DORA is a new EU regulation designed to improve the cybersecurity and operational resilience of firms in the financial services sector, covering more than 22,000 financial entities and Information Communications and Technology (ICT) service providers operating within the EU.
The DORA regulation comes into force on January 17, 2025, with state- level mechanisms expected to be in place and financial entities will be expected to be compliant with the regulation.
Businesses may underestimate the amount of work required to become DORA compliant, and those based outside the EU may not realize that they also need to pay attention to the changes. This could put organizations at risk of failing to meet the new DORA requirements.
To prevent this and ensure that they are ready for the impending changes, businesses should take strategic action now.
ICT Risk Management | ICT Related Incident Reporting | Digital Operational Resiliency Testing | ICT Third-Party Risk | Information Sharing |
---|---|---|---|---|
Embed a comprehensive risk management framework for ICT systems. | Standardize reporting of ICT related incidents. Incident management processes and templates for reporting of incidents. | Testing and assurance of technology resiliency through a combination of techniques and harmonization of data collected by financial organizations. | Stricter controls and processes for third-party risk management and oversight. | Mechanisms for sharing information on threat actor activity. |
Organizations may find similarities between NIS2 and DORA given its focus on Digital Resilience, however, it is important to understand that there are key differences in terms of scope and application:
NIS2 | DORA | |
---|---|---|
Type | Directive – EU Member States are responsible for implementing national laws | Regulation – directly applicable to financial services companies |
Implementation Date | October 17, 2024 | January 17, 2025 |
Applies To | Critical Sectors (energy, transportation, health, space, internet etc.), MSPs, MSSPs in EU Member States | Financial Entities (banks, insurance, crypto, etc.) and ICT service providers in EU member states |
Overlap | Part of the broader cybersecurity regulatory framework | Takes precedence where sector-specific rules apply (‘Lex Specialis’ exemption)
|
Areas of Focus | Strengthening overall security and incident reporting requirements | Complements NIS2 by providing specific provisions around ICT frameworks, incident response and third-party ICT contracts |
Testing Requirements | Variable depending on country |
|
Incident Reporting |
| Classification of ‘major’ incidents and subject to the following:
|
From our experience of helping organizations in the financial services industry in addressing cybersecurity, governance, risk and compliance challenges, we anticipate businesses may underestimate the amount of work required for DORA compliance. More specially, it’s important to consider some of the most common challenges that will need to be addressed:
Kroll has a long track record of working with financial institutions to enabling them to achieve their security and regulatory goals. We leverage knowledge of Kroll experts who are our expertise consisting of former DORA consultation group members and former SEC, FCA and AMF regulators, along with our frontline intelligence from thousands of incident response cases a year, to provide in-depth support and help prepare your organization prepare for and to fully meet DORA requirements.
Understand Key Gaps in Your DORA Compliance | Have a Clear Path to DORA Compliance While Reducing Longer Term Risk | Implement Solutions to Maintain Operational Resiliency |
---|---|---|
Quantitative measure of DORA compliance status highlighting key weaknesses by carrying out a gap assessment of operational resilience with DORA and RTS standards | Clear roadmap towards DORA compliance with priority tasks and timeframes. An action tracker is also provided with recommended owners to help stakeholders for effective project management | With our portfolio of advisory, transformation and managed services, we can assist you with the implementation of DORA-aligned policies and procedures, controls, testing and services across ICT risk management, incident management, business continuity, third-party risk management, and digital resiliency testing |
Our DORA Compliance Assessment, along with many other cybersecurity and compliance services, can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer. In addition to prioritized access to Kroll’s elite digital forensics and incident response team ahead of and in the event of an incident, the Retainer can also be used for services like penetration testing, risk assessments and tabletop exercises to name just a few.
Our team consists of experts involved in the preparatory consultation work that led to DORA as well as former-FCA, SEC and AMF regulators with a deep understanding of relevant legislation and standards in your industry to provide real insight and value.
700+ skilled and certified cybersecurity experts across the globe, experienced in not only helping clients comply with multiple regulations but staying resilient ahead of the changing landscape.
Our solutions can address all aspects of DORA compliance and maturity; from assessing all possible gaps/weaknesses and advising on remediation with our consultancy expertise to implementing the right controls and providing remote- managed services.
With unrivalled exposure to thousands of incident response cases each year, we know what’s needed to stay resilient to cyber threats.
We leverage our 50+ DORA-tailored policies and procedures templates to provide immediate value as we roll out your tailored program.
Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.
End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.
End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.
Manage cyber risk and information security governance issues with Kroll’s defensible cyber security strategy framework.
Proactively identify your highest-risk exposures and address key gaps in your security posture. As the No. 1 Incident Response provider, Kroll leverages frontline intelligence from 3000+ IR cases a year with adversary intel from deep and dark web sources to discover unknown exposures and validate defenses.
Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
by Grainne O' Farrelly, Hannah Rossiter, Eoin Devlin
by Colleen Corwell, Hannah Rossiter, Alasdair Putt, Eoin Devlin, Rose Kaufman, Dimitri Parraud, Ana D. Petrovic, Andrew Poole, Rajiv Philip, Gurpreet Kaur, Josh Parker, Karar Kadhim, Kyle Larson
by Aaron Weiss, Colleen Corwell, Hannah Rossiter, Eoin Devlin, Rose Kaufman, Ana D. Petrovic, Andrew Poole, Alasdair Putt, Josh Parker, Rajiv Philip, Amrita Michael