What is worth knowing about DORA?

DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU legal act that strengthens cybersecurity requirements for the financial sector, including fintechs and the ICT service providers that serve financial entities operating within the EU.

The main objective of the new regulations is to bolster the resilience of these entities against threats related to operational disruptions (such as IT system failures or human errors) and cyberattacks.

Digital operational resilience, as defined by DORA, is the ability of a financial institution to maintain the continuity and quality of the services it delivers on ICT systems, both within the organization and in collaboration with external organizations.

Financial entities must be prepared for potential crises and disruptions that could negatively impact their IT infrastructure and, consequently, the services they provide.

DORA establishes new frameworks for ICT operational capabilities, cybersecurity, effective risk management, and the management of external service providers, aiming to ensure the stability and security of the EU financial sector.

This regulation also introduces an EU-level oversight framework for ICT third-party service providers that are designated as critical for the financial sector.

Financial institutions must comply with these requirements by January 17, 2025, meaning they need to start implementing new standards immediately.

DORA applies to a broad range of entities in the financial sector, including traditional financial institutions, fintech companies, and the ICT service providers that serve them. The new regulations will affect more than 22,000 financial institutions across the EU.

A complete list of entities subject to DORA regulations includes:

  • banks and other credit institutions;
  • payment institutions;
  • service providers offering account information services;
  • electronic money institutions;
  • investment firms (brokerage houses and banks conducting brokerage activities);
  • crypto-asset service providers;
  • central securities depositories;
  • central counterparties (CCPs);
  • trading venues (regulated markets, MTFs, OTFs);
  • trade repositories;
  • alternative investment fund managers;
  • fund management companies;
  • data reporting service providers;
  • insurance and reinsurance companies;
  • insurance intermediaries, reinsurance intermediaries, and providers of ancillary insurance services;
  • institutions for occupational retirement provision (IORPs);
  • credit rating agencies;
  • critical benchmark administrators;
  • crowdfunding service providers;
  • securitization repositories;
  • ICT third-party service providers.

DORA focuses on five key areas:

1. Management of ICT risk within financial institutions.

DORA requires financial institutions to implement comprehensive and well-defined frameworks for managing ICT-related risk. These frameworks must include the policies, strategies, and mechanisms needed to adequately protect the ICT environment. Institutions are obliged to identify, classify, and document their ICT-supported business functions and the information and ICT assets that support them.

DORA also mandates the development and adjustment of elements such as threat detection systems, data security policies, ICT continuity plans, backup creation procedures, and communication plans for cybersecurity incidents. Organizations are also required to conduct mandatory training for employees.

2. ICT incident management.

DORA standardizes the principles for managing ICT incidents, including their classification and impact assessment based on established criteria. These regulations impose an obligation to report significant incidents to the relevant supervisory authorities.

3. Testing digital operational resilience.

The regulation requires at least annual testing of the ICT systems and applications that support critical or important functions. The testing programme should combine a range of methods, such as vulnerability assessments and scans, open-source analyses, network security assessments, penetration tests, and scenario-based tests. Financial entities identified by their supervisor must additionally carry out threat-led penetration testing (TLPT) at least every three years.

4. Managing risks from external ICT service providers.

DORA establishes rules for working with external ICT service providers. Institutions must assess their providers before contracting, keep a register of information on all contractual arrangements for ICT services, prepare an exit plan, and define a transition strategy. They must also identify which ICT third-party providers support critical or important functions, since those contracts carry additional requirements.

5. Arrangements for information sharing.

DORA provides for arrangements under which financial institutions may exchange cyber threat information and intelligence among themselves. This covers not only indicators of compromise but also tactics, techniques, and procedures, cybersecurity alerts, and configuration tools. Participation in such arrangements is voluntary, but entities must notify their competent authority when they join or leave one.

How to comply with DORA requirements?

[Infographic: the five DORA areas, numbered after the regulation's chapters (II ICT risk management; III ICT-related incident management; IV digital operational resilience testing; V managing of ICT third-party risk; VI information-sharing arrangements), mapped against the DORIAN software and the SourceMation additional expert services described below.]

Digital Operational Resilience Investigation and Analysis (DORIAN) – our offer

DORIAN (Digital Operational Resilience Investigation and Analysis) is a modern software solution developed in response to the DORA regulation, designed to assist financial institutions in protecting against digital threats.

The system helps organizations meet regulatory requirements, minimize operational risk, and enhance resilience to ICT incidents through thorough analysis and effective risk management.

DORIAN automatically collects event data, identifies operational risks, and sends notifications together with recommendations for corrective actions.

The solution features a customizable user interface that provides quick and comprehensive access to key information related to risk assessment.

DORIAN, together with additional expert services, addresses all five areas of the DORA regulation.

Import of Events and Objects

Importing events from various sources into a common data model makes them easier to analyze. The import can be fed by the tools recommended for DORIAN as well as by other tools the user prefers. The process includes preparing data from source systems such as ERP, CMDB, CRM, and others.

Risk event catalog management

Managing a catalog of identified risk events and associated objects, including IT systems and applications. The application’s features allow the categorization of events and adjustment of assessments based on automated rules. The system tracks the lifecycle of events, along with changes in their status within the workflow system.

Determining operational risk levels

DORIAN automatically determines the level of operational risk based on user-defined business rules. The open method of rule implementation allows for flexible risk assessment, enabling users to customize rules according to their needs and organizational requirements.

Risk impact assessment

The system automatically assesses the impact of a risk on other objects, enabling analysis of how risk propagates across the graph of interconnected objects. DORIAN performs the impact assessment using configurable evaluation rules, so the impact of a risk can be determined precisely at each point in the network.
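The two features described above (rule-based risk levels and impact propagation over the object graph) are easier to see in a small worked example. The following is an added illustration written for this page, not DORIAN's own code: the inventory, the sample events, the scoring rule, the attenuation factor, and the level thresholds are all constructed assumptions.

```python
"""Added example: rule-based operational-risk scoring with impact
propagation over a dependency graph. Illustration written for this page,
not DORIAN's implementation; inventory, events, rules and thresholds are
constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                 # "system", "application" or "business_function"
    critical: bool = False    # supports a critical or important function
    depends_on: list = field(default_factory=list)


# Constructed sample inventory (what a CMDB import might yield).
# Edges point from a dependent object to the object it depends on.
INVENTORY = {
    "db-core": Node("db-core", "system", critical=True),
    "app-payments": Node("app-payments", "application", critical=True,
                         depends_on=["db-core"]),
    "app-reporting": Node("app-reporting", "application",
                          depends_on=["db-core"]),
    "bf-sepa-transfers": Node("bf-sepa-transfers", "business_function",
                              critical=True, depends_on=["app-payments"]),
    "bf-mgmt-reports": Node("bf-mgmt-reports", "business_function",
                            depends_on=["app-reporting"]),
}

# Constructed sample events already mapped to a common data model.
EVENTS = [
    {"source": "monitoring", "object": "db-core",
     "severity": 0.7, "duration_h": 3},
    {"source": "ticketing", "object": "app-reporting",
     "severity": 0.2, "duration_h": 1},
]


def base_score(event):
    """User-defined business rule: combine severity (0..1) and outage
    duration into a 0..1 score. Assumes an 8-hour outage saturates."""
    duration = min(event["duration_h"] / 8.0, 1.0)
    return max(event["severity"], 0.5 * event["severity"] + 0.5 * duration)


def dependents(inventory):
    """Reverse the depends_on edges: which objects are hit if X is impaired."""
    rev = {name: [] for name in inventory}
    for node in inventory.values():
        for dep in node.depends_on:
            rev[dep].append(node.name)
    return rev


def propagate(inventory, events, attenuation=0.8):
    """Push each event's score along the reverse dependency edges.

    Configurable evaluation rule: every hop keeps `attenuation` of the
    score, except hops into objects flagged critical, which keep it in
    full. Each object ends up with the highest score that reached it; the
    'already reached with an equal or higher score' check also
    terminates cycles in the graph."""
    rev = dependents(inventory)
    scores = {name: 0.0 for name in inventory}
    for event in events:
        stack = [(event["object"], base_score(event))]
        while stack:
            name, score = stack.pop()
            if score <= scores[name]:
                continue
            scores[name] = score
            for child in rev[name]:
                factor = 1.0 if inventory[child].critical else attenuation
                stack.append((child, score * factor))
    return {name: round(score, 3) for name, score in scores.items()}


def risk_level(score):
    """Map a 0..1 score to a risk level; thresholds are assumptions."""
    if score >= 0.75:
        return "critical"
    if score >= 0.5:
        return "high"
    if score >= 0.25:
        return "medium"
    return "low"


def assess(inventory=INVENTORY, events=EVENTS):
    """Return {object: (score, level)} for every object in the inventory."""
    return {name: (score, risk_level(score))
            for name, score in propagate(inventory, events).items()}


if __name__ == "__main__":
    for name, (score, level) in assess().items():
        print(f"{name:20s} {score:5.3f} {level}")
```

Running the block shows the point of propagation: a single database incident raises the payments business function to the same level as the database itself (every hop on that path is flagged critical), while the reporting function two non-critical hops away ends one level lower. Swapping the attenuation factor or the critical flags is the equivalent of editing the evaluation rules.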

Visualization of key information

DORIAN offers visualization of relationships between analyzed objects, making it easier to discover complex connections. Risk analysts can utilize a map (graph), which enhances their workflow. Clear presentation of key performance indicators (KPIs) aids in quick assessment of the situation and the impact of risks on individual objects and areas within the organization.

Reporting

The system enables reporting of data from catalogs and analysis results in the format chosen by the user. This functionality supports regulatory requirements for operational risk reporting. Users can also define custom reports, allowing them to efficiently leverage analysis as organizational knowledge.

Information access management

DORIAN manages access to information using a role-based access control (RBAC) model, giving administrators control over who can see which areas of the investigated objects within the network.

SourceMation additional expert services

  • Preliminary audit and readiness assessment.
  • Development of digital operational resilience frameworks.
  • Preparation of an ICT risk management system.
  • Implementation of information security policy.
  • Development of business continuity and recovery plans.
  • Implementation of an incident management system.
  • Cyber threat management procedure.
  • Establishment of reporting and communication processes.
  • Preparation of a digital resilience testing program.
  • Implementation of advanced TLPT tests.
  • Audit of contracts with external ICT service providers.
  • Adjustment of contracts with ICT service providers.
  • Support for open-source components not covered by maintenance.
  • Training.
  • Final compliance assessment and ongoing maintenance support.

Benefits

  • Enhancing digital resilience by building more efficient and effective mechanisms for protection against cyberattacks.
  • Improving risk management through effective identification and minimization of technical and operational risks.
  • Maintaining business continuity through quicker response and recovery of organizational operations following disruptions.
  • Ensuring compliance with regulations and meeting legislative requirements by establishing clear and standardized legal frameworks.
  • Strengthening reputation among clients and business partners.
  • Integrated risk management through the development of a unified risk management system and the elimination of siloed approaches to information gathering within the organization.
  • Improved quality of analyses of non-systemic risks due to a holistic approach.
  • Enabling proactive incident management that allows for faster detection and resolution of issues.
  • Increased awareness of threats and better preparedness within the organization for incidents, including critical ones, enhancing overall operational resilience.
  • The ability to analyze incidents in terms of their impact on key business processes and the client's operations.

Why is it worth using DORIAN?

Compliance with DORA regulations

DORIAN assists financial institutions in meeting the requirements of the DORA regulation by providing tools for ongoing analysis of risk incidents and their impact on IT resources and business functions.

Automatic assessment of operational risk levels

The system automatically identifies operational risks and sends notifications with recommendations for corrective actions.

Comprehensive integration of risk incident data

By importing incident data from various sources into a common data model, DORIAN enables comprehensive analysis from multiple perspectives, allowing for accurate risk assessment of the institution’s business functions.

Flexibility in adapting risk assessment methods

The open method of rule implementation allows for flexible shaping of the risk assessment process.
