
DORA COMPLIANCE: ENSURING CYBER RESILIENCE ACROSS THE UK AND IRELAND

The Digital Operational Resilience Act (DORA) is designed to enhance operational resilience, reduce IT threats and boost the ability of financial companies across the European Union to prevent and deal with ICT-related incidents. It comes into force on 17th January 2025, as part of the EU's efforts to regulate the digital sector.

Whilst the UK has left the EU, DORA still impacts UK-based financial firms and third-party ICT providers that serve EU customers or do business with EU financial companies, including those in Ireland. For some companies, it will require additional IT security measures – even if they already adhere to frameworks such as ISO 27001 or COBIT.

UNDERSTANDING DORA: WHAT BUSINESSES IN THE UK AND IRELAND NEED TO KNOW

DORA applies to financial institutions including (but not limited to) credit and payment institutions, investment firms, insurance companies and intermediaries, pension funds and trading platforms. This includes firms based in the UK and Ireland. DORA also applies to ICT companies providing services to financial institutions in scope of the regulation.

The Regulation sets a regulatory framework on digital operational resilience, encompassing:

  • IT risk management
  • Mandatory incident reporting
  • Documentation of test plans
  • Third-party risk management
  • Training and governance

Compliance will ensure firms have the correct systems in place to withstand, respond to and recover from all types of ICT-related disruptions and threats, including through third parties.

DORA COMPLIANCE SERVICES FROM BUREAU VERITAS

Our experts at Secura Bureau Veritas offer a range of services to support compliance with DORA, wherever you are on your cyber security journey - whether you are a financial institution or an ICT provider serving the UK and Irish markets.

This includes DORA boardroom training, DORA gap assessments, and a suite of DORA implementation services tailored to the specific needs of your organisation.

  • DORA boardroom training

    DORA requires directors to undergo training to demonstrate effective governance around cyber security issues. We have developed DORA boardroom training in collaboration with De Clercq Lawyers, providing insight into the risk management measures that organisations must take as a minimum based on DORA. This one-day course can be delivered at a location of your choice.

  • DORA gap assessment

    Our specialist team can perform a DORA gap assessment, providing a detailed overview of your current security maturity level and the steps you need to take to become DORA compliant. This service is based on our proven Security Maturity Assessment.

  • DORA implementation services

    We also offer a range of services to help implement DORA for your organisation. The specific scope of our solution will depend on the outcome of your DORA gap analysis, but may include our CyberCare security service, security management, awareness and behaviour support, incident response and vendor security services.

STEPS TO ACHIEVE DORA COMPLIANCE ACROSS THE UK AND IRELAND

If your organisation is subject to DORA, it is important to start preparing for compliance early. Speak to our cyber security experts to understand more about initial DORA assessment and planning, as well as how to implement the strategies and solutions you need to manage risk and achieve compliance.

WHAT ARE THE BENEFITS OF DORA COMPLIANCE?

Compliance is mandatory for some organisations, but compliance with DORA will also deliver other benefits, including: 

  • Improved cyber resilience and better planning for ICT threats
  • Enhanced understanding of ICT risks across the organisation
  • Greater control of ICT supply chains
  • Enhanced incident reporting and information sharing
     

WHY CHOOSE BUREAU VERITAS FOR YOUR DORA COMPLIANCE NEEDS? 

  • Experienced team with decades of governance, risk and compliance experience
  • A range of services specifically developed to meet your DORA needs and help you become DORA compliant
  • Cybersecurity experts in the field of people, processes and technology
  • A single point of contact and proven partnership approach
  • A clear roadmap to become and stay DORA compliant
  • Backed by the global expertise of Bureau Veritas, a world leader in testing, inspection and certification services

As an independent group of cybersecurity experts with decades of experience working with financial and ICT companies, we can provide advice and support that is free from technology or partner bias, helping you become and stay DORA compliant across the UK and Ireland.

  • HOW DOES DORA RELATE TO EXISTING FRAMEWORKS SUCH AS ISO 27001?

    Existing risk frameworks, such as NIST and ISO 27001, provide guidance on how to comply with various laws through processes such as training staff, performing audits and tests, and using incident management and supply chain risk management. These kinds of risk frameworks are a good complement to DORA, but complying with these standards does not mean that you automatically comply with DORA, which is a regulation in its own right.

  • HOW WILL DORA CHANGE INCIDENT RESPONSE REQUIREMENTS?

    Incident management is a critical aspect of ensuring security and continuity of services. 
    Under DORA, companies must have plans in place to communicate with staff, external stakeholders, the media and clients, in the event of an incident, adhering to strict timelines. Internal escalation procedures must also be established. 

    In addition, major incidents must be reported to relevant senior management and “the management body”, with an explanation of the impact, response, and additional controls to be established as a result of the incident. 
     

  • WHAT IS THE DORA TIMELINE?

    The first batch of DORA policy products was published on 17th January 2024 and DORA applies from 17th January 2025. Additional Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) have been published (first batch, 17th January 2024) and are being published (second batch, 17th July 2024).
