DORA - what is it and what to do?

What does DORA stand for?

The Digital Operational Resilience Act - DORA for short - is a draft regulation proposed by the EU Commission for the financial sector, which has since been under discussion in the European Parliament and the Council. At the time of writing, adoption was expected in 2021 and entry into force in 2022.

Which companies does DORA affect?

DORA is a regulation on the subject of "operational resilience of digital systems" and is aimed at all participants in the financial system, including banks, insurance companies and critical third-party providers of information and communication technology (ICT) services to financial companies (e.g. cloud service providers). Affected companies should already analyse their current situation in this regard in 2021 and plan the necessary measures in order to be prepared when the regulation comes into force. In doing so, proportionality (e.g. depending on the size and business profile of the company), cost and the regulatory requirements at national and European level that already exist (and have already been implemented in the company) must be taken into account.

What is DORA about?

Basically, the DORA regulation was proposed with the aim of harmonising the existing rules on the operational resilience of digital systems in the financial sector across the EU and improving the management of information and communication technology (ICT) risk throughout the EU financial sector. Financial companies have increasingly been targeted by cyber attacks that have caused serious financial and reputational damage to both customers and companies. DORA is intended to ensure that the operational resilience of digital systems in the financial sector is improved and that companies make sure their ICT can withstand serious operational disruptions and threats, so that undisturbed operation can be maintained.

Specific requirements of DORA for companies

The industry regards the impact of DORA on financial market infrastructure and market participants as fundamental. The requirements affect the roles and activities of the first and second lines of defence in the areas of risk management, information security, business continuity management and outsourcing management. Existing roles are being adapted, and new and additional activities are being added. Integration and cooperation, both in content and in organisation, within and between the subject areas mentioned is being promoted.

The focus is on fundamental topics such as governance, awareness, policies and framework conditions as well as, more specifically, on tasks such as controls, monitoring mechanisms, testing and exchange of information.

An unstructured implementation of DORA across all organisational units, processes and IT systems is not efficient and does not achieve the desired goal. Instead, a planned and focused, risk-based approach (derived from the VAIT approach) is recommended, in three steps:

  1. Analysis of the current situation with regard to the new, additional requirements
  2. Gap analysis: comparison of the target situation with the actual situation
  3. Implementation of an appropriate and economically justified recommendation for action

Interested in learning more about DORA?

Presentations and further information (in English) can be found on the ServiceNow home page.

Would you like help with the task of making your company DORA compliant?

Our colleagues will be happy to help you:

  • Guidance
  • Concept and recommended action
  • Support in implementing the recommended action

Please contact us!

Any more questions?