The Digital Operational Resilience Act (DORA) comes into force on 17 January 2025. Between now and the go-live date what are the key things you need to know?
How does it differ from other operational resilience rules?
The primary distinction lies in the focus on Information and Communication Technology (ICT) risk. DORA aims to enhance the resilience, reliability, and continuity of financial services across the EU.
What are the significant dates to be aware of?
DORA came into effect on January 16, 2023, after being published in the Official Journal of the European Union on December 27, 2022. There is a two-year implementation period until January 17, 2025, by which time organisations falling under its scope are expected to achieve compliance.
Who does it affect?
DORA applies to over 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. It is also noteworthy for the IT community, as it introduces direct supervision of a smaller number of ICT service providers to address systemic operational resilience in the financial sector. However, this aspect is not extensively covered in this document.
What are the obligations of firms?
To ensure that they are compliant a firm must:
-
- Establish an annual security testing program, which includes tests such as Network Security Test, Penetration Test, Web-App Test, Social engineering, conducted by certified and experienced internal or external testers.
-
- Conduct an Advanced Threat Led Penetration Test (TLPT) at least once every three years on critical infrastructure and services, performed by certified and experienced internal or external testers.
-
- Include ICT Third-party providers of critical services within the scope of TLPT.
-
- Ensure the remediation of all identified issues through re-testing or revalidation.
-
- Employ an external Threat Intelligence function.
-
- Issue attestation reports, summaries of findings, and remediation plans to competent authorities upon the completion of TLPT.
We’re here to help
Our team are helping numerous clients unpack and understand the DORA requirements, to support them in successful implementation. If you would like to discuss please contact Hugo Warner (Hwarner@novatusadvisory.com).