11.04.2024

DORA Readiness Analysis

Financial service providers under pressure
New EU regulation: the Digital Operational Resilience Act must be implemented by January 2025

Strengthening digital resilience with our DORA Readiness Analysis

In January 2023 a significant milestone for security and resilience in the financial sector entered into force: the EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). Its requirements apply from 17 January 2025, by which date all financial entities within its scope must have implemented them. DORA establishes a single, industry-wide set of rules for cybersecurity, ICT risk and digital operational resilience, with the aim of strengthening and effectively protecting the European financial market against cyber risks and information and communication technology (ICT) disruptions.

The new regulation undoubtedly brings challenges for the financial services industry. Compared with existing German supervisory requirements such as VAIT and BAIT (BaFin's IT requirements for insurers and banks respectively), DORA goes further: it both expands existing requirements and defines new ones. Meeting it calls for a thorough analysis and adaptation of business practices. Financial services companies therefore face a conflict of objectives: they must reconcile the limited availability of existing resources with the expertise and analysis that compliance requires.

Specialized management consultancies such as Intero Consulting can offer valuable support in resolving this conflict of objectives. With many years of experience with regulatory provisions such as VAIT and with customized assessment tools, we can quickly and efficiently determine the current DORA compliance status. With an eye to the optimal use of resources, we identify gaps and define suitable measures to close them efficiently and ensure the financial services company's DORA compliance.

The four focus topics of the DORA regulation

DORA centres on the following four focus areas:

[Figure: the four supporting pillars of the EU DORA regulation]
  • ICT Risk Management

    DORA requires financial services organisations to establish an appropriate ICT risk management framework that includes the identification, assessment, monitoring, reporting and mitigation of ICT risks. The framework should be tailored to the nature, scale, complexity and risk profile of the business and should include a clear allocation of responsibilities, appropriate resource allocation, effective governance and monitoring, and regular review and updating.

    Financial services organisations must also take appropriate security measures to ensure the availability, integrity, confidentiality and authenticity of their ICT systems. This includes applying industry standards, conducting penetration tests and vulnerability assessments, implementing incident response plans and ensuring data recovery capabilities.

  • ICT-Related Incident Management, Classification and Reporting

    In the Incident Management section, DORA describes how financial services organisations should handle, classify and report ICT incidents. ICT incidents are events that lead or could lead to an impairment or interruption of ICT services, systems or networks or that jeopardise the confidentiality, integrity or availability of ICT assets.

Financial services organisations must establish an internal reporting chain for ICT incidents that includes appropriate escalation procedures, notification mechanisms and defined roles and responsibilities. They must also have a process for determining the severity of ICT incidents based on their impact on business continuity, customers, financial stability and reputation. Furthermore, major ICT-related incidents must be reported to the competent authority within the deadlines laid down in DORA and its technical standards. This is intended to enable the joint monitoring, assessment and analysis of ICT incidents at national and EU level and to promote cooperation between the various supervisory authorities.

  • Digital Operational Resilience Testing

    A central topic of the DORA is the testing of digital operational resilience. This involves regularly testing and reviewing the effectiveness of ICT security measures and procedures. To this end, internal or external tests must be carried out based on a series of scenarios that reflect the threats and vulnerabilities of ICT systems and networks. The tests are designed to assess the ability of financial services organisations to detect, prevent, mitigate and remediate ICT incidents and disruptions.

DORA places particular emphasis on TLPT, threat-led penetration testing, an advanced method of assessing the ICT security of financial services companies. A TLPT simulates realistic attack scenarios against live production systems, based on the actors, targets, tactics and techniques observed in current attacks. It is designed to identify weaknesses and gaps in defence mechanisms and to provide recommendations for improving digital operational resilience. Which financial entities must carry out a TLPT, and at what intervals (under DORA at least every three years, unless the competent authority decides otherwise), is determined by the competent authority, which also oversees the scope of the test.

  • Managing of ICT Third-Party Risk

DORA requires financial services organisations to monitor and manage their ICT risks, particularly those arising from reliance on third parties. Third-party ICT risks are risks arising from the use of, or reliance on, ICT services, systems or networks provided by external providers. A risk-based approach should be taken to identifying, assessing and mitigating them, taking into account the nature, scope and complexity of the business activity and the potential impact on financial stability. For example, appropriate due diligence must be carried out before a contract is concluded with an ICT third-party service provider, and the provider must be monitored regularly thereafter. Appropriate control and contingency mechanisms must also be in place to guarantee the continuity and quality of ICT services and to respond to any disruptions or failures.

A further key element of managing ICT third-party risk is the "Register of Information": an overarching inventory of all contractual arrangements with ICT third-party service providers, which must document, among other things, the associated value chains, in particular for services that support critical or important functions.

Regulatory expertise and industry knowledge are crucial in fulfilling the DORA requirements

To ensure that the DORA requirements are met, it is important to record the current status of implementation before defining measures. In addition to the assessment of internal experts, it is also helpful to make use of an objective assessment by a specialized management consultancy.

This objective assessment is based on a combination of regulatory expertise, industry-specific know-how in the financial services sector and a sound analysis of existing evidence such as guidelines, directives, documentation and expert interviews.

Intero Consulting has developed a five-phase plan for this, which is supplemented by audit communication training for internal managers and customized processes to guarantee clearly defined responsibilities and effective provision of information in the event of audits.

Intero Consulting's Five phases to compliance with DORA

Phase 1: Setup

In the first step, we define the responsibilities, establish the project organization and conduct a joint kick-off with all parties involved.

Phase 2: Self-assessment

Your internal experts use a clearly defined list of questions on the DORA requirements to assess the current status and identify initial discrepancies between actual and target. The results are documented in the assessment tool.

Phase 3: Interview

The Intero team validates the previously conducted self-assessment through intensive consultations and discussions with your internal experts. This not only helps us to promote understanding and awareness of the content and importance of the DORA requirements in your organization, but also to identify possible measures for improvement.

Phase 4: Result

The results of the assessment are finally summarized and presented. In addition, a mitigation plan is drawn up containing the necessary steps for implementation.

Phase 5: Implementation of the mitigation plan

The specialist departments implement the mitigation plan as part of a project. In this context, Intero Consulting offers conceptual support for dedicated mitigation measures.

How can Intero Consulting support you with DORA?

  • We support you in the preparation, introduction and implementation of the DORA requirements.
  • With our integrative consulting approach, we enable stakeholder-oriented programme/project management and provide support from goal setting and planning through to project implementation.
  • Taking into account individual, company-specific framework conditions, we strengthen your digital resilience with our DORA Readiness Analysis.

Your GRC experts

Jochen Friedrich

Partner

Michael Lohmann

Junior Manager

Philipp Fackler

Senior Consultant

Tobias Dusch

Senior Consultant

Further GRC impulses

08.11.2024

DORA and management of ICT third-party risks in the financial sector

11.04.2024

DORA Readiness Analysis

27.09.2023

VAIT-Readiness Assessment

25.01.2023

Governance, Risk & Compliance - Audit Management
