Key Requirements of the EU DORA Act Framework


Summary

The EU Digital Operational Resilience Act (DORA) is a regulatory framework designed to strengthen financial institutions’ defenses against cyber threats and operational disruptions. DORA sets out specific requirements for risk management, incident reporting, documentation, and oversight of third-party technology providers.

  • Document everything: Make sure your organization maintains up-to-date strategies, policies, procedures, and registers covering ICT risk management, business continuity, incident response, and supplier relationships.
  • Monitor risks continuously: Set up real-time monitoring for cyber threats and vulnerabilities, and regularly assess both internal systems and third-party ICT providers to stay ahead of emerging risks.
  • Report and recover quickly: Establish clear protocols to notify authorities about significant incidents within tight deadlines and define recovery objectives that restore critical operations and customer access promptly.
Summarized by AI based on LinkedIn member posts
  • Daniel Barnes

    Agentic AI for Procurement ✌️

    32,418 followers

    DORA (Digital Operational Resilience Act) changed everything for financial services - especially mid-market orgs that suddenly found themselves in its remit. Suddenly, there were specific requirements about ICT third-party risk management, detailed reporting obligations, and real consequences for non-compliance. That regulatory pressure created the clearest use case I've seen for agents.

    The DORA agent monitors our ICT supplier relationships against the regulatory requirements. Concentration risk thresholds. Exit strategy documentation. Incident reporting timelines. Sub-contractor oversight. It doesn't replace the compliance team's judgment about whether we're meeting the spirit of the regulation. It ensures nothing falls through the cracks on the letter of it.

    When a supplier's status changes - new contract, renewed agreement, terminated relationship - the agent automatically reassesses our DORA exposure and updates the relevant registers. Before: quarterly manual reviews that took weeks and still missed things. After: continuous monitoring that catches changes as they happen.

    Financial services arrived first because the regulation forced them to. Everyone else will follow. Tomorrow: ESG assessment, and why third party data is the bottleneck everyone ignores.
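    The post above describes an agent that re-evaluates third-party exposure whenever a supplier's status changes. The following is an added illustration, not the poster's agent or any real product: a small register monitor that runs the letter-of-the-regulation checks the post names (concentration, exit strategy documentation, sub-contractor oversight) and is re-run from a status-change event. The register schema, the 40% concentration threshold, the list of critical functions and the supplier data are all constructed assumptions.

```python
"""Added example: ICT third-party register monitor re-run on supplier status changes.
Not from the post above; schema, threshold and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed threshold (not from the post): flag a provider that underpins
# more than 40% of the entity's critical functions as a concentration risk.
CONCENTRATION_THRESHOLD = 0.40

# Constructed sample: the entity's critical or important functions.
CRITICAL_FUNCTIONS: Set[str] = {"payments", "core-banking", "customer-portal", "reporting"}


@dataclass
class Supplier:
    name: str
    status: str                          # "active" or "terminated"
    supports: List[str]                  # critical functions this supplier underpins
    exit_strategy_documented: bool
    subcontractors: List[str] = field(default_factory=list)
    subcontractor_oversight: bool = False


@dataclass(frozen=True)
class Finding:
    supplier: str
    check: str
    detail: str


def assess_register(register: Dict[str, Supplier], critical: Set[str]) -> List[Finding]:
    """Run every register check and return the open findings."""
    findings: List[Finding] = []
    active = [s for s in register.values() if s.status == "active"]
    covered: Set[str] = set()
    for s in active:
        relied_on = set(s.supports) & critical
        covered |= relied_on
        # Concentration: share of critical functions that depend on this one provider.
        share = len(relied_on) / len(critical) if critical else 0.0
        if share > CONCENTRATION_THRESHOLD:
            findings.append(Finding(s.name, "concentration",
                                    f"supports {share:.0%} of critical functions"))
        # Exit strategy: required for any provider behind a critical function.
        if relied_on and not s.exit_strategy_documented:
            findings.append(Finding(s.name, "exit_strategy",
                                    "no documented exit strategy for a critical-function provider"))
        # Sub-contractor oversight: a supplier's own supply chain must be overseen.
        if s.subcontractors and not s.subcontractor_oversight:
            findings.append(Finding(s.name, "subcontractor_oversight",
                                    f"{len(s.subcontractors)} subcontractor(s) without oversight"))
    # Coverage: a terminated supplier can leave a critical function with no provider.
    for fn in sorted(critical - covered):
        findings.append(Finding("(register)", "coverage", f"{fn} has no active provider"))
    return findings


def on_status_change(register: Dict[str, Supplier], name: str, new_status: str,
                     critical: Set[str]) -> List[Finding]:
    """Event hook: record the new status and reassess the whole register."""
    register[name].status = new_status
    return assess_register(register, critical)


def build_sample_register() -> Dict[str, Supplier]:
    """Constructed sample register (fictional suppliers)."""
    return {s.name: s for s in [
        Supplier("CloudCo", "active", ["payments", "core-banking", "customer-portal"],
                 True, ["DC-Ops"], True),
        Supplier("PayGateway", "active", ["payments"], False),
        Supplier("MailCo", "active", [], False, ["SMS-Relay"], False),
        Supplier("LegacyHost", "active", ["reporting"], True),
    ]}


if __name__ == "__main__":
    reg = build_sample_register()
    for f in assess_register(reg, CRITICAL_FUNCTIONS):
        print("before:", f)
    # Terminating LegacyHost leaves "reporting" uncovered; the reassessment catches it.
    for f in on_status_change(reg, "LegacyHost", "terminated", CRITICAL_FUNCTIONS):
        print("after: ", f)
```

    The point of the design is that the checks are pure functions of the register, so a status change simply triggers a full re-evaluation instead of a hand-maintained diff; the coverage check shows why that matters, since a termination that looks harmless in isolation can leave a critical function without any active provider.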

  • Natalia Spinu

    Director European Institute | Responsible AI Governor for Moldova | Cybersecurity Expert | Mentor | 40 under 40 in cybersecurity |

    7,735 followers

    Navigating Europe's New Digital Resilience Framework: NIS2 and DORA

    The EU's Digital Operational Resilience Act (DORA) and Network and Information Systems Directive (NIS2) are reshaping cybersecurity requirements across critical sectors. While DORA targets financial institutions with specific ICT risk management frameworks, NIS2 covers essential entities across eleven sectors including energy, transport, and healthcare. Both frameworks establish strict incident reporting timelines and emphasize senior management accountability. DORA requires notification within four hours of incident classification, while NIS2 mandates reporting within 24 hours. Non-compliance carries significant penalties, with NIS2 fines reaching EUR 10 million or two percent of global turnover for essential entities.

    The global implications extend beyond EU borders through third-party service provider requirements. Organizations worldwide working with covered entities must understand these obligations to maintain business relationships and competitive positioning. Even companies not directly subject to these requirements should consider adopting their risk management principles. Regular third-party assessments, penetration testing, and comprehensive audit practices represent emerging industry standards that strengthen operational resilience across all jurisdictions.

    The convergence of these frameworks signals a fundamental shift toward proactive risk management in our interconnected digital economy. Organizations that embrace compliance as a strategic advantage will build stronger, more resilient operations.

    #ISAA #Cybersecurity #RiskManagement #DORA #NIS2 #DigitalResilience #Compliance

  • Sebastian Burgemejster CISA, CRISC, CISM, CCAK, SOC 2 expert

    Co-Founder at BW Advisory Sp. z o.o., ITGRC ADVISORY LTD., The SOC2 Project, Antifragility Institute

    6,318 followers

    📢 DORA: From Regulation to Documentation

    The Digital Operational Resilience Act is transforming how financial institutions across the EU approach #ICTrisk, #resilience, and #governance. While the regulation itself is ambitious, one of the most practical challenges is clear: the list of required documents, #policies, and #procedures that organizations must create and maintain.

    🗂️ What’s Required Under DORA?

    The BaFin overview makes it clear that compliance is documentation-heavy. Entities must produce, maintain, and regularly update:

    Strategies: Digital operational resilience strategy (Art. 6 #DORA), ICT #riskmanagement framework, ICT #businesscontinuity strategy.

    Policies:
    ☑️ Information security & ICT risk management policies
    ☑️ Backup, patching, and vulnerability management policies
    ☑️ ICT change management, incident management, and encryption policies
    ☑️ ICT third-party & outsourcing policies

    Procedures:
    ☑️ Incident classification, reporting, and crisis communication plans
    ☑️ Identity & access management, capacity management, and system monitoring
    ☑️ Testing and validation methodologies for ICT #continuity & #resilience

    Registers & Inventories:
    ☑️ ICT assets, critical processes, and third-party providers
    ☑️ Certificates, incidents, and audit findings

    In total, organizations must demonstrate comprehensive governance, linking policies and procedures directly to ICT risk management, incident response, #resiliencetesting, and #thirdparty oversight.

    This is another great publication for organizations that fall under DORA. The structured list of requirements is invaluable — it shows exactly what needs to be in place. From strategies to policies, from ICT change management to third-party registers, organizations now have a clear view of what must be documented, implemented, and maintained.

    #cybersecurity #ITGRC #TheSOC2 #ITGRCAdvisory #BWAdvisory #AkademiaITGRC #FinancialServices CyberMadeInPoland ISACA Warszawa FinTech Poland

  • Andrew Dillin

    Security Intelligence Leader | Cyber, Physical & Geopolitical Threat Intelligence | Intelligence-Led Security | ThreatConnect CAB

    3,333 followers

    The Digital Operational Resilience Act (DORA) is a regulatory framework established by the European Union to ensure financial entities are resilient to cyber threats and operational disruptions. It requires firms to address various elements of cybersecurity, including Threat Intelligence, and comes into force today. Below are some of the key Threat Intelligence related elements addressed in DORA:

    1. Threat Monitoring and Detection
    • Financial entities must establish mechanisms to continuously monitor and detect threats.
    • Real-time monitoring of cybersecurity incidents and vulnerabilities affecting the organisation.

    2. Cyber Threat Intelligence (CTI) Capabilities
    • Organisations are required to develop or acquire threat intelligence capabilities to understand emerging threats.
    • Intelligence should cover tactics, techniques, and procedures (TTPs) used by threat actors.
    • Entities must use CTI to predict, prevent, detect, and respond to cyber incidents.

    3. Incident Reporting and Sharing
    • Entities must report significant cyber incidents to relevant authorities promptly.
    • Encourages sharing threat intelligence and incident reports with trusted networks to improve collective resilience across the financial sector.

    4. Third-Party Risk and Threat Monitoring
    • Organisations must ensure third-party service providers comply with resilience standards, including monitoring their vulnerability to emerging threats.
    • Continuous assessment of risks from critical third-party ICT providers.

    5. Scenario-Based Threat Testing
    • Financial entities are required to conduct regular stress testing using realistic cyber threat scenarios.
    • Threat intelligence is critical to developing these scenarios to ensure tests are comprehensive.

    6. Vulnerability Management
    • Organisations must establish processes to identify, evaluate, and address vulnerabilities.
    • Threat intelligence is used to prioritise vulnerabilities based on their likelihood of exploitation and potential impact.

    7. Collaboration and Information Sharing
    • Facilitates cooperation between financial entities, authorities, and other stakeholders through information sharing.
    • Promotes intelligence-sharing platforms to distribute actionable threat intelligence.

    8. Governance of Threat Intelligence
    • Boards and senior management must ensure threat intelligence is integrated into decision-making.
    • Policies and procedures must outline how CTI is gathered, analysed, and applied to operational resilience.

    DORA places significant emphasis on using threat intelligence to inform and enhance operational resilience strategies, enabling financial institutions to proactively defend against evolving cyber threats.

  • Manju Mude

    CISO, Cyber Trust & Risk Executive, Chief AI Officer. Future, Resilience, Growth & Board focused. Human Safety first.

    6,886 followers

    Starting January 17, 2025, financial entities will need to adhere to the EU’s Digital Operational Resilience Act (DORA). This act, primarily targeting banks, insurance companies, and other financial institutions within the EU, aims to safeguard against cyber threats by implementing stringent measures:

    - **Assessment and Mitigation:** DORA mandates the establishment of robust frameworks for evaluating and managing risks effectively.
    - **Risk Monitoring:** Financial entities must monitor risks posed by Information and Communication Technologies (ICT) service providers. Annual assessments of these providers should cover security, financial stability, and operational aspects.
    - **Incident Reporting:** Prompt reporting of significant ICT incidents is obligatory. Major incidents necessitate immediate action within a 2-hour reporting window, including initial assessment and senior management notification. Significant incidents allow a 4-hour reporting timeframe. Comprehensive incident documentation, encompassing root cause analysis, business impact, and corrective actions, must be completed within a month.
    - **Recovery Objectives:** Critical functions are required to have a 2-hour recovery time objective (RTO) with a maximum 15-minute data loss window (RPO) for transaction and customer data systems. Full-service restoration, including customer access and data verification, should be achieved within 4 hours.
    - **Testing and Compliance:** Regular system and resilience testing, along with compliance checks, are enforced to ensure operational readiness.

    These regulations under DORA were adopted in November 2022, came into effect in January 2023, and will be applicable from January 17, 2025. For more information, visit: [DORA Overview](https://lnkd.in/gBNk6p7f)
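    The reporting windows and recovery objectives in the post above only become checkable once you decide which timestamps they are measured between. The following is an added example, not code from the post or from any DORA tooling: it takes the figures as the post states them (2 h reporting window for major incidents, 4 h for significant ones, 2 h RTO, 15 min RPO, 4 h to full restoration) and evaluates a constructed incident record against them. The record layout, the measurement points (RTO from the start of the outage, RPO from the last consistent restore point) and the 30-day reading of "within a month" are assumptions.

```python
"""Added example: evaluate an incident record against the objectives listed in the post.
Not from the post; record layout, measurement points and the 30-day figure are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Figures as stated in the post; "within a month" read as 30 days (assumption).
OBJECTIVES = {
    "report_major": timedelta(hours=2),
    "report_significant": timedelta(hours=4),
    "rto_critical": timedelta(hours=2),
    "rpo_transactional": timedelta(minutes=15),
    "full_restoration": timedelta(hours=4),
    "final_documentation": timedelta(days=30),
}


@dataclass
class IncidentRecord:
    severity: str                                 # "major" or "significant"
    outage_start: datetime                        # critical function became unavailable
    classified_at: datetime                       # incident classified by the entity
    last_consistent_data: datetime                # restore point used (drives RPO)
    reported_at: Optional[datetime] = None        # initial notification to the authority
    management_notified_at: Optional[datetime] = None
    critical_restored_at: Optional[datetime] = None   # critical function back (drives RTO)
    fully_restored_at: Optional[datetime] = None      # customer access and data verified
    final_report_at: Optional[datetime] = None        # root cause, impact, corrective actions


def _elapsed(start: datetime, end: Optional[datetime]) -> Optional[timedelta]:
    return None if end is None else end - start


def _within(delta: Optional[timedelta], limit: timedelta) -> bool:
    # A missing timestamp (None) means the step has not happened: treated as a miss.
    return delta is not None and timedelta(0) <= delta <= limit


def evaluate(rec: IncidentRecord) -> Dict[str, bool]:
    """Return pass/fail per objective for one incident record."""
    window = OBJECTIVES["report_" + rec.severity]
    return {
        "initial_report": _within(_elapsed(rec.classified_at, rec.reported_at), window),
        "management_notified": _within(_elapsed(rec.classified_at, rec.management_notified_at), window),
        "rto": _within(_elapsed(rec.outage_start, rec.critical_restored_at), OBJECTIVES["rto_critical"]),
        # RPO: data written between the restore point and the outage start is what is lost.
        "rpo": _within(rec.outage_start - rec.last_consistent_data, OBJECTIVES["rpo_transactional"]),
        "full_restoration": _within(_elapsed(rec.outage_start, rec.fully_restored_at),
                                    OBJECTIVES["full_restoration"]),
        "final_documentation": _within(_elapsed(rec.classified_at, rec.final_report_at),
                                       OBJECTIVES["final_documentation"]),
    }


def missed_objectives(rec: IncidentRecord) -> List[str]:
    """Sorted names of the objectives the record fails to meet."""
    return sorted(k for k, ok in evaluate(rec).items() if not ok)


def sample_record() -> IncidentRecord:
    """Constructed sample incident (fictional timestamps)."""
    day = datetime(2025, 3, 3)
    return IncidentRecord(
        severity="major",
        outage_start=day.replace(hour=9, minute=0),
        classified_at=day.replace(hour=9, minute=20),
        last_consistent_data=day.replace(hour=8, minute=50),    # 10 min of data lost
        reported_at=day.replace(hour=10, minute=45),            # 1 h 25 after classification
        management_notified_at=day.replace(hour=11, minute=30), # 2 h 10 after classification
        critical_restored_at=day.replace(hour=11, minute=15),   # 2 h 15 after outage start
        fully_restored_at=day.replace(hour=12, minute=30),      # 3 h 30 after outage start
        final_report_at=datetime(2025, 3, 28),
    )


if __name__ == "__main__":
    rec = sample_record()
    for name, ok in evaluate(rec).items():
        print(f"{name:22s} {'met' if ok else 'MISSED'}")
```

    Run on the constructed record, the evaluation shows the initial report, RPO, full restoration and final documentation within their objectives, while the management notification and the critical-function RTO are missed; treating a missing timestamp as a miss rather than a pass keeps an incomplete record from reading as compliant.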

  • Helene Dufour

    Partner and Co-founder at Metametris

    4,505 followers

    The ESAs DORA guide explains the framework's objectives, principles, structure, activities, processes, and expected outcomes. It covers CTPP designation based on criticality, risk assessment, and detailed oversight activities including ongoing monitoring, requests for information, general investigations, and inspections. The document also outlines the issuance of non-binding recommendations for identified deficiencies and subsequent follow-up procedures to ensure compliance, ultimately aiming to enhance digital operational resilience and financial system stability across the EU. https://lnkd.in/d4KNQpV7

  • Nannette Martínez Ortiz, CISSP

    Former State CTO and CIO • De-risk innovation, accelerate adoption

    3,160 followers

    The EU's Digital Operational Resilience Act (DORA) deadline is coming up on January 17. It establishes a comprehensive legal framework for financial institutions and their relationship with IT service providers. As jurisdictions' security postures continue to mature, we can expect lawmakers to keep moving in a similar direction...

    DORA includes the following requirements for financial institutions:
    🛡️ IT risk management using a structured approach (framework)
    ✒️ Third-party IT risk management with key contractual provisions
    💣 Digital operational resilience testing (basic and advanced)
    ⚠️ General requirements for security incidents, including disclosure to authorities
    📢 Information sharing and intelligence on cyber threats
    🔍 Oversight of critical third-party providers

    With DORA it's no longer enough for EU financial institutions to allocate capital for potential losses from a cyberattack. Similar to the National Association of Insurance Commissioners (NAIC) Data Security model law recently adopted in Puerto Rico by Comisionado de Seguros de PR (OCS), it requires proactive security controls and resilience planning to actually, effectively, protect data.

    There is one big, important difference between the OCS ruling and DORA: the scope, complexity, and time required to amend them when they require an update. It's much easier to amend an agency rule than a law, especially one that governs all the EU. While DORA is certainly prescriptive —which, in my experience with technology-focused legislation, is something to beware of— its focus on operational resilience, cybersecurity, and risk management hits the nail on the head where organizations' priorities usually fall short (in industries across the board).

    As new IT-related laws are created around the world and cover technical topics, modern legislative bodies must learn to move faster, not only to pass these laws in time to protect those who need it, but to amend them once the standards they establish become obsolete.

    #GRC #TPRM #nowonboarding https://lnkd.in/e52zpSMd

  • Amine El Gzouli

    Amazon Security | Sr. Security & Compliance Specialist | Turning InfoSec compliance into a growth engine: Reduce risk, cut red tape, and move at business speed

    5,484 followers

    “We are ISO 27001 certified, are we DORA compliant?” Not so fast.

    ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

    1. Regulatory vs. Voluntary Framework
    ↳ ISO 27001 – A voluntary international standard for information security management.
    ↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

    2. Scope and Focus
    ↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
    ↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

    3. Key Compliance Gaps

    🔸 Incident Reporting
    ↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
    ↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

    🔸 Security Testing
    ↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
    ↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

    🔸 Third-Party Risk Management
    ↳ ISO 27001 – Covers supplier risk but with general security controls.
    ↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

    4. How can financial institutions and ICT providers address the delta?
    ✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
    ✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
    ✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
    ✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
    ✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

    💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.

    👇 What’s the biggest challenge in aligning with DORA? Let’s discuss.
    ♻️ Repost to help someone.
    🔔 Follow Amine El Gzouli for more.

  • Linda Tuck Chapman - LTC

    CEO Third Party Risk Institute™. Best source for gold‑standard third party risk management Certification and Certificate programs, bespoke training, and our searchable Resource Library. See you in class!

    25,134 followers

    🚨 A Must-Read for Risk & Compliance Teams: DORA Oversight of Critical Third Parties Just Got Serious

    If your organization relies on third-party technology providers (cloud, infrastructure, software, data services) and serves EU markets, you need to understand what this new DORA update means. Here’s a clear, no-fluff breakdown of the EU's new guide (July 2025) on how critical ICT service providers will now be designated, examined, and held accountable:

    What's the big deal?
    This is the first ever structured, EU-wide oversight framework for third-party ICT providers who are critical to the financial sector. Think AWS, Microsoft, Google Cloud, IBM, and many others. Under DORA, these providers will be:
    - Designated as critical if their failure could threaten financial stability.
    - Monitored year-round by joint EU supervisory teams.
    - Inspected on-site or off-site if risks emerge.
    - Given recommendations that, if ignored, may trigger public naming.
    This changes how financial institutions manage third-party risks, particularly in terms of concentration risks and systemic reliance on a few large technology providers.

    What DORA’s Oversight Involves
    ✔️ Annual designation process based on service criticality, substitutability, and systemic risk.
    ✔️ Joint Examination Teams (JETs) will actively monitor providers across the EU.
    ✔️ Investigations & inspections can be initiated if risks, incidents, or non-compliance are detected.
    ✔️ Non-binding recommendations will be issued, but if ignored, they’ll go public.
    ✔️ Competent Authorities will be informed, and may require firms to suspend or terminate services from non-compliant providers.
    ✔️ Third-country oversight is possible if the provider serves EU clients, even if based elsewhere.

    Why This Matters to You?
    Vendor due diligence just got heavier. You’ll need to understand not just your vendor’s controls, but how they interact with DORA regulators.
    More shared insight. Regulators can now share oversight findings with you if you use a critical provider.
    ICT concentration risks are under a microscope. Risk leaders will need to prove they understand and mitigate dependencies.
    EU or not, this affects global providers. If you’re outside the EU but serve EU clients, your oversight perimeter just expanded.

    DORA isn't just about resilience anymore, it’s about control, transparency, and accountability at the third-party level. If your key ICT vendors are designated as critical, expect more scrutiny and be ready for deeper oversight conversations.

    #DORA #ThirdPartyRisk #ICTRisk #CyberResilience #RiskManagement #EURegulation #VendorOversight #Compliance #FinancialServices #tprm

  • Şebnem Elif Kocaoğlu Ulbrich, LL.M., MLB

    Tech, Marketing and Expansion Advisor I LinkedIn Top Voice I Published Author I FinTech & LegalTech Expert I Columnist (Fintech Istanbul, Fortune, PSM) I LinkedIn Creator Program Alum I Entrepreneur Coach

    11,192 followers

    🇪🇺 What Does #DORA Mean for the #EU Fintech Landscape?

    📍 What is the Digital Operational Resilience Act (DORA)?
    Cyberattacks on EU financial infrastructure more than doubled in 2023, and with the growth of AI, predictions point to a steady increase in cyberattacks in 2024. The thought of AI-powered cyberattacks is scary, and rightfully so. Cybersecurity is more important than ever, and digital resilience must be a top priority for European financial institutions. The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and will apply on 17 January 2025. DORA aims to ensure financial institutions such as banks, investment firms, trading platforms, among others, have a much more resilient and secure ICT infrastructure against potential cyber threats. DORA aims to prevent cases like the recent global IT outage.

    📍 What does DORA cover?
    First and foremost, the priority of the Digital Resilience Act is ensuring financial institutions’ ICT departments are resilient to these threats by focusing on several crucial areas such as:
    - ICT risk management: Institutions must account for their ICT department organisation, risk-management framework, protocols, and applications, among others.
    - IT third-party risk management: Financial institutions must monitor third-party risk and conduct analysis throughout the contract duration.
    - IT incident reporting: If an incident occurs, institutions must monitor, log, classify, and report the incident to the designated party.
    - Testing operational resiliency: Institutions must create testing programmes and constantly monitor their IT security resilience to establish a risk base.
    - Information exchanges: The DORA Act encourages financial institutions to share information and intelligence on cyber threats by notifying the authorities.

    📍 How will DORA impact the EU #fintech landscape?
    There are events most organisations don't plan for — from internet or electricity shortages to even cyberattacks as DORA wants to prevent. Creating a sturdy ICT security practice takes time and effort, but it also creates business resiliency and stability, which are very important but sometimes easily dismissed. New regulations always lead to challenges, like the MiCA Act, for example, which made crypto platforms just as compliant as any other financial platform. DORA will force management to take a much more proactive stance and constantly stress-test their IT operational resiliency. Conversely, fintech managers must ensure suppliers and business partners take their IT security seriously with their third-party risk management.

    Source: Louis Thompsett & FinTech Magazine
    Learn more: https://lnkd.in/dWBwD4Cy
