Digital Operational Resillience Act (DORA)
The Digital Operational Resilience Act (DORA) was officially adopted in December 2022 and is set to be enforced from January 2025. DORA was created in response to the growing digitalisation of financial services and the increasing frequency and sophistication of cyber threats. The primary goals are to:
- Enhance the operational resilience of financial entities
- Ensure the integrity, security, and continuity of critical operations
- Provide a unified regulatory framework across the EU, reducing fragmentation and enhancing cooperation among member states
“Oh no, not another one! Do I need to comply?!”
We get it! You already comply with ISO 27001, you have Cyber Essentials Plus, SOC 2, PCI, the list goes on, and here comes another compliance requirement.
If you’re a UK-based company that provides services to EU-based financial entities, a UK Financial entity that operates in the EU or a UK subsidiary of an EU based firm then you would likely need to comply.
But there is some good news. We believe DORA is a well written regulation with an emphasis on taking a risk based approach. The articles focus on sensible requirements that will help financial services and their critical suppliers keep peoples and countries resources safe.
How we help you comply
Step 1 - Assess your risk
Let’s keep things real! We don’t want you to fix a £1 problem with a £1000 solution and neither does DORA. We will either use your existing risk asessment or conduct our own quantified risk analysis in order to ensure that the actions we provide you with to comply with the rules detailed in DORA are proportionate to your size and risk.
Our risk assessment will also help us understand the controls you already have in place and the effectiveness of those controls against the requirements in DORA.
Step 2 - Understand the gap
Work smart, not hard! Remember all those accreditations we mentioned above? Well they are all time well spent.
We understand where DORA requires you to go above and beyond, this information combined with everything we learnt at the risk analysis stage means we can focus on the areas that we believe will need an uplift, conduct an efficient gap analysis and give you clear achievable actions, which when complete will help you prove compliance.
Step 3 - Doing what needs to be done
We don’t like nasty surprises and we doubt you do too. That’s why we communicate our findings to you regularly throughout the gap analysis exercise.
Our approach is to allow you to have constant access to the gap analysis workbook so you can see our methodology and detail, summarise our findings, convert them into actions, feed them back weekly and give you the advice you need to get stuff done.
That way, by the end of the engagement you can already be well on your way to blissful compliance!
Step 4 - Evidence baked in
At each stage we keep tabs on your compliance and how you can evidence it. That way, when we finish, you will have an evidence register linking to your controls and the evidence we have seen to the rules detailed in DORA. Your action plan will do the same.
No more scrambling. No more trying to find evidence at the last minute. Just “here you go dear auditor, everything you need is in this register”. Happy auditor, happy life. You’re welcome :-)