DORA to support the financial sector
Juliette Juffermans, Business Analyst at ISPnext: "DORA (Digital Operational Resilience Act) was already implemented in 2023 but will now finally be launched. DORA applies to all organisations active in the financial sector as well as IT service providers that aid these institutions within the EU."
The act
Juliette: "DORA is a law aimed at harmonising and unifying cybersecurity reporting. The main goal is for financial organisations to better manage their IT risks and therefore become more resilient to cyberthreats."
From 2024 onwards, it will be mandatory for financial organisations to report on critical ICT suppliers using the DORA format. The focus lies on ICT risk management, ICT incident handling, regular testing of 'digital resilience', managing the risks of outsourcing to critical third parties, and sharing information on cyberthreats.
New compliance obligations
DORA draws on regulatory initiatives from several European regulators, including the European Central Bank, and combines them into a single rulebook. Most of DORA's themes are already familiar to Dutch financial institutions, such as ICT governance and ICT risk management. From now on, however, these themes can only be submitted using the DORA format, which is more elaborate than standard frameworks such as ISO 27001. The aim is that the continuity of digital services and backups can be ensured even in the event of operational or technical disruptions, cyberattacks or disasters. To achieve this, financial organisations must adapt their processes where necessary to meet the DORA requirements. Organisations have until 17 January 2025 to comply with DORA.
DORA's impact
DORA’s main themes are listed below:
- ICT risk management: Financial organisations need a programme that describes their risk assessment and continuity plan. In addition, they need a plan that enables them to respond immediately to ICT-related incidents and that describes how to act on them.
- ICT incident management: ICT incidents are reported to a central regulator (in the Netherlands, that is DNB). In such cases, the customer must also be informed. Reporting and informing applies to any incident that impacts a financial organisation's services.
- Digital resilience testing: Financial organisations should establish test programmes that cover penetration ('hacker') testing, (physical) security testing and vulnerability scanning. These test programmes should be reviewed periodically.
- Third-party risk management: Risk management also covers the risks posed by third parties. If those third parties in turn rely on critical ICT suppliers, those suppliers must be assessed as well. This means a financial organisation will need to map its entire supply chain.
- Sharing of information: Financial organisations should share information on best practices and cyberthreats with other financial institutions.