DORA directive

The Digital Operational Resilience Act (DORA) aims to create a uniform framework for the management of information and communication technology (ICT) risks across the EU financial sector. It came into force on January 16, 2023 and will apply from January 17, 2025.

DORA is an EU directive that aims to strengthen digital operational resilience in the financial sector. It includes requirements in the areas of ICT risk management, ICT incident management, digital operational resilience testing, third-party risk management and cyber threat information sharing.

accompio supports you in the implementation of DORA and offers assistance for affected financial companies and service providers.

Successfully mastering the DORA directive for financial companies with IT service provider accompio

  • Directive to strengthen cyber resilience
  • Protection of the European financial sector
  • Implementation by January 2025
  • Operational stability in the event of a serious disruption such as a cyberattack
  • accompio as DORA IT service provider for the realization and implementation of necessary measures

Mastering the DORA directive together

Understand the basics: What is the DORA directive?

The Digital Operational Resilience Act (DORA) directive was introduced to strengthen digital resilience in the EU’s financial sector. It is intended to ensure that financial companies are able to cope with ICT-related disruptions.

The directive requires financial firms to implement robust ICT systems and controls to ensure that they are able to manage ICT-related disruptions and maintain their critical functions. They must also ensure that contracts with third-party providers of ICT services contain appropriate safeguards.

What are ICT incidents?

ICT-related incidents include any disruption or impairment of a company’s ICT systems, services or processes that could potentially have a significant impact on the continuity of financial services or the security of customer data.

Reporting procedure in accordance with DORA:

  1. Detection of the incident, including assessment of the severity and potential impact.
  2. Internal reporting to the responsible departments to initiate immediate measures.
  3. External reporting of relevant incidents to the responsible supervisory authority.

Putting DORA in the right context

The DORA directive complements existing regulatory frameworks such as the NIS-2 directive (network and information security). While DORA specifically targets financial institutions, the NIS-2 Directive covers a broader range of sectors and focuses on the general improvement of cybersecurity in critical infrastructures.

Both directives emphasize the importance of resilience to ICT-related threats and the need for a rapid and coordinated response to incidents. The harmonized implementation of these regulations helps to strengthen digital security and stability within the EU.

Which companies are affected by the DORA directive?

DORA is applicable to all financial companies regulated in the EU. These include banks, payment service providers, electronic money institutions, investment firms, providers of crypto services, central securities depositories, central counterparties, trading venues, trade repositories, insurance and reinsurance undertakings, insurance intermediaries and others.

The specific requirements vary depending on the business model, company size, risk profile and systemic importance of the respective companies.

DORA: What requirements and measures must be implemented by the financial companies concerned?

The implementation of DORA entails different requirements in terms of coordination, training and implementation for the companies concerned – depending on the current status of the systems. If new technical solutions are required, these should be classified as IT projects with a high level of complexity and criticality.

Our recommendation: Carry out a comprehensive gap analysis to check the requirements demanded by DORA within the company. Based on this, targeted projects can be planned and implemented.

Additional security checks can also be expected, for example by checking service providers and potentially also through technical analyses such as threat-oriented pentests.

Requirements for financial companies

  • Reporting ICT-related incidents
  • Testing the digital operational stability
  • Risk monitoring by third-party ICT providers

Measures for digital resilience

  • Specification of the management of digital risks (as a supplement to the previously applicable single “rulebook” of the European Banking Union)
  • Creation of a thorough audit of ICT systems
  • New powers for financial supervisory authorities to monitor risks associated with third-party ICT providers
  • Reporting procedure for ICT-related incidents

Specifications for messages

  • ICT-related incidents must be reported to the competent authority within 72 hours of their discovery so that information flows and action plans can be put in place.
  • Particularly critical incidents that have a significant impact on financial stability or data security must be reported immediately.
  • The DORA directive allows a subsequent submission if not all relevant information is available within the 72-hour period. However, the first report must contain the essential details.

Failure to comply with reporting obligations can lead to significant sanctions, including fines and regulatory action. It is therefore crucial that financial institutions have efficient processes in place to ensure compliance with DORA requirements.

How accompio can support you as an IT service provider in the implementation of DORA

With the DORA directive implementation date approaching, financial organizations are faced with the task of strengthening their digital resilience and implementing comprehensive security practices. accompio understands the complexity and urgency of this challenge and is positioning itself as your trusted partner to guide you through this process. Our goal is not only to help you meet the requirements of DORA, but also to build a more secure and resilient digital future for your organization.

The DORA directive requires financial institutions to conduct regular audits to ensure the resilience of their ICT systems. This includes specific requirements such as vulnerability scans and penetration tests. Vulnerability scans (red-teaming exercises) simulate targeted attacks on the systems in order to uncover weaknesses in the defense mechanisms and test the ability to respond. Penetration tests (pentests), on the other hand, aim to identify and eliminate security vulnerabilities through controlled attacks.

Our approach at accompio includes a range of tailored services specifically designed to facilitate and secure DORA compliance. We offer individual solutions that not only ensure compliance, but also strengthen confidence in your IT security. Let’s tackle this challenge together and create a solid foundation for your digital future.

The DORA directive for review

In Germany, the Federal Financial Supervisory Authority (BaFin) provides information on the implementation of DORA and offers assistance for affected companies.

The companies and authorities concerned have 24 months until January 17, 2025 to implement the 79-page DORA directive. At the same time, a related regulation amending the existing regulations regarding digital operational resilience in the financial sector was also published with similar implementation deadlines.
