Security & Compliance
Be proactive with DORA compliance
Ensure compliance with the EU's Digital Operational Resilience Act by January 2025 with VENZO's proactive, sensible, and proportional approach.
DORA will add to the regulatory workload of most financial institutions.
The European Commission introduced the Digital Operational Resilience Act (DORA) to set a baseline for digital resilience for financial entities. Financial entities will have to comply with new obligations, including maintaining third-party risk management as well as ensuring updated routines for incident reporting.
If you need or want to ensure DORA compliance, VENZO can help build out your current security controls, whatever your point of departure, by re-using and re-thinking existing controls so that the DORA requirements are implemented quickly and efficiently.

Our approach to DORA in a nutshell
Be proactive. Be sensible. Be proportional.
Define your maturity baseline
Establish the current maturity level and decide on what level of maturity you want your organisation to achieve, using a relevant framework (ISO 2700x / CIS).
Gap analysis & Planning
Establish the current maturity level and decide on what level of maturity you want your organisation to achieve.
Remediation
Closure of identified gaps through creation of relevant documentation and planning of organizational implementation.
Proportional implementation
Organizational implementation and anchoring of updated policies, processes & procedures – relying on the proportionality principle (Art. 4 of DORA).
Get people on board
Anchor updated policies, processes, and security measures in the organization, so employees are familiar with the rules and requirements.
ICT Governance / Monitoring
Design, assign and maintain accountability for developing and maintaining your DORA risk management framework, as well as for the approvals, controls and reviews that complement, for example, ICT audit plans.
What are your blind spots? What are you missing? Where should you start?
Relevant sectors and industries
DORA applies to all financial entities listed here. However, entities not directly named under DORA may be part of a supply chain with an in-scope entity, and may therefore be required to implement some or all of DORA's requirements.

Financial Entities
All Financial Entities – meaning ANY company that provides financial services including:
- Banks / Payments / e-money providers, for example…
- Insurance providers / Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Capital markets entities
- Brokers / Central Securities Depositories / Central Counterparty Clearing parties, for example…
- Investment Firms
- Pension Funds / Institutions for occupational retirement pensions
- Credit Institutions / Credit rating agencies
- Trading venues / Trade repositories
- Crypto-asset service providers, issuers of crypto-assets, issuers of asset-referenced tokens and issuers of significant asset-referenced tokens
- Management companies of alternative investment funds
- Financial Management companies

ICT Service Providers
Any critical ICT service provider* to financial entities, including:
- Cloud providers / SaaS / outsourcers
- Software providers
- Critical Independent Software Vendors & Systems integration providers
- GRC / Risk management providers
- Fraud management providers
- Penetration testing providers
- Collaborative tools providers
- Data storage providers
- Information management systems / CRM solution providers / Administrators of critical financial benchmarks
- Payment solution providers
- ICT third-party service providers
- Data reporting service providers
*) The European Supervisory Authorities (ESAs) will designate and annually update a list of the ICT third-party service providers that they view as critical for financial entities.
VENZO can assess and help implement all requirements
DORA Requirements
Risk Management
Re-use and re-purpose existing risk management processes, but make sure you have a process for continuous risk identification and mitigation, using controls such as business continuity plans (BCP) and disaster recovery plans (DRP).
Incident Reporting
Implement processes to ensure consistent and integrated monitoring, handling and follow-up of ICT-related incidents, including the identification and eradication of root causes.
Digital Operational Resilience Testing
Plan periodic assessments to identify weaknesses, deficiencies and gaps, and implement corrective measures to address them. Specific attention must be given to threat-led penetration testing (TLPT).
Contract Compliance
Manage ICT third-party risk throughout the lifecycle, from contracting until termination and post-contractual stages.
Information intelligence
Share information and collaborate with peer organizations to raise awareness. Take advantage of the fact that DORA gives financial entities the possibility to exchange cyber threat information and intelligence.
ICT Governance / Monitoring
This includes designing, assigning and maintaining accountability for the development and maintenance of the DORA risk management framework, approvals, controls, audit plans, etc. It isn't, strictly speaking, a DORA requirement, but it is necessary for a successful implementation.

Don’t waste time or resources on over-implementation. Be proactive, be sensible, and be proportional in your approach to DORA.
Book a free 30-minute strategy session with VENZO to learn more about our approach to DORA and what you need to do to become compliant.
VENZO’s security and compliance services offer our clients an end-to-end approach to advising, implementing and anchoring security and privacy initiatives.