URM, a prominent consultancy in information security and data protection, is raising awareness about the European Union’s Digital Operational Resilience Act (DORA), which comes into effect on 17 January 2025. The regulation requires financial entities within the EU to enhance their digital operational resilience, ensuring they can withstand, respond to, and recover from ICT-related disruptions and cyber threats effectively.
DORA introduces a unified regulatory framework designed to strengthen the ICT security of financial entities, such as banks, insurance companies, investment firms, and their critical ICT service providers. The Act is structured around five core pillars, addressing various aspects of ICT and cybersecurity. Together, these pillars create a comprehensive framework for improving the digital resilience of in-scope entities.
- ICT Risk Management and Governance: Comprehensive risk management frameworks that address ICT-related risks must be developed, with robust governance and control mechanisms in place.
- ICT-Related Incident Reporting: Processes need to be implemented to monitor, document and classify ICT-related incidents, and for the reporting of such incidents to the appropriate authorities, as well as to the organisation’s clients and users.
- Digital Operational Resilience Testing: ICT resilience must be periodically tested, and the extent of this testing needs to be commensurate with the entity’s size, business and risk profile. Any issues identified during the testing must be resolved.
- ICT Third-Party Risk: Any ICT services delivered by third parties must be consistently managed and monitored, governed by contractual documentation that contains an appropriate level of detail, and assessed for risk, with any risks identified effectively managed.
- Information Sharing: Finally, in-scope entities are encouraged to exchange cyber threat information and intelligence, raising awareness of ICT risks and threats across the finance industry and supporting the enhancement of organisations’ cybersecurity measures.
URM emphasises the importance of full compliance with DORA. Financial entities and their key ICT suppliers should assess their current ICT risk management practices, identify any gaps, and implement necessary measures to meet the Act’s requirements. Non-compliance could result in significant penalties and increased vulnerability to cyber threats.
“We believe this regulation represents a crucial step in securing Europe’s financial infrastructure against growing cyber threats.” – Lisa Dargan, Director at URM.