Start Your Expedition
The Digital Operational Resilience Act
With the Digital Operational Resilience Act (DORA), the EU is responding to the increasing threat to the financial sector from cyberattacks on information and communication technology (ICT) service providers.
The EU's Digital Operational Resilience Act
With the DORA Regulation, the EU aims to strengthen the resilience of financial services institutions to ICT and cyber risks.
DORA explicitly refers to ICT risks and sets out rules for risk management, incident reporting, operational resilience testing and third-party monitoring of ICT risks. DORA requires financial institutions and their management bodies to comply with these rules.
What's new?
As part of the Digital Operational Resilience Act, companies are now more responsible for ensuring effective ICT risk management. The responsibility for complying with regulatory-compliant ICT risk management now also lies personally with the management bodies.This includes the establishment and ongoing maintenance of robust ICT systems that remain functional even under stressful conditions. The establishment of processes for recognising, handling, monitoring and logging ICT-related incidents is also essential.
The use of standardised templates for reporting serious incidents is prescribed, as are intensified tests to check operational stability. In addition, continuous monitoring of the risk posed by third parties is necessary throughout the entire outsourcing life cycle. The monitoring of critical third-party ICT service providers will be harmonised through new powers of the European supervisory authorities.
What do financial service providers need to do now?
Creating a resilient digital infrastructure requires a clearly defined strategy for digital operational resilience and the implementation of a business continuity policy for information and communication technology (ICT). Systematic measures for recognising ICT incidents and a process for constantly updating and adapting early warning indicators are also necessary.
The establishment of an ICT incident management process and the definition of assessment criteria for ICT incidents are further critical fields of action. A comprehensive test programme for ICT tools ensures that weaknesses are identified at an early stage. In addition, the strategy and documentation for IT outsourcing needs to be adapted in order to strengthen the management of third-party risks. Furthermore, annual penetration tests for ICT systems must be successfully completed, potentially even with the support of specialized service providers, through a program for "Advanced Threat Led Penetration Tests (TLPT)."
" At 4C, we understand the requirements that DORA places on financial services institutions and support companies in overcoming associated challenges. "
Daniel Lovric | Patner CCO Advisory 4C GROUP
Your Benefits
- The use of the 4C maturity model enables the determination of the maturity level according to the DORA requirements.
- Mapping all DORA requirements and comparing them with additional specifications.
- Our dynamic teams stand out for their ability to provide independent and objective consultation on an equal footing.
- The ideal combination of industry expertise, regulatory knowledge, and IT management allows us to offer tailored solutions that meet the specific needs of our clients.
Our Scope of Service
" The Banking industry is already following strong compliance and regulatory standards, however compliance management systems are yet not so established in other industry sectors. Dr. Heiko Mauterer and Daniel Lovric from 4C GROUP joined my team to give us a presentation on the recent market developments and [..] offering the opportunity to make professional Compliance Management a real asset."
- Anna Issel Head Anti-Financial Crime International Private Bank | Deutsche Bank
Our Approach
1. Review
- Relevant current/planned governance structures & processes
- Consideration of target structures (regulatory) implementation project
- Prioritisation of DORA focal points according to business model
2. GAP-Analysis
- Individualisation 4C maturity model
- Selection of additional relevant regulatory requirements
- Documentation of the perceived actual state
- Assessment of the maturity level as the distance to the target status ("new requirement" to already "fulfilled")
3. Definition of measures
- Joint, risk-oriented prioritisation of adaptation needs
- Derivation of measures from maturity level per identified GAP
- Content-related target definition together with the implementing department incl. indicative cost estimate
- Development of decision templates for committees
4. Operationalisation
- Comparison with actual project portfolio and prioritisation
- Integration into existing projects/ setting up implementation initiatives
- Progress and success monitoring (via trend in the maturity model) and visualisation in the 4C dashboard
- Support with change management incl. communication
