DORA Compliance Assessment

Understand your gaps and prioritize key requirements for DORA compliance with guidance from Kroll experts.

DORA is a new EU regulation designed to improve the cybersecurity and operational resilience of firms in the financial services sector, covering more than 22,000 financial entities and Information and Communications Technology (ICT) service providers operating within the EU.

The DORA regulation comes into force on January 17, 2025; by that date, state-level mechanisms are expected to be in place and financial entities will be expected to be compliant with the regulation.

Businesses may underestimate the amount of work required to become DORA compliant, and those based outside the EU may not realize that they also need to pay attention to the changes. This could put organizations at risk of failing to meet the new DORA requirements.

To prevent this and ensure that they are ready for the impending changes, businesses should take strategic action now.

Key Focus Areas of DORA Regulation

ICT Risk Management

Embed a comprehensive risk management framework for ICT systems.

ICT-Related Incident Reporting

Standardize the reporting of ICT-related incidents, with incident management processes and templates for reporting incidents.

Digital Operational Resilience Testing

Testing and assurance of technology resilience through a combination of techniques, and harmonization of the data collected by financial organizations.

ICT Third-Party Risk

Stricter controls and processes for third-party risk management and oversight.

Information Sharing

Mechanisms for sharing information on threat actor activity.

What is the difference between DORA and NIS2?

Organizations may find similarities between NIS2 and DORA given their shared focus on digital resilience; however, it is important to understand that there are key differences in scope and application:

Type
  NIS2: Directive – EU Member States are responsible for implementing national laws
  DORA: Regulation – directly applicable to financial services companies

Implementation Date
  NIS2: October 17, 2024
  DORA: January 17, 2025

Applies To
  NIS2: Critical sectors (energy, transportation, health, space, internet, etc.), MSPs and MSSPs in EU Member States
  DORA: Financial entities (banks, insurance, crypto, etc.) and ICT service providers in EU Member States

Overlap
  NIS2: Part of the broader cybersecurity regulatory framework
  DORA: Takes precedence where sector-specific rules apply (‘lex specialis’ exemption)

Areas of Focus
  NIS2: Strengthening overall security and incident reporting requirements
  DORA: Complements NIS2 by providing specific provisions around ICT frameworks, incident response and third-party ICT contracts

Testing Requirements
  NIS2: Variable depending on country
  DORA:
    • A range of assessments and tests every year
    • Threat-led penetration testing every three years

Incident Reporting
  NIS2:
    • An early warning within 24 hours
    • An incident notification within 72 hours
    • A final report within 1 month
  DORA: Classification of ‘major’ incidents, which are subject to the following:
    • An initial notification within 24 hours
    • An intermediate notification within 72 hours
    • A final report within 1 month

Navigating the Most Common Barriers to DORA Compliance

From our experience helping organizations in the financial services industry address cybersecurity, governance, risk and compliance challenges, we anticipate that businesses may underestimate the amount of work required for DORA compliance. More specifically, it is important to consider some of the most common challenges that will need to be addressed:


How Kroll Can Help You Achieve DORA Compliance

Kroll has a long track record of working with financial institutions to enable them to achieve their security and regulatory goals. We draw on the knowledge of Kroll experts, including former DORA consultation group members and former SEC, FCA and AMF regulators, along with frontline intelligence from thousands of incident response cases a year, to provide in-depth support and help your organization prepare for and fully meet DORA requirements.

Key Outcomes:

Understand Key Gaps in Your DORA Compliance

A quantitative measure of your DORA compliance status, highlighting key weaknesses, produced by carrying out a gap assessment of operational resilience against DORA and RTS standards.

Have a Clear Path to DORA Compliance While Reducing Longer Term Risk

A clear roadmap towards DORA compliance with priority tasks and timeframes. An action tracker with recommended owners is also provided to help stakeholders manage the project effectively.

Implement Solutions to Maintain Operational Resiliency

With our portfolio of advisory, transformation and managed services, we can assist you with the implementation of DORA-aligned policies and procedures, controls, testing and services across ICT risk management, incident management, business continuity, third-party risk management and digital resilience testing.

How it works:

Our four-phased approach helps organizations of all sizes address any stage of DORA compliance:

Planning

Our experts determine the ICT risk management framework that is applicable to your organization under DORA, for example, whether we need to apply the full scope, a simplified framework or a microenterprise regime.

Assessment

Having determined the appropriate framework, our consultants conduct a gap assessment covering the core DORA requirements and draft RTS. By leveraging our own risk analysis tooling and experience of supporting financial services firms with operational resilience programs, we provide a clear risk rating against DORA requirements, whilst giving a quantitative measure of compliance status.

Roadmap

Following the assessment, we provide you with a roadmap report along with an action tracker for effective project management, including:

  • Target levels of compliance and maturity in each assessment area
  • Actionable tasks with effort ratings
  • Reasonable timeframes for completion of individual tasks
  • Recommended task owners

Implementation

Having identified the key DORA compliance gaps, Kroll can assist with implementing repeatable, evergreen programs and software, drawing on our comprehensive portfolio of industry-leading services to take you beyond DORA compliance alone and towards sustainable operational resilience as new regulations and threats evolve. Our offerings include:

  • Program Design and Assessments
  • Business Continuity/Disaster Recovery
  • Security Risk Assessments (Software Supply Chain, Cloud, SDLC, Compliance etc.)
  • Third-party Risk Management (Due Diligence Assessments, Third Party Monitoring, Contractual Risk Review etc.)
  • Managed Detection and Response
  • Threat-Led Penetration Testing/Red Teaming
  • Threat Intelligence Assessment
  • Vulnerability and Penetration Testing
  • Implementation of Governance, Risk and Compliance software

DORA Compliance Assessment in Your Cyber Risk Retainer

Our DORA Compliance Assessment, along with many other cybersecurity and compliance services, can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer. In addition to prioritized access to Kroll’s elite digital forensics and incident response team ahead of and in the event of an incident, the Retainer can also be used for services like penetration testing, risk assessments and tabletop exercises to name just a few.

Why Kroll?

  • Ex-DORA and Financial Services Regulatory Experts

Our team consists of experts involved in the preparatory consultation work that led to DORA, as well as former FCA, SEC and AMF regulators with a deep understanding of the legislation and standards relevant to your industry, providing real insight and value.

  • Experienced, Accredited Cybersecurity Professionals

700+ skilled and certified cybersecurity experts across the globe, experienced not only in helping clients comply with multiple regulations but also in keeping them resilient ahead of the changing threat landscape.

  • Solutions Across the DORA Maturity Lifecycle

Our solutions can address all aspects of DORA compliance and maturity, from assessing all possible gaps and weaknesses and advising on remediation with our consultancy expertise, to implementing the right controls and providing remote-managed services.

  • Unrivalled Frontline Intelligence

With unrivalled exposure to thousands of incident response cases each year, we know what’s needed to stay resilient to cyber threats.

  • Fast Implementation, Built on Previous Engagements

We leverage our 50+ DORA-tailored policies and procedures templates to provide immediate value as we roll out your tailored program.

Talk to a Kroll Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page. 
