Against the background of increasing cyber threats, strict adherence to the relevant compliance regulations is becoming ever more important. Financial organisations are providers of critical infrastructure, so preventing IT outages and security incidents is particularly important for them in order to ensure business continuity. With the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), the EU has issued a set of rules intended to ensure digital operational stability and prevent systemic risks in the financial sector.
The new requirements harmonise and tighten the existing regulatory requirements for ICT risk management and reach deep into IT operations and the outsourcing of ICT services to third parties. At the same time, the documentation and reporting obligations increase, which means a considerable amount of additional work.
Which organisations are affected?
DORA applies to a large number of organisations in the financial sector. These include not only banks and insurance companies, which already know this type of regulation from the EBA and EIOPA guidelines on ICT security and outsourcing, but also trading venues, institutions for occupational retirement provision, crypto-asset service providers, insurance intermediaries and many other financial entities.
For ICT third-party providers, including cloud service providers, that serve the financial sector, the categorisation of the service is decisive. If the services provided are considered "critical" for financial entities, the DORA requirements also reach the ICT provider, which must then meet high security standards to safeguard the resilience of the financial market. In addition, ICT providers designated as critical by the European Supervisory Authorities fall directly within the DORA oversight framework.
Where should business leaders start?
To fulfil the requirements of DORA successfully, a proactive approach is crucial. Companies should promptly carry out a comprehensive analysis of their current state in order to identify and prioritise the necessary measures. Close collaboration between IT and the business units is essential. Implementing and operating the measures requires continuous monitoring and regular adjustment. Support from external experts can speed up the process and help ensure that all requirements are met on time.
Furthermore, it is important that companies not only fulfil the regulatory requirements but also establish a culture of cyber security throughout the entire organisation. Awareness-raising and training for managers, key roles and all other employees are therefore essential to strengthen digital resilience at every level.
DORA requires further development of the risk management system
The implementation of the Digital Operational Resilience Act (DORA), which applies from 17 January 2025, requires a comprehensive review and further development of various aspects of the risk management system. This includes in particular:
- Risk identification and assessment: extending the scope to ICT risks and vulnerabilities.
- Cybersecurity and technological resilience: strengthening cybersecurity measures to detect attacks and defend against digital threats such as malware and ransomware that encrypts sensitive data.
- Incident management and response: developing effective procedures for handling ICT-related incidents, including processes for identifying, classifying, reporting and responding to incidents so that the organisation can react quickly and in a targeted manner to acute threats. Major ICT-related incidents must be reported to the competent authority within the deadlines set by DORA.
- Third-party and supplier management: critically reviewing dependencies on third parties and suppliers, and ensuring through contractual arrangements that they fulfil the DORA requirements.
- Continuity planning and recovery: developing robust ICT business continuity and recovery plans, and testing them regularly, to maintain operations in the event of digital disruptions or outages.
- Monitoring and reporting: establishing effective continuous monitoring of digital activities and risks, and a corresponding reporting system.
- Communication and cooperation: establishing mechanisms for exchanging information on digital risks, threats and disruptions with other financial institutions, supervisory authorities and relevant stakeholders.
- Training and awareness-raising: raising employees' awareness of digital risks in order to promote responsible behaviour when handling digital systems and data.
Implement DORA with the help of PATECCO’s Risk-OptimAIzer
Risk management as such is nothing new, but the risk view must be extended to the corporate ecosystem. In other words, the risks that already exist, or that arise, for the company through the procurement of services from third parties must be taken into account. For this purpose, PATECCO has developed Risk-OptimAIzer, a tool to support the implementation of the DORA requirements. The tool performs the following functions:
- Systematic evaluation of external service providers
- Support of the risk process through generative AI
- Development and maintenance of suitable protective measures
PATECCO can help your company implement the DORA requirements by setting up a transparent IT risk management system. As a first step, we carry out a gap analysis comparing the current state of your risk management with the DORA requirements and, based on the results, prepare a customised implementation offer.
By using Risk-OptimAIzer, organisations can establish a structured approach to IT risk management that is aligned with DORA. The tool enables organisations to assess, monitor and mitigate risks effectively while ensuring compliance with the regulatory requirements and supporting continuous improvement of the risk management process.
The DORA Regulation is an important step towards strengthening digital resilience in the financial sector. Cybercrime remains a constantly growing threat regardless of DORA, which is why sustainable and cyclical cybersecurity planning is necessary. With an early and strategic approach, companies can strengthen their digital resilience and protect themselves effectively against cyberattacks. The implementation of DORA should therefore be seen not merely as an obligation but as an opportunity to sustainably strengthen security and resilience against digital risks.