What is the scope of DORA?
The foundation is laid down in the ICT risk management framework (Chapter II). The framework must encompass the strategies, policies, procedures, ICT protocols, and tools essential for the proper protection of information assets and ICT assets. This includes safeguarding computer software, hardware, and servers, as well as protecting the relevant physical components and infrastructures, such as premises, data centres, and sensitive designated areas. The primary objective is to ensure comprehensive protection of all information assets and ICT assets against risks, including damage and unauthorised access or usage.
The ICT risk management framework must also encompass mechanisms for detection, response, and recovery, interlinked with the second pillar – ICT-related incident management (Chapter III). This section focuses on evaluating current measures for recognizing, categorizing, and reporting IT-related incidents to assess the need for modifications to existing procedures and potential investments in additional tools.
The digital operational resilience testing programme (Chapter IV) must also be integrated into the ICT risk management framework. Its aim is to assess readiness to deal with ICT-related incidents, to identify weaknesses, deficiencies and gaps in digital operational resilience, and to take prompt corrective action. The programme involves conducting various tests, including vulnerability assessments, scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.
Moreover, certain financial entities are obligated to undergo advanced testing of their ICT tools, systems, and processes through Threat-Led Penetration Testing (TLPT). Entities subject to this requirement will be identified by the competent authorities.
Finally, within the ICT risk management framework, the policy for managing third-party ICT risk (Chapter V) must be incorporated. This involves evaluating the services offered by ICT third-party service providers to ascertain whether additional regulatory and control measures are necessary concerning the current third-party IT providers.
Several standards, aiming to provide more detailed insights into the requirements of DORA, are still in the negotiation phase – the regulatory technical standards (RTS) and the implementing technical standards (ITS). The challenge is to prepare for full compliance with the Regulation while awaiting further clarification on many crucial issues.
Despite the seemingly long timeframe of one year, it is prudent to start preparations now, even though the RTS and ITS are yet to be adopted. Once these standards are officially approved, existing policies can be adjusted to align them with the newly specified requirements.
DORA places responsibility on the management of financial institutions, requiring them to play a central and active role in guiding and adapting the ICT risk management framework and overall digital operational resilience strategy.