires organisations to have an effective, risk-centric and independent testing programme.
It defines two types of testing:

Standard Testing

This testing should be conducted on all critical ICT systems and applications at least once a year, and some organisations (such as central securities depositories and central counterparties) are required to perform penetration testing before any deployment or redeployment of services supporting critical functions. The testing programme should cover a full range of assessments, including but not limited to vulnerability scans, source code reviews, infrastructure and application penetration testing and physical security reviews.

Advanced Testing

Financial institutions should undergo threat-led penetration testing (e.g. TIBER-EU and CBEST) every three years. It should cover all the ICT processes, systems and technologies supporting the critical functions of the financial entity, but the scope will ultimately be validated by the competent authorities.


Interestingly, DORA also covers supply chain security and the impact it may have on organisations.
This area of the regulation covers three main ideas:

Third-party risk management

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework, creating a risk register with all their key suppliers, and performing an assessment of ICT risk concentration. Contractual agreements with suppliers should also be reviewed.

EU Collaboration

Each entity is required to report yearly on its third-party suppliers, stating the type of services they provide and any new arrangements. This will allow the central authorities to gain a holistic understanding of the remit of suppliers and their coverage at EU level.

Union oversight

Based on the annual reporting, critical ICT providers will be designated; these providers must collaborate with the relevant authorities and provide evidence of their security posture.


The final area of the regulation encourages the voluntary exchange of cyber threat information and intelligence amongst financial entities within trusted communities, including indicators of compromise and tactics, techniques and procedures.

In partnership with threat intelligence market leaders SecAlliance, we provide customised solutions to help you maximise this opportunity and benefit from the collective intelligence of the community.


Do you have any specific enquiries about one of the five DORA pillars?

3 simple steps for compliance

SECFORCE is a one-stop shop for DORA compliance.


Gap Analysis


Our Approach

SECFORCE has built an online tool to streamline information gathering, support and the evaluation of evidence.


  • A central repository of information and evidence, with clear guidance on the requirements of the law, to start a well-defined journey to compliance.
  • The ability to delegate tasks to other members of the organisation who are better placed for them. It also allows inter-organisational collaboration (with SECFORCE and your own colleagues) and provides an interface through which SECFORCE can guide you towards DORA compliance.
  • A way to assess not only the current status, but also the periodic progress of required changes. This significantly reduces the effort after the initial input, as DORA compliance is required every year.
  • For each identified gap, a way to assess the associated operational and cybersecurity risks, to prioritise them based on potential impact and relevance to DORA compliance, and to develop a mitigation plan with the required actions, timelines and resources.

Choose the plan that suits your organisation best:


Implementation Process


Our Approach

DORA Testing


Our Approach

Our DORA Testing Services:


Standard Testing

DORA's standard testing requires that all critical ICT systems and applications be tested at least once a year. The testing programme should cover a full range of assessments, including but not limited to:

  • Infrastructure and application penetration testing
  • Red Team - Threat-Led Penetration Testing (TLPT)
  • Purple Team Assessment
  • Vulnerability scans
  • Source code reviews
  • Physical security reviews

Advanced Testing

Financial entities identified as significant by the authorities should undergo threat-led penetration testing, similar to TIBER assessments, once every three years.

It should cover all the ICT processes, systems and technologies supporting the critical functions of the financial entity, but the scope will ultimately be validated by the competent authorities.

Let us better understand how we can help you meet DORA's requirements

Roadmap
