DORA Compliance Checklist

The Digital Operational Resilience Act (DORA) aims to boost IT security in the EU’s financial sector. It sets requirements for managing technology risks, ensuring continuity, and safeguarding data. 

These measures ensure continuity in critical business operations and help companies withstand and recover from ICT-related disruptions. However, many organizations struggle with DORA’s complex requirements. They often lack clear guidance on where to begin. 

This DORA checklist will help organizations identify potential vulnerabilities, mitigate risks, and implement necessary measures to meet DORA’s rigorous standards.

Key steps to comply with DORA

To effectively comply with DORA, read the regulatory text and the European Supervisory Authorities (ESAs) guidelines. A thorough understanding of the regulation will make the compliance process smoother and more manageable.

All organizations subject to DORA must:

• Ensure operational resilience through risk management measures.
• Identify, assess, and mitigate ICT (Information and Communication Technology) risks.
• Maintain a comprehensive ICT security framework.
• Ensure business continuity in the event of an ICT failure.

Determine if DORA applies

• Review Article 2 of the DORA legislation to confirm whether your organization qualifies as an in-scope entity, such as a financial institution or a critical ICT service provider to a financial institution.

If your organization falls under any of these categories, proceed to step one.

Also read: Streamlining compliance: DORA’s path to cyber resilience

Step 1: ICT risk management

To ensure compliance with DORA, financial institutions must focus on managing ICT risks across their operations. The following steps are essential:

• Document critical ICT assets and business functions: Identify and classify critical ICT assets based on their importance to business operations and regulatory compliance.
• Conduct a gap analysis: Assess exposure risks, vulnerabilities, and weaknesses in security defenses that could impact the integrity, availability, and security of ICT systems and services.
• Define risk appetite and tolerance levels: Establish detection thresholds and processes that align with the institution’s desired risk tolerance, ensuring appropriate risk management.
• Ensure resilience of business-critical systems: Implement measures to secure critical ICT systems and data, ensuring they are available, backed up, and recoverable in the event of failure.
• Establish a continuous learning cadence: Regularly review and update the ICT risk management framework to adapt to emerging risks and evolving regulatory requirements.

Technical controls:

Financial institutions must implement specific technical measures to secure their ICT systems and data:

• Implement technical security measures: Apply appropriate technical controls to safeguard ICT systems, including encryption, strong access management, multi-factor authentication (MFA), and network security protocols.
• Regularly assess and update security measures: Continuously review and enhance security measures in response to emerging risks and cyber threats. This may include firewall updates, intrusion detection systems (IDS), and anti-malware defenses.
• Conduct security audits and penetration testing: Perform regular audits and simulated attacks (e.g., penetration testing) to identify vulnerabilities within the ICT infrastructure and take corrective actions to mitigate risks.
• Establish and maintain an ICT Risk Management Framework: Develop and maintain a comprehensive ICT governance framework that defines roles, responsibilities, and processes for managing ICT risks, ensuring that all staff are aligned with DORA’s resilience objectives.

Third-party service providers supplying essential services to financial institutions also adhere to similar risk management practices and technical controls. 

Step 2: ICT-related incident management, classification, and reporting

Financial institutions must implement and maintain comprehensive systems for managing ICT-related incidents, ensuring resilience and regulatory compliance.

1. Establish an incident management strategy:

Develop a strategy integrating technology, people, and processes to handle ICT incidents and cyber threats effectively.

2. Streamline incident detection and classification:

Implement clear procedures for detecting and classifying incidents, including specific information-gathering requirements and a reporting cadence.

3. Define thresholds for incident classification:

Set criteria to categorize incidents as minor, major, or critical based on impact, downtime, and affected services.

4. Define cyber threat categorization and impact analysis:

Evaluate cyber threats’ likelihood and business impact, especially on critical financial systems and services.

5. Harmonize ICT management processes:

Continuously review and optimize incident management, classification, and reporting processes to ensure they remain effective.

6. Maintain documentation and retention:

Retain records of incidents, risk management actions, and compliance measures for at least five years or as required by DORA.

Ensure documentation is accessible for regulatory inspections and audits.

7. Incident reporting and notification:

Establish a clear process for reporting ICT-related incidents and notifying competent authorities of significant incidents within the required timeframes.

8. Maintain detailed records:

Keep detailed records of incidents, including actions to resolve them, follow-up measures, and lessons learned.

9. Business continuity and disaster recovery:

Implement Business Continuity Plans (BCPs): Develop and implement BCPs for critical ICT systems and processes.

Establish Disaster Recovery Plans (DRPs): Ensure DRPs are in place for rapid recovery after ICT disruptions.

Regularly test BCPs and DRPs: Conduct regular tests to verify the effectiveness of continuity and recovery plans.

10. Financial-specific incident management protocols:

Financial institutions should implement protocols specific to the financial sector to manage risks and comply with ICT incident regulations, including DORA and PSD2.

Third-party providers play a key role in financial institutions’ operational resilience. They must also develop and follow similar plans. These plans must be regularly tested. They should also notify financial institutions of incidents and collaborate on cyber threat analysis to ensure risk management transparency.

Step 3: Digital operational resilience testing

Financial institutions must adhere to specific DORA-compliant testing requirements to ensure their ICT systems and security measures meet operational resilience standards, reflecting the critical nature of their services.

1. Define the scope of DORA testing:

Identify the systems, tools, protocols, processes, and attack surfaces that need to be tested for operational resilience and security.

Ensure that all financial systems, including payment systems, transaction infrastructures, and customer data protection mechanisms, are part of the testing scope.

2. Conduct regular DORA-compliant resilience testing:

Implement regular resilience testing that meets DORA-specific requirements. This may involve more frequent or stringent testing due to the importance of their operations and customer data.

3. Test operational resilience in the context of financial services:

Tailor resilience testing to address the unique risks within the financial industry, including threats related to financial transactions, customer data protection (e.g., PSD2 compliance), and the stability of financial services.

4. Engage in Threat-Led Penetration Testing (TLPT):

Engage in TLPT to simulate advanced, targeted threats aimed explicitly at financial systems such as payment infrastructure, trading platforms, and financial transaction systems.

TLPT should assess vulnerabilities that could directly impact financial services’ security and operational resilience.

5. Adhere to regulatory reporting after testing:

After conducting resilience testing, financial institutions must report the results and any vulnerabilities to regulatory authorities. They must also share their mitigation strategies in compliance with DORA and any additional industry-specific regulations.

Critical third-party service providers supporting financial institutions must follow similar practices. They must collaborate closely with third-party ICT service providers to improve risk analysis, refine testing procedures, and establish communication practices that ensure alignment on resilience goals.

Step 4: ICT third-party risk management

Financial institutions must manage third-party risks rigorously to ensure compliance with DORA and other financial industry regulations. This includes assessing and monitoring third-party providers that support critical financial services.

1. Create a third-party ICT service provider register:

Maintain an up-to-date register of all third-party ICT service providers, identifying the associated risks they may pose to business continuity and resilience.  

2. Ensure third-party compliance with DORA and financial regulations:

Financial institutions must ensure that their third-party ICT service providers comply with DORA’s operational resilience requirements as well as financial sector-specific regulations, such as those concerning payment security and customer data protection.

3. Conduct enhanced third-party risk assessments:

Perform detailed risk assessments of third-party ICT providers, focusing especially on critical services like payment systems, cloud services, and cybersecurity. These assessments should address potential vulnerabilities, service disruptions, and compliance failures.

4. Incorporate financial sector-specific resilience requirements in contracts:

Contracts with third-party service providers must explicitly outline financial industry-specific regulations and resilience requirements, including those related to payment security, transaction processing, customer data protection, and regulatory reporting.

5. Conduct regular third-party resilience testing:

Include third-party vendors in regular resilience testing as part of the broader operational resilience framework. Regularly monitor the performance and compliance of third-party providers. 

Step 5: Information-sharing arrangements

Information sharing and governance arrangements are crucial to ensure compliance with DORA.

1. Ensure robust compliance management frameworks for DORA:

Financial institutions must ensure their Governance, Risk, and Compliance (GRC) teams are equipped to handle the specific requirements of DORA, including compliance with financial sector resilience standards. The GRC framework should integrate both operational and regulatory resilience requirements.

2. Share information within the financial sector:

Foster partnerships with other financial entities, regulators, and third-party vendors to exchange intelligence on ICT resilience, emerging threats, and compliance challenges. This collaborative effort strengthens sector-wide resilience.

3. Collaborate with specialized consultative partners:

Engage consultative partners with expertise in both DORA compliance and the financial sector’s specific regulations. This collaboration can help enhance operational security, especially in areas like transaction systems, customer data protection, and cyber resilience.

4. Compliance updates for the financial sector:

Stay informed on DORA’s evolving impact on financial institutions, including changes that may affect transaction systems, payment processing, and customer data security. Implement regular monitoring to ensure compliance with both general and financial-specific requirements.

5. Staff training on financial sector regulations:

Ensure staff are regularly trained on both general DORA compliance and specific financial regulations related to operational resilience. This training should include industry-specific scenarios, threats, and regulatory updates.

Critical third-party providers must ensure DORA compliance by sharing ICT risks, security vulnerabilities, and resilience practices with their clients. Service contracts should include clauses on incident reporting, disaster recovery, and risk management. 

Providers need to monitor their own compliance and performance, offering transparency and regular updates. They should collaborate with financial institutions to align resilience efforts and ensure coordinated risk management and testing.

Also read: DORA Steps: A Comprehensive Guide to the Digital Operational Resilience Act

Need help with DORA compliance?

The Scrut Platform can help you navigate DORA and other regulatory requirements efficiently. Here’s how our platform supports DORA compliance:

• Automates compliance tasks: Reduces manual processes, simplifying DORA management.
• Enhances risk management: Provides real-time visibility into risks and controls.
• Centralized platform: Manage DORA and other frameworks in one place.
• Continuous monitoring: Keeps you up-to-date on evolving DORA requirements.
• Simplified reporting: Generates clear, audit-ready compliance reports.

With Scrut, you can stay compliant, strengthen your operational resilience, and confidently prepare for audits. Get in touch to learn more. 

FAQs