Is Your Organization DORA-Ready?
Navigating compliance with the Digital Operational Resilience Act.
Digital Operational Resilience Act (DORA)
DORA is an EU regulation on the digital operational resilience of the financial sector. It applies to financial sector institutions, in particular banks, payment institutions, insurance companies, reinsurance companies, and crypto-asset service providers.
The regulation came into effect on January 16, 2023. Entities subject to DORA have until January 17, 2025, to prepare for the new requirements.
To be DORA-ready, an organization must enhance its operational resilience by implementing robust governance frameworks, conducting thorough risk assessments, and ensuring continuous monitoring of ICT (information and communication technology) systems. It is crucial to develop incident management plans, establish comprehensive cybersecurity policies, and maintain resilient data infrastructure.
Compliance also requires organizations to conduct regular testing of ICT systems for vulnerabilities and
Key regulations covered by DORA
- ICT Risk Management – considering the principle of proportionality and the responsibilities of supervised entities
- Management of ICT service providers' risk
- Security documentation that should result from identified risks
- ICT Incident Management – harmonization and centralization of the management process for serious ICT incidents at both the national and EU level
- Verification of the security of systems, processes, and services
Process identification - how to start?
- Identifying processes
- Identifying IT resources (systems, technical infrastructure)
- Reviewing and cataloguing contracts with third parties responsible for ICT (Information and Communications Technology) infrastructure
We assist financial entities in fulfilling their DORA obligations
Business impact analysis (BIA) is the first step in preparing for DORA compliance. It helps identify critical and significant resources and processes within the organization. During the analysis, we focus on identifying processes and the tasks performed within them. Additionally, we identify the IT and non-IT resources used by these processes and tasks. We define the dependencies between processes and determine the RTO (Recovery Time Objective) and RPO (Recovery Point Objective), i.e., the time required to restore a process after a failure and the acceptable level of data loss expressed in time.
We develop and tailor ICT risk management procedures to meet our clients' needs. Processes are built on best market practices and frameworks such as ISO 31000 and NIST SP 800-53. After developing the required procedures, we assist clients in conducting a risk analysis that considers all significant factors that might affect the estimated risk level.
We support clients in developing risk mitigation plans. In addition, we develop security procedures, including incident management procedures in accordance with legal requirements. We use process identification patterns and criticality factors we have developed or adapt existing client materials as input.
The analysis stages conclude with a summarizing meeting at which Finture experts present the results. Our work also produces a comprehensive collective report prepared in collaboration with the designated organizational units. The information included may serve as a basis for strategic corporate documents, including periodic reports or reports subject to further legal approvals. The scope and level of detail of the summarizing report are always agreed upon with the end recipients. The report also includes recommendations for critical process areas, along with scenarios for periodic vulnerability assessments (a process for improving organizational resilience and the response to emergency events).
See more of our services
Custom software development
Our company fully understands that the individual needs of our clients require a personalized approach. Our team of technology and insurance industry professionals is ready to create software that perfectly suits the unique requirements and specifics of their business.
Our experience and attention to every detail are the keys to the success of the projects in which we participate.
Staff augmentation
Whether you need a single systems/business analyst, a developer, a tester, a DevOps engineer, or a complete team to carry out the assigned tasks, at Finture we are ready to help you select the right person or assemble a complete team according to your requirements.