What are the 5 requirements of DORA?
DORA’s comprehensive framework for strengthening the cybersecurity and operational resilience of the EU’s financial sector is structured around five key requirements:
1. ICT risk management. DORA requires financial entities to have a robust ICT risk management framework with strategies, policies, and procedures for protecting information, software, and physical assets. Additionally, entities must conduct business impact analyses, create response and recovery plans, and test them regularly. They must also implement security awareness programmes for all staff and management.
2. ICT-related incident reporting. Entities must be able to quickly classify, address, and report ICT-related incidents and cyber threats to regulators and affected parties. Incidents must be reported within four hours of becoming aware, with a more detailed report provided within a week. This requires entities to have robust incident response plans and processes for root cause analysis.
3. Digital operational resilience testing. DORA requires entities to conduct regular tests of their ICT systems and infrastructure to assess vulnerabilities and the effectiveness of protective measures. This includes basic tests annually and more comprehensive threat-led penetration testing every three years to identify gaps and weaknesses in the entity’s resilience capabilities.
4. ICT third-party risk management. DORA requires entities to actively manage the ICT risks posed by third-party service providers, including conducting due diligence and audits. Contracts with third parties must include provisions for security, incident reporting, and exit strategies. Entities are also responsible for ensuring that third parties comply with DORA’s requirements.
5. Information sharing. To help build collective awareness and develop best practices for preventing and responding to cyber threats, entities are encouraged to participate in voluntary cyber threat intelligence sharing with other financial institutions. Information sharing must comply with data protection regulations and avoid disclosing sensitive customer information.
By implementing these five requirements, financial entities in the EU can bolster their overall digital operational resilience and better withstand and recover from severe ICT-related disruptions.