The Digital Operational Resilience Act (DORA), which took effect on January 16, 2023, is a crucial piece of legislation designed to bolster the digital resilience of the financial sector.
Corlytics, which offers a risk-based approach to regulatory compliance, recently offered a guide to DORA.
With a full enforcement date slated for January 17, 2025, DORA provides a 24-month preparation period. It broadly targets various financial services entities, including banks, pension funds, insurance companies, payment institutions, and investment firms. The Act also extends its reach to third-party ICT service providers, such as cloud services and data centres, ensuring that the financial ecosystem is fortified against digital disruptions and cybersecurity threats.
DORA Compliance Checklist
- Understanding and Awareness
Financial entities are urged to familiarize themselves with DORA’s text and stay abreast of updates from regulatory bodies, distributing pertinent information to stakeholders.
- Assessment and Gap Analysis
An in-depth review of existing digital resilience capabilities should be conducted alongside a gap analysis to pinpoint any shortfalls. It’s also vital to evaluate ICT-related risks, including those posed by third-party providers.
- ICT Risk Management Framework
Organizations should develop a detailed ICT risk management framework that encompasses risk identification, assessment, mitigation, and monitoring, with clearly defined roles and responsibilities.
- Incident Reporting Procedures
Procedures for identifying and reporting ICT-related incidents must be established, adhering to the specific timelines and requirements set by DORA, including a comprehensive system for incident documentation and management.
- Operational Resilience Testing
Regular testing schedules for vulnerability assessments, penetration testing, and continuity exercises should be implemented, ensuring all critical ICT systems are covered.
- Third-Party Risk Management
Reviewing and reinforcing agreements with third-party providers is essential to ensure compliance with DORA, coupled with a robust system for monitoring and assessing third-party risks.
- Information Sharing
Participation in industry information-sharing initiatives is encouraged, along with establishing internal processes for the dissemination of information regarding cyber threats.
- Policy and Procedure Development
Update existing or develop new policies to align with DORA’s requirements, ensuring comprehensive coverage of digital resilience aspects and widespread policy awareness among staff.
- DORA Training and Education
Training programs should be established to educate employees about DORA requirements, including regular updates and integrating DORA compliance into new employee onboarding.
- Governance and Oversight
A governance framework should be established to monitor DORA compliance, with clearly assigned responsibilities and accountability at all levels.
- Monitoring and Review
Regular audits of the digital operational resilience framework are crucial, with continuous improvement based on audit findings and evolving regulatory demands.
- Engagement with Regulators
Maintaining open communication with regulatory bodies and collaborating with industry peers is critical to gaining insights and staying compliant with DORA.
Read the full guide here.
Keep up with all the latest FinTech news here
Copyright © 2024 FinTech Global
Copyright © 2018 RegTech Analyst