DORA, the Digital Operational Resilience Act (not to be confused with the cartoon), applies as of January 17, 2025. If you work in the financial sector, the DORA regulation is certainly not news by now. But if you are still working on your compliance, let us help you determine what needs to be done.
As a cybersecurity expert based in Europe, Pointsharp is already working with several organizations on their DORA compliance journey and is also prepared to help you.
To get everyone on the same page, let us do a quick walkthrough of the directive in a few points.
DORA aims to raise the level of risk management and cybersecurity in every financial sector organization. It affects over 20,000 EU organizations in banking, insurance, credit, and similar fields.
There is a heavy emphasis on ICT risk management (internet and communications technology), especially third-party risk management. This means you must manage your processes and all third-party solutions within IT, telecommunication, and security.
The directive has five central areas: ICT risk management, reporting of ICT-related incidents, third-party ICT risk management, continuous testing of cybersecurity, and information sharing.
The directive shares many similarities with NIS2, such as risk management, better general cybersecurity, and incident reporting. And yes, like GDPR and NIS2, there are fines for non-compliance involved.
Of course, this regulation's main goal and benefit is better overall cybersecurity, which will, in turn, lead to fewer incidents and security breaches.
Fewer incidents will, in turn, put your entire organization in a better light. You will be perceived as a secure and trustworthy player in the financial industry.
If your organization is in the financial sector, then most likely, yes. You surely already know this, as DORA has been on the table for a few years now. The complete list can be found in the directive's official journal under article 2.
For third parties, the short answer is that if you are classified as an ICT organization and have customers in the financial sector, you are also affected and are supposed to be DORA compliant. If you are not compliant, you might lose business in that sector.
Like GDPR, DORA does not have an official certification but rather a self-certification form. Follow the regulations' guidelines, report any incidents, and ensure that your third-party providers are aligned. Failure to do so can result in fines if your organization is audited or an incident report shows that it does not follow the regulation.
This is why it is crucial to work with trusted third-party providers who understand this regulation as well as you do.
However, if you are ISO27001 certified or follow those guidelines, you are generally well prepared but may have to adjust to specific demands within the DORA directive.
At the same time, if your organization is also affected by the upcoming NIS2 directive, having done all the work for DORA compliance will make it much easier to comply with that regulation.
At Pointsharp, we work with several financial industry organizations to help them meet compliance demands. We have a long history of providing solutions to high-security environments and adhering to complex regulations, such as the DORA directive.
We know there are many details on the journey to DORA compliance, but you can follow four overarching steps.
Conduct a risk assessment to identify your organization’s most critical assets, systems, and data that require your attention and protection. Also, identify which of these rely on third-party solutions.
Develop policies and procedures that align with the DORA directive requirements and industry best practices.
Research your third-party providers and their position on DORA compliance. If some solutions need to be replaced, choose compliant alternatives that are quick to deploy and flexible enough to fit into your existing infrastructure.
Train employees and raise awareness of the importance of security and DORA compliance. Conduct ongoing assessments of your infrastructure to always keep everything in top shape.
If you need help navigating the DORA regulation or solving specific needs to become compliant, you are very welcome to contact us, and we will help you on your journey. Naturally, we can also help you with other regulatory compliance, like NIS2, or your specific needs for increased cybersecurity in a user-friendly way.
