DORA COMPLIANCE: ENSURING CYBER RESILIENCE ACROSS THE UK AND IRELAND
The Digital Operational Resilience Act (DORA) is designed to enhance operational resilience, reduce IT threats and boost the ability of financial companies across the European Union to prevent and deal with ICT-related incidents. It comes into force on 17th January 2025, as part of the EU's efforts to regulate the digital sector.
Whilst the UK has left the EU, DORA still impacts UK-based financial firms and third-party ICT providers that serve EU customers or do business with EU financial companies, including those in Ireland. For some companies, it will require additional IT security measures – even if they already adhere to frameworks such as ISO 27001 or COBIT.
UNDERSTANDING DORA: WHAT BUSINESSES IN THE UK AND IRELAND NEED TO KNOW
DORA applies to financial institutions including (but not limited to) credit and payment institutions, investment firms, insurance companies and intermediaries, pension funds and trading platforms. This includes firms based in the UK and Ireland. DORA also applies to ICT companies providing services to financial institutions in scope of the regulation.
The Regulation sets a regulatory framework on digital operational resilience, encompassing:
- IT risk management
- Mandatory incident reporting
- Documentation of test plans
- Third-party risk management
- Training and governance
Compliance will ensure firms have the correct systems in place to withstand, respond to and recover from all types of ICT-related disruptions and threats, including through third parties.
DORA COMPLIANCE SERVICES FROM BUREAU VERITAS
Our experts at Secura Bureau Veritas offer a range of services to support compliance with DORA, wherever you are on your cyber security journey - whether you are a financial institution or an ICT provider serving the UK and Irish markets.
This includes DORA boardroom training, DORA gap assessments, and a suite of DORA implementation services tailored to the specific needs of your organisation.
-
DORA boardroom training
DORA requires directors to undergo training to demonstrate effective governance around cyber security issues. We have developed DORA boardroom training in collaboration with De Clercq Lawyers, providing insight into the risk management measures that organisations must take as a minimum based on DORA. This one day course can be delivered at a location of your choice.
-
DORA gap assessment
Our specialist team can perform a DORA gap assessment, providing a detailed overview of your current security maturity level and the steps you need to take to become DORA compliant. This service is based on our proven Security Maturity Assessment.
-
DORA implementation services
We also offer a range of services to help implement DORA for your organisation. The specific scope of our solution will depend on the outcome of your DORA gap analysis, but may include our CyberCare security service, security management, awareness and behaviour support, incident response and vendor security services.
STEPS TO ACHIEVE DORA COMPLIANCE ACROSS THE UK AND IRELAND
If your organisation is subject to DORA, it is important to start preparing for compliance early. Speak to our cyber security experts to understand more about initial DORA assessment and planning, as well as how to implement the strategies and solutions you need to manage risk and achieve compliance.
WHAT ARE THE BENEFITS OF DORA COMPLIANCE?
Compliance is mandatory for some organisations, but compliance with DORA will also deliver other benefits, including:
- Improved cyber resilience and better planning for ICT threats
- Enhanced understanding of ICT risks across the organisation
- Greater control of ICT supply chains
- Enhanced incident reporting and information sharing
WHY CHOOSE BUREAU VERITAS FOR YOUR DORA COMPLIANCE NEEDS?
- Experienced team with decades of governance risk and compliance experience
- A range of services specifically developed to meet your DORA needs and help you become DORA compliant
- Cybersecurity experts in the field of people, processes and technology
- A single point of contact and proven partnership approach
- A clear roadmap to become and stay DORA compliant
- Backed by the global expertise of Bureau Veritas, a world leader in testing, inspection and certification services
As an independent group of cybersecurity experts with decades of experience working with financial and ICT companies, we can provide advice and support that is free from technology or partner bias, helping you become and stay DORA compliant across the UK and Ireland.
-
HOW DOES DORA RELATE TO EXISTING FRAMEWORKS SUCH AS ISO 27001?
Existing risk frameworks, such as NIST and ISO 27001 provide guidance on how to comply with various laws, through processes such as training staff, performing audits and tests, using incident management and supply chain risk management. These kinds of risk frameworks are a good addition to the DORA, but complying with these standards does not mean that you automatically comply with DORA, which is a regulation in its own right.
-
HOW WILL DORA CHANGE INCIDENT RESPONSE REQUIREMENTS?
Incident management is a critical aspect of ensuring security and continuity of services.
Under DORA, companies must have plans in place to communicate with staff, external stakeholders, the media and clients, in the event of an incident, adhering to strict timelines. Internal escalation procedures must also be established.
In addition, major incidents must be reported to relevant senior management and “the management body”, with an explanation of the impact, response, and additional controls to be established as a result of the incident.
-
WHAT IS THE DORA TIMELINE?
The first batch of DORA policy products were published on 17th January 2024 and DORA applies from 17th January 2025. Additional Regulatory Standards (RTS) and Implementing Technical Standards (ITS) have (First batch January 17th 2024) and are (Second batch 17 July 2024) being published.