
DORA to support the financial sector

Juliette Juffermans, Business Analyst at ISPnext: "DORA (Digital Operational Resilience Act) was already implemented in 2023 but will now finally be launched. DORA applies to all organisations active in the financial sector as well as IT service providers that aid these institutions within the EU."


The act

Juliette: "DORA is a law aimed at harmonising and unifying cybersecurity reporting. The main goal is for financial organisations to better manage their IT risks and therefore become more resilient to cyberthreats."

From 2024 onwards, it will be mandatory for financial organisations to report on critical ICT suppliers using the DORA format. The focus lies on ICT risks, ICT incidents, the regular testing of 'digital resilience', managing risks when outsourcing to critical third parties and sharing information regarding cyberthreats.

New compliance obligations

DORA draws on regulatory initiatives from several European regulators, including the European Central Bank, and combines them into a single rulebook. Most of DORA's themes are already familiar to Dutch financial institutions, for example ICT governance and ICT risk management. From now on, however, these themes can only be submitted using the DORA format. The DORA format is more elaborate than standard frameworks such as ISO 27001. As a result, continuity of digital services and backups can be ensured even in the event of operational or technical disruptions, cyberattacks or possible disasters. To achieve this, financial organisations must adapt their processes where necessary to meet the DORA requirements. Organisations have until 17 January 2025 to comply with DORA.

“From 2025 onwards, it will be mandatory for financial organisations to report on all IT suppliers using the DORA format.”

Juliette Juffermans, Business Analyst | ISPnext

DORA's impact

DORA’s main themes are listed below:

  1. ICT risk management: Financial organisations need a programme that describes their risk assessment and continuity plan. They also need a plan that allows them to respond immediately to ICT-related incidents and describes how to act on them.
  2. ICT incident management: ICT incidents are reported to a central regulator (in the Netherlands, DNB). The customer must also be informed. Reporting and informing covers any incident that impacts a financial organisation's services.
  3. Digital resilience testing: Financial organisations should establish test programmes that focus on hacker testing, (physical) security testing and vulnerability scanning. These test programmes should be reviewed periodically.
  4. Third-party risk management: Risk management also covers the risks posed by third parties. If those third parties in turn rely on critical ICT suppliers, those suppliers should also be examined. This means a financial organisation will need to map its entire supply chain.
  5. Sharing of information: Financial organisations should share information on best practices and cyberthreats with other financial institutions.

Are you curious how we can help you comply with DORA? Get in touch via the button below.
