What Are DORA's Five Pillars?
The European Commission proposed the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) in September 2020 to harmonise network and information system security across the EU financial sector. It sets out a single set of requirements for the digital operational resilience of financial entities, covering a wide range of them, such as credit institutions, insurance undertakings and credit rating agencies, and it brings critical ICT third-party service providers under a dedicated oversight framework. The Regulation entered into force on 16 January 2023 and applies in all member states from 17 January 2025.
DORA's requirements are grouped into five pillars, summarised below:
1 - ICT Risk Management:
This pillar requires financial entities to maintain a documented ICT risk management framework that identifies, assesses and mitigates ICT risks, with the management body holding ultimate responsibility for approving and overseeing it. In practice this means an up-to-date inventory of ICT assets and their dependencies, regular risk assessments, and controls covering protection, detection, response and recovery.
2 - ICT Incident Reporting:
Rapid and effective handling of ICT-related incidents underpins this pillar. Entities must operate a consistent process to detect, classify, log and manage incidents, and must report major ICT-related incidents to their competent authority through an initial notification followed by intermediate and final reports.
3 - ICT Third-Party Risk Management:
Third-party service providers play a critical role in today's interconnected financial ecosystem, so this pillar requires the risks arising from those relationships to be managed carefully. Entities must maintain a register of information on all contractual arrangements for ICT services, perform due diligence and concentration-risk assessments before contracting, and ensure that contracts contain the provisions DORA mandates, such as service-level descriptions, audit and access rights, and exit strategies.
4 - Information Sharing:
DORA encourages financial entities to exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, and alerts, within trusted communities and under arrangements that protect business confidentiality and personal data. Together with the other pillars, this gives organisations a consistent structure that aligns with existing standards and supports continuous improvement of their digital resilience.
5 - Digital Operational Resilience Testing:
Entities must run a testing programme, including vulnerability assessments, scenario-based tests and cyber exercises, to reveal weak points and feed them into remediation plans. Entities identified by their competent authority must additionally perform threat-led penetration testing (TLPT) at least every three years.
DORA applies from 17 January 2025. Before you start working towards compliance, it is essential to understand two things:
Compliance can only be achieved with a solid understanding of your current risks and a solid plan for responding to threats. An effective Cyber Security Incident Response Plan is vital to this step, and it should address the threats specific to your organisation. Identify and assess which assets matter most for operational continuity, and ensure that your Incident Response Plans are adapted to protect your business continuity.
Before you can achieve compliance, you need to fully understand DORA, its philosophy and its core objectives. A thorough understanding of the five pillars above is critical to this task, because they summarise what DORA sets out to achieve and the workflow it aims to create.
DORA is a significant development for the financial and IT sectors that requires organisations to increase their operational resilience in the digital space. As CFECERT, we offer more information on Certification and Training to organisations wishing to navigate DORA's complexities. You can reach us at info@cfecert.co.uk.