Get ready for DORA

Digital Operational Resilience Act (DORA)

DORA – the Digital Operational Resilience Act – is a European Union regulation aimed at enhancing the digital resilience of the financial sector.

Get Ready for DORA

Karer Consulting combines theoretical and practical knowledge for assessing and implementing DORA requirements.


As a trusted advisor we guide you through the assessment and the implementation process; we have experience with both banking and insurance processes. On request, or where needed, we also integrate further regulatory requirements (e.g., the EBA guidelines).


  • In the assessment we identify strategic and operational gaps. Concrete projects and measures are defined, prioritized and allocated to a DORA roadmap.
  • The projects and measures are then implemented according to the DORA roadmap. Karer Consulting guides you through every step of the implementation with current best practices and nearly 30 years of experience in IT Service Management.

DORA at a Glance


DORA aims to ensure that financial entities can withstand, respond to and recover from all types of Information and Communication Technology (ICT) disruptions and threats in a coordinated way.

DORA is crucial for safeguarding the integrity and stability of the EU financial system in the face of increasing cyber threats. Compliance helps prevent financial disruptions and strengthens trust in digital financial services.

Financial entities must comply with the DORA requirements from 17 January 2025.

OBJECTIVE

The regulation on digital operational resilience for the financial sector (DORA) is the European response to the digital transformation of financial services and to the growing cyber threat to the financial sector.

FOCUS

Appropriate handling of the financial sector's increasing dependence on third-party providers

Maintaining the operational stability of the Union's financial system in the event of a serious disruption


CORE

Comprehensive, harmonized ICT risk management framework

Expansion and standardization of the reporting obligations for major ICT-related incidents

Creation of a European oversight framework for critical ICT third-party service providers


Is my company in scope of DORA?

The requirements of the regulation apply to financial entities and to the ICT third-party service providers that have contracts with those financial entities. The scope of DORA defines 20 different types of financial entities (exemptions may apply).

Please get in touch with us for further information.

DORA Key Aspects – What are the main fields of action?

DORA defines four major fields of action for meeting the compliance requirements.

  • ICT Risk Management (Art. 5 - 16)
    • Responsibility remains with the management body
    • ICT risk management and governance
    • Technical requirements (identify, protect, detect, respond, recover, etc.)
  • ICT-related incidents and their management (Art. 17 - 23)
    • ICT incident reporting
    • Classification of ICT-related incidents and cyber threats
    • Reporting of major ICT-related incidents (and voluntary notification of significant cyber threats)
  • Testing of digital operational resilience (Art. 24 - 27)
    • General requirements for the testing of digital operational resilience
    • Basic tests (e.g. vulnerability assessments, required of all financial entities in scope)
    • Advanced testing (Threat-Led Penetration Tests (TLPT), with TIBER-EU / TIBER-DE as blueprint and method)
  • Management of ICT third-party service provider risks (Art. 28 - 44)
    • General principles (including maintaining a register of information on ICT third-party contractual arrangements, and minimum contractual clauses)
    • EU oversight framework for critical ICT third-party service providers

DORA and ITSM

Karer Consulting recommends closing the gaps identified against the regulation through proper IT Service Management. To this end, we use standardized assessments to determine ITSM maturity and to identify DORA gaps.

DORA requirements can be met by adjusting (or introducing) IT service management on the IT service provider side. ITIL, as industry best practice, provides a suitable framework for this.


DORA addresses requirements for many IT services and ITSM processes:

  • Service Configuration and IT Asset Management
  • Change Management
  • IT Service Continuity Management
  • Security Management
  • Major Incident Management
  • IT Risk and Knowledge Management
  • Service Validation and Testing
  • Supplier Management
  • Measuring and Reporting

Our Approach

Karer Consulting guides you through the assessment and implementation process. The assessment consists of two parts: interviews and workshops with stakeholders across the organization, to ensure compliance in day-to-day business, and a process and documentation review, to cover the legal compliance required by DORA.

From the assessment results, projects and measures for the implementation are derived. Karer Consulting accompanies the implementation of the prioritized projects and measures.

By following this approach, we ensure that compliance with DORA can be achieved.