DORA

Digital Operational Resilience Act

With the Digital Operational Resilience Act (DORA for short), the EU is focusing in particular on digital resilience. DORA aims to achieve this by implementing various requirements for the stability of digital systems in the financial sector.

In an interconnected Europe, where international cooperation between financial companies is widespread and digitalization-related risks potentially have cross-border impacts, DORA aims to provide a complementary common legal framework at EU level. Regulations that have so far applied specifically for institutions in Germany, such as BAIT, ZAIT, VAIT and MaRisk, will thus be supplemented by a set of regulations at EU law level.

For whom DORA applies

The requirements apply to different types of financial companies as well as to critical third-party ICT providers to financial companies:

• Data reporting service providers
• Insurance and reinsurance undertakings
• Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
• Institutions for occupational retirement provision
• Credit Rating Agencies
• Administrators of critical benchmarks
• Crowdfunding service providers
• securitisation repositories
• ICT third-party service providers

The requirements of DORA

DORA consists of a total of 45 articles, which are divided into the following chapters:

• ICT risk management
• Handling, classifying and reporting of ICT-related incidents
• Testing of digital operational resilience
• ICT third party risk management
• Agreements on the exchange of information

Harmonization with DORA: How do we proceed?

Preliminary Analysis

In a preliminary workshop, we build internal knowledge among all stakeholders. The workshop covers the general requirements of DORA as well as known risks, challenges, and best practices from similar regulatory-driven projects.

We transfer the definition of "critical and important functions" according to DORA to the functions of your company and determine which other security standards and national regulations might affect you. In most cases, the systems and processes implemented to comply with ISO 27001 or the BaFin circulars can be used as a basis.

Gap Analysis resulting in an Action Plan

The requirements affect institutions holistically. Therefore, a pure document review is not sufficient to ascertain the implementation status of the DORA requirements. We therefore recommend a combination of:

• Document review
• Interviewing key personnel
• Implementation check

The results of this detailed Gap Analysis provide a good picture of the expected costs. They provide implementation options that can be used to set the direction for implementation at the highest management level (Action Plan).

Harmonization Project

Implementation of harmonization with DORA in a comprehensive project tailored to the institute. We support you here at all levels, from the definition of the strategy and the drafting of guidelines to the operational implementation of the requirements in the organization.

We individually address the key areas identified in your gap analysis and, in addition to implementing the individual requirements, we also support you in change management and communication within the institution. During these types of harmonization projects, we support financial institutions often with, for example:

• Establishment or adjustment of IT governance
• Planning and implementation of appropriate risk management
• Establishment or optimization of service provider management in compliance with the applicable regulatory requirements
• Required Security Analysis, such as Red Team Assessments

More Informationen on the Digital Operational Resilience Act