WHAT IS IT
The Digital Operational Resilience Act, or DORA, is Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector. The Regulation amends Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance).
The DORA Regulation, which entered into force on 16 January 2023, establishes a set of binding and comprehensive requirements relating to information and communication technology (ICT) risk management that financial entities and their critical suppliers must implement in their ICT systems by 17 January 2025.
The European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), have defined the technical standards in detail: the Regulatory Technical Standards (RTS) and the Implementing Technical Standards (ITS).
How can CSQA help your company comply with the DORA Regulation?
TRAINING AIMED AT TOP MANAGEMENT
In the initial phase, CSQA training is aimed at Top Management, in order to:
- provide a comprehensive understanding of the DORA Regulation and its impacts on cybersecurity for financial organizations,
- create awareness regarding the responsibilities of management (accountability),
- understand the scope of the regulation, evaluate its impact on the operations of financial organizations and implement effective strategies to ensure compliance,
- know any sanctions applicable in case of non-compliance.
GAP ANALYSIS
Through the use of a specifically designed checklist, CSQA defines the level of compliance of the organization with respect to the following reference standards:
- DORA Regulation,
- RTS and ITS for implementation of the DORA regulation,
- ISO 27001:2022 and ISO 22301.
The carrying out of the activity includes:
- the verification of the existing documentation and the adequacy and efficiency of the cyber policies adopted by the client financial organization,
- interviews with the staff involved on both organizational and technological aspects,
- identification of the cybersecurity positioning of the client financial organization,
- identification of any eligible exclusions to be documented,
- identification of gaps to be resolved in the face of any critical issues and non-conformities.
Deliverables:
- report of the level of adequacy of regulatory requirements and security controls,
- list of areas for adaptation and improvement.
REMEDIATION PLAN: RISK ANALYSIS, POLICY AND PROCEDURES, TECHNOLOGICAL COUNTERMEASURES
Based on the gaps highlighted by CSQA, the client financial organization defines a remediation plan to mitigate them.
GAP ANALYSIS FOLLOW UP
Once the client financial organization has implemented all the countermeasures, CSQA carries out a follow-up activity on the gaps highlighted in the first phase and returns a report describing the client financial organization's new cybersecurity posture.
Deliverables: report on the adequacy of the improvement actions implemented.
CYBER TRAINING FOR ALL STAFF
While in the first phase CSQA training is aimed at Top Management and the first management levels, in the second phase the training is addressed to all staff, with the aim of giving participants practical skills to evaluate and deal with the cybersecurity risks arising from threats to financial organizations and to their third-party suppliers.
INTERNAL AUDIT MONITORING
The client financial organization independently monitors the processes and procedures implemented by the interested parties.
VERIFICATION OF THE CYBER SECURITY OF THE SUPPLY CHAIN
The national strategy for the cybersecurity of financial organizations provides for the verification of the cybersecurity of third-party suppliers used for the procurement of ICT products and services.
CSQA carries out second-party audits with the aim of verifying that the supplier:
- complies with the cybersecurity requirements established in the contract,
- defines information security requirements,
- ensures the protection of the organization's assets to which it has access,
- formalizes contractual documents in which the required security requirements are set out.
CSQA carries out both a verification of the existing contractual documentation, by means of a document inspection, and a field audit at the supplier's premises, which also includes interviews with the personnel involved, with the aim of verifying compliance with the cyber policies defined by the client in the contractual phase. The output of the inspection activities highlights the supplier's level of compliance with the stipulated contract and with the cyber policies and procedures shared at the signing of the contract.
ISSUE OF ISO 27001 AND ISO 22301 CERTIFICATIONS
CSQA emphasises the importance of certification according to the two standards ISO/IEC 27001 and ISO 22301, which, in addition to facilitating compliance with NIS 2 requirements, more generally represent for customers a framework available to organizations to deal with, and above all prevent, ever-evolving cyber risks.
The ISO 27001 and ISO 22301 certifications are not mandatory but represent tangible proof of compliance in terms of the adequacy of the technical and organizational measures adopted with a view to IT resilience.
Check if the DORA Regulation applies to your organization