Is Your Organization DORA-Ready?

Navigating compliance with the Digital Operational Resilience Act.

Digital Operational Resilience Act (DORA)

DORA is an EU regulation on the digital operational resilience of the financial sector. It applies to financial sector institutions, especially banks, payment institutions, insurance companies, reinsurance companies, and crypto-asset service providers.

The regulation came into force on January 16, 2023. To be DORA-compliant, an organization must increase its operational resilience: implement a solid governance framework, conduct thorough risk assessments, and ensure continuous monitoring of its ICT (Information and Communication Technology) systems. It is also crucial to develop incident management plans, establish comprehensive cybersecurity policies, and maintain resilient data infrastructures.

Compliance with DORA also requires regular testing of ICT systems so that vulnerabilities are detected before they can be exploited. Organizations must also establish protocols for reporting incidents, including serious ICT-related events, to the competent authorities. Furthermore, compliance involves third-party risk management: organizations must ensure that external service providers meet the same resilience standards.

Key regulations covered by DORA

Process identification - how to start?

The first step in preparing an organization for compliance with the DORA regulations is process identification:

Processes and resources should be classified in accordance with the regulatory requirements. In particular, it is necessary to identify the processes and resources that are critical or important. A critical or important function is one whose disruption could significantly impact the organization's financial performance or the security or continuity of the services it provides. Such a disruption may threaten the organization's ability to carry out its core business operations, lead to non-compliance with its license conditions, or prevent it from fulfilling its obligations under financial services regulations.

We assist financial entities in fulfilling their DORA obligations

As part of the services provided by the experienced experts at Finture, we support clients subject to the DORA regulations through the following compliance examination and reporting stages:

Business Impact Analysis (BIA) is the first step in preparing for DORA compliance. It identifies the critical and important resources and processes within the organization. During the analysis, we focus on identifying the processes and the tasks performed within them, as well as the IT and non-IT resources these processes and tasks rely on. We define the dependencies between processes and determine, for each, the RTO (Recovery Time Objective), i.e. the time within which the process must be restored after a failure, and the RPO (Recovery Point Objective), i.e. the acceptable amount of data loss expressed as a span of time.

We develop and tailor ICT risk management procedures to meet our clients' needs. The processes are built on best market practices and frameworks such as ISO 31000 and NIST SP 800-53. After developing the required procedures, we assist clients in conducting a risk analysis that considers all significant factors that might affect the estimated risk level.

We support clients in developing risk mitigation plans. In addition, we develop security procedures, including incident management procedures that comply with the legal requirements. As input, we use the process identification patterns and criticality factors we have developed, or we adapt the client's existing materials.

The analysis stages conclude with a summary meeting at which Finture experts present the results. Our work also produces a comprehensive collective report prepared in collaboration with the designated organizational units. The information it contains may serve as a basis for strategic corporate documents, including periodic reports or reports subject to further legal approval. The scope and level of detail of the summary report are always agreed upon with its end recipients. The report also includes recommendations for critical process areas, together with scenarios for periodic vulnerability assessments, an ongoing process that improves the organization's resilience and its response to emergency events.

Finture - DORA advisory competencies

We cooperate with many top providers of security solutions. This gives us in-depth knowledge of both widely used and emerging tools for automating and supporting security within organizations. We help select the solution that best fits the client's needs and support its implementation and maintenance. We also have expertise in implementing and maintaining tools for vulnerability management, email protection, endpoint and server security, and the automation of TLPT (threat-led penetration testing) processes.

Our team

Domain experts – the people who work daily in the processes we automate in IT projects – are an irreplaceable source of information about how a given business process actually operates, how it flows, and what is needed in their day-to-day work.
Our team consists of specialists with extensive experience in information security management, risk management, and business continuity management. All these efforts are supported by individuals familiar with the processes and specifics of the financial sector in Poland.

See more of our services

Custom software development

Our company fully understands that the individual needs of our clients require a personalized approach. Our team of technology and insurance industry professionals is ready to create software that perfectly suits the unique requirements and specifics of their business.

Our experience and attention to every detail are the keys to the success of the projects in which we participate.

Staff augmentation

Whether you need a single systems/business analyst, a developer, a tester, a DevOps engineer, or a complete team to carry out the assigned tasks, at Finture we are ready to help you select the right person or assemble a complete team according to your requirements.