The act
Juliette: "DORA is a law aimed at harmonising and unifying cybersecurity reporting. The main goal is for financial organisations to better manage their IT risks and therefore become more resilient to cyberthreats."
From 2024 onwards, it will be mandatory for financial organisations to report on critical ICT suppliers using the DORA format. The focus lies on ICT risks, ICT incidents, the regular testing of 'digital resilience', managing risks when outsourcing to critical third parties and sharing information regarding cyberthreats.
New compliance obligations
DORA draws on regulatory initiatives from several European regulators including the European Central Bank and combines them into a single rulebook. Most of DORA’s themes are already familiar to Dutch financial institutions. Think of themes such as ICT governance and ICT risk management. From now on, however, these themes can only be submitted using the DORA format. The DORA format is more elaborate than standard frameworks such as ISO27001. As a result, continuity of digital services and backups can be ensured even in the event of operational or technical disruptions, cyberattacks or possible disasters. To do so, financial organisations must adapt their processes where necessary for them to meet the DORA requirements. Organisations have until 17 January 2025 to comply with DORA.
“From 2025 onwards, it will be mandatory for financial organisations to report on all IT suppliers using the DORA format.”
- Juliette Juffermans, Business Analyst | ISPnext
DORA's impact
DORA’s main themes are listed below:
ICT risk management
Financial organisations need a programme that describes their risk assessment and continuity plan. In addition, they also need a plan that allows them to immediately respond to ICT-related incidents and describes how to act on them.
ICT incident management
ICT incidents are reported to a central regulator (in the Netherlands that is DNB). In this case, the customer must also be informed. Reporting and informing concerns any incident that impacts a financial organisation’s services.
Digital resilience testing
Financial organisations should establish test programmes that focus on hacker testing, (physical) security testing and vulnerability scanning. These test programmes should be reviewed periodically.
Third-party risk management
Risk management also covers the risks posed by third parties. If those third parties in turn rely on critical ICT suppliers, those suppliers must also be assessed. This means a financial organisation will need to map its entire supply chain.
Sharing of information
Financial organisations should share information on best practices and cyberthreats with other financial institutions.
Are you curious how we can help you comply with DORA? Get in touch via the button below.