DIGITAL OPERATIONAL RESILIENCE ACT (DORA)
The Digital Operational Resilience Act (DORA) is designed to enhance operational resilience, reduce IT threats and boost the ability of financial companies in the EU to prevent and deal with ICT-related incidents. It comes into force on 17th January 2025, as part of the EU's efforts to regulate the digital sector.
DORA applies to all financial institutions in the EU, but its remit covers any UK financial firm that works with EU customers or does business with EU financial firms. For some companies, it will require additional IT security measures – even if they already adhere to frameworks including ISO 27001 or COBIT.
UNDERSTANDING DORA: WHAT UK BUSINESSES NEED TO KNOW
DORA applies to financial institutions including (but not limited to) credit and payment institutions, investment firms, insurance companies and intermediaries, pension funds and trading platforms.
The Regulation sets a regulatory framework on digital operational resilience, encompassing IT risk management, mandatory incident reporting, documentation of test plans, third-party risk management, plus training and governance. Compliance will ensure firms have the correct systems in place to withstand, respond to and recover from all types of ICT-related disruptions and threats, including through third parties.
Obligations for impacted companies can be roughly divided into five groups:
- (ICT) Risk management
- Digital operational resilience testing
- Managing security of IT service providers (ICT Third-party risk)
- (ICT) Incident management (classification and reporting)
- Information exchange (e.g. exchange of information on cyber threats)
THE IMPORTANCE OF DORA COMPLIANCE FOR UK ORGANISATIONS
Although DORA is an EU regulation, it impacts third-party ICT providers too. DORA only allows companies to enter into contracts with providers that meet the information security requirements set out in the framework. This includes UK-based providers of cloud services, network services, hardware services and ICT consulting, when supplying services to EU financial companies.
DORA is a complex regulation, which increases obligations for many organisations. A hasty or uninformed approach may not only leave your organisation vulnerable, but also put you at risk of legal and financial penalties.
Any breach of requirements could lead to a fine of up to 2% of total annual worldwide turnover, or up to 1% of the company's average daily turnover worldwide.
DORA COMPLIANCE SERVICES FROM BUREAU VERITAS
Our experts at Secura, a Bureau Veritas company, offer a range of services to support compliance with DORA, wherever you are on your cyber security journey.
DORA boardroom training
DORA requires directors to undergo training to demonstrate effective governance around cyber security issues. We have developed DORA boardroom training in collaboration with De Clercq Lawyers, providing insight into the risk management measures that organisations must take as a minimum based on DORA. This one-day course can be delivered at a location of your choice.
DORA gap assessment
Our specialist team can perform a DORA gap assessment, providing a detailed overview of your current security maturity level and the steps you need to take to become DORA compliant. This service is based on our proven Security Maturity Assessment.
DORA implementation services
We also offer a range of services to help implement DORA for your organisation. The specific scope of our solution will depend on the outcome of your DORA gap analysis, but may include our CyberCare security service, security management, awareness and behaviour support, incident response and vendor security services.
STEPS TO ACHIEVE DORA COMPLIANCE IN THE UK
If you already know your organisation is subject to DORA or has EU-based clients that will fall under the regulation, it is important to start preparing for compliance early. Speak to our cyber security experts to understand more about initial DORA assessment and planning, as well as how to implement the strategies and solutions you need to manage risk and achieve compliance.
WHAT ARE THE BENEFITS OF DORA COMPLIANCE?
Compliance is mandatory for some organisations, but compliance with DORA will also deliver other benefits, including:
- Improved cyber resilience and better planning for ICT threats
- Enhanced understanding of ICT risks across the organisation
- Greater control of ICT supply chains
- Enhanced incident reporting and information sharing
WHY CHOOSE BUREAU VERITAS FOR YOUR DORA COMPLIANCE NEEDS?
- Experienced team with decades of governance, risk and compliance experience
- A range of services specifically developed to meet your DORA needs and help you become DORA compliant
- Cybersecurity experts in the field of people, processes and technology
- A single point of contact and proven partnership approach
- A clear roadmap to become and stay DORA compliant
- Backed by the global expertise of Bureau Veritas, a world leader in testing, inspection and certification services
HOW DOES DORA RELATE TO EXISTING FRAMEWORKS SUCH AS ISO 27001?
Existing risk frameworks, such as NIST and ISO 27001, provide guidance on how to comply with various laws, through processes such as training staff, performing audits and tests, using incident management and supply chain risk management. These kinds of risk frameworks are a good addition to DORA, but complying with these standards does not mean that you automatically comply with DORA, which is a regulation in its own right.
HOW WILL DORA CHANGE INCIDENT RESPONSE REQUIREMENTS?
Incident management is a critical aspect of ensuring security and continuity of services.
Under DORA, companies must have plans in place to communicate with staff, external stakeholders, the media and clients, in the event of an incident, adhering to strict timelines. Internal escalation procedures must also be established.
In addition, major incidents must be reported to relevant senior management and “the management body”, with an explanation of the impact, response, and additional controls to be established as a result of the incident.
WHAT IS THE DORA TIMELINE?
The first batch of DORA policy products was published on 17th January 2024 and DORA applies from 17th January 2025. Additional Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) have been published (first batch, 17th January 2024) and are being published (second batch, 17 July 2024).