In this e-guide, we cover the purpose, scope and key requirements of DORA, how it will impact your organisation, and what you can do to prepare.
What is DORA?
The Digital Operational Resilience Act (DORA) is an upcoming piece of legislation set out by the EU for the financial services industry, designed to strengthen the sector’s cyber resilience and risk management. It creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by January 17, 2025.
Who Must Comply With DORA?
DORA applies to financial entities, as well as every organisation that provides IT services to them. In all, DORA will apply to more than 22,000 financial and ICT service operators functioning within the EU, as well as the ICT infrastructure supporting them from outside the EU. Critical third-country (outside the EU, e.g. UK and USA) ICT service providers to financial entities in the EU will also be required to establish a subsidiary within the EU to facilitate effective regulatory oversight.
How Do I Start Preparing For DORA?
and making requirements more concrete. Organisations should align their governance and practices to DORA’s resilience pillars and identify a roadmap with key deliverables to materialise their digital resilience strategy.
Organisations can do this through an initial gap assessment, starting with an analysis of the company profile. The gap assessment will also define the current level of maturity, including the compliance with existing guidelines (most common references include ESA Guidelines, NIS, CROE, etc.) and with existing IT risk management strategy and standards (such as ITIL, COBIT, NIST CSF, ISO, etc.). This will help identify a delta in DORA requirements and lay out a roadmap analysing the priorities and efforts needed to constitute a sound digital resilience strategy and framework.
In this guide, we also answer:
- What is the purpose and scope of DORA?
- How will DORA be enforced?
- - What are the the five pillars of DORA?
- - What are the key requirements of DORA?
Download the E-guide
Author
Chris Linnell
Data Privacy Principal Consultant
Bringing almost a decade of experience in data privacy across both public and private sector organisations, Chris leads Bridewell's Data Privacy team. In this role, he is responsible for the delivery and development of our range of data privacy services. Chris has also held positions as the Data Protection Officer (DPO) for an enterprise-scale organisation with over 25 million data subjects. He also holds certifications in: IAPP CIPP/E, IAPP CIPP/US, IAPP CIPPT, OneTrust Fellow of Privacy Technology, and more.