EU Regulation DORA (Digital Operational Resilience Act)

DORA (Regulation (EU) 2022/2554) focuses on digital operational resilience: the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems that the financial entity uses and that support the continued provision of financial services and their quality, including throughout disruptions.

– The management body allocates an appropriate budget to meet digital operational resilience needs for all types of assets, approves and oversees the implementation of ICT business continuity policies and ICT response and recovery plans, and puts in place policies that maintain high standards of availability, authenticity, integrity and confidentiality of data.

– ICT risk management comprises a risk assessment process, made up of risk identification, risk analysis and risk evaluation, and a risk treatment process with four options: modify the risk (reduce it with controls), accept the risk, avoid the risk, or share the risk (for example through insurance or contractual transfer).

– Reporting major ICT-related incidents to the relevant competent authorities.

– Setting risk tolerance levels for ICT risk in line with the financial entity's risk appetite, and analysing the impact tolerance for ICT disruptions.

– Digital operational resilience testing.

– Threat-Led Penetration Testing (TLPT). TLPT, also known as red team testing, is a controlled, intelligence-led test of an entity's live production systems that mimics the tactics, techniques and procedures of real-life threat actors in order to verify its cyber resilience. Financial entities identified by the competent authorities must carry out TLPT at least every three years.

– Managing ICT third-party risk, including the contractual requirements imposed on ICT third-party service providers.


In the context of the DORA Regulation, RTS refers to the regulatory technical standards that supplement the regulation with detailed requirements; they are drafted by the European Supervisory Authorities and adopted by the European Commission. These standards play a key role in enhancing the digital operational resilience of the EU financial sector.

Key aspects addressed by the RTS under the DORA framework include:

Classification of major ICT-related incidents and significant cyber threats

Establishing a policy on the use of ICT services supporting critical or important functions

Logging, as part of the ICT risk management framework

The incident classification scheme presented below is an example of the topics addressed in the RTS.


Results covering both technical and process areas are presented in Red Into Green, which transfers vulnerability and non-compliance data automatically to Security Center Plus; this gives full coverage of the requirements and allows risk matrices to be presented for Business Continuity, Information Security, Data Protection and other areas.

DORA places great emphasis, among other things, on thorough internal regulatory checks and on proper verification of contracts with ICT third-party service providers to ensure compliance with the regulation. Appropriate legal support is also essential for analysing an organisation's key business processes and linking them to technical information. That is why we began working with DWF Poland, a law firm that provides support in these and many other matters.