To-do list by 2025
It is up to organizations to keep these benefits in mind and position themselves for a secure future of operation in the EU. However, DORA is scheduled to go into full effect on January 17, 2025, and the to-do list may be long for some. Below, Kokhar offers top tips for organizations that need to make transformative changes.
“We encourage organizations to start early and take comprehensive action to comply with regulations to avoid being left behind.
“DORA is based on five resilience pillars that organizations should focus their preparations on: ICT risk management, ICT incident reporting, digital operational dependency testing, ICT third-party risk, and information and intelligence sharing.
“ICT risk management is important to minimize the possibility of unexpected cyber-attacks by requiring a thorough risk assessment to proactively prevent and detect potential threats. The pillars encourage businesses to take appropriate measures, adhere to risk management, and establish a robust ICT risk management framework.
“To achieve this, agencies must first develop a comprehensive framework for identifying, classifying, and managing risks; define strategies for risk prevention, response, and recovery; and develop a training plan for managers and staff.
“With ICT incident reporting, companies provide a detailed report on an incident, gathering information about affected users, data loss, severity of system impact, geographic spread, service criticality, and economic impact. This reporting is mandatory.
“This will enable effective incident monitoring, management, and continuous improvement to enhance recovery. Companies will need to update how they classify incidents and establish internal and external notification channels.
“The next one is probably the most difficult of the pillars: Digital Operational Resilience Testing, which requires financial institutions to undergo threat-based penetration testing every three years.
“And this process can take up to two years, meaning organizations need to prepare early for regulatory approval testing deadlines by the end of 2024.
“The ICT third-party risk pillar mandates that organizations integrate third-party risk management into their risk frameworks. Organizations must develop clearly defined strategies and policies.
“Companies should create comprehensive third-party registries and conduct regular third-party audits to avoid the risk of non-compliance.
“Finally, to foster collaboration between financial services organizations, companies are encouraged to deploy automated solutions to efficiently share information with other institutions and establish internal communication mechanisms for processing.”
“The first set of final draft technical standards under DORA was published on January 17 of this year and submitted to the Commission for adoption.
“Although the standards have not yet been finalized and will require review by the European Parliament and the Council before being published in the Official Journal of the European Union, these technical standards provide a strong foundation for classifying ICT incidents, a regulatory framework for ICT third-party service agreements, and standard templates for information registration and risk management tools and processes.
“Complete compliance with DORA by January 2025 will not be easy, but it is necessary for true operational resiliency. workstream, and may also require a restructuring of the technology architecture for some players.
“Addressing DORA will present challenges, but the rewards for businesses and the industry as a whole will be significant.”