Get in touch
Published on 18.01.2023

THE BACKGROUND TO DORA

Operational Resilience

The Digital Operational Resilience Act (DORA) comes into force on 17 January 2025. Between now and the go-live date what are the key things you need to know?

 

How does it differ from other operational resilience rules?

The primary distinction lies in the focus on Information and Communication Technology (ICT) risk. DORA aims to enhance the resilience, reliability, and continuity of financial services across the EU.

 

What are the significant dates to be aware of?

DORA came into effect on January 16, 2023, after being published in the Official Journal of the European Union on December 27, 2022. There is a two-year implementation period until January 17, 2025, by which time organisations falling under its scope are expected to achieve compliance.

 

Who does it affect?

DORA applies to over 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. It is also noteworthy for the IT community, as it introduces direct supervision of a smaller number of ICT service providers to address systemic operational resilience in the financial sector. However, this aspect is not extensively covered in this document.

 

What are the obligations of firms?

To ensure that they are compliant a firm must:

    • Establish an annual security testing program, which includes tests such as Network Security Test, Penetration Test, Web-App Test, Social engineering, conducted by certified and experienced internal or external testers.

    • Conduct an Advanced Threat Led Penetration Test (TLPT) at least once every three years on critical infrastructure and services, performed by certified and experienced internal or external testers.

    • Include ICT Third-party providers of critical services within the scope of TLPT.

    • Ensure the remediation of all identified issues through re-testing or revalidation.

    • Employ an external Threat Intelligence function.

    • Issue attestation reports, summaries of findings, and remediation plans to competent authorities upon the completion of TLPT.

 

We’re here to help

Our team are helping numerous clients unpack and understand the DORA requirements, to support them in successful implementation. If you would like to discuss please contact Hugo Warner (Hwarner@novatusadvisory.com).

More for you:

InsightsOperational Resilience
29 Sep 2023
DORA: A compliance guide for the financial sector
10:00 min read
read post
InsightsOperational Resilience
03 Apr 2023
DORA: Implementing Challenges for Financial Services Firms
2:00 min read
read post
InsightsOperational Resilience
23 Feb 2023
OPERATIONAL RESILIENCE: A CONTINUED EMPHASIS
2:00 min read
read post
InsightsOperational Resilience
31 Jan 2023
OPERATIONAL RESILIENCE IN THE EYES OF THE REGULATORS
2:00 min read
read post
InsightsOperational Resilience
26 Jan 2023
A Guide to Operational Resilience – Download Now
1:00 min read
read post
InsightsOperational Resilience
13 Jan 2023
Operational Resilience: Critical Third Parties – a further dimension
3:00 min read
read post
Explore all
Insights:

Discover the latest insights, stories, 

& essential resources at your fingertips.

InsightsFinancial Crime
11 Jul 2024
Dear CEO Letter – Required Actions in Response to Common Financial Crime Control Failings
5:00 min read
read post
InsightsEMIR Refit
03 May 2024
EMIR REFIT: Navigating Regulatory Changes
3:00 min read
read post
ASIC Rewrite 2024 New Reporting Rules Are You Ready
InsightsASIC Rewrite
30 Jan 2024
ASIC Rewrite 2024: New Reporting Rules Are You Ready?
2:00 min read
read post
EMIR Refit UAT Environment Open For Testing
InsightsEMIR Refit
30 Jan 2024
EMIR Refit – UAT Environment Open For Testing
1:00 min read
read post
InsightsASIC Rewrite
30 Jan 2024
ASIC Rewrite 2024
5:00 min read
read post
InsightsESG
31 Oct 2023
Decoding the new global baseline of ESG Acronyms: the ISSB Standards
4:00 min read
read post
Explore all insights