What is DORA and who does it affect?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that aims to strengthen digital operational resilience in the financial sector; it has applied since 17 January 2025. Resilience here means the ability to keep delivering services and to respond quickly to incidents such as cyberattacks or IT failures. DORA applies to a broad range of financial entities, such as banks, insurance companies, investment firms and payment institutions, and also brings their ICT third-party service providers into scope, with the most critical providers placed under direct supervisory oversight. The aim is to harmonize ICT security requirements and reduce the fragmentation of rules across EU member states.
What are the requirements of DORA?
DORA sets out five key requirements:
a) ICT risk management: Companies must introduce a robust ICT risk management framework that identifies and assesses risks and implements measures to reduce them. This covers both preventive controls and the ability to detect, respond to and recover from incidents.
b) Reporting of ICT-related incidents: Incidents must be classified according to common criteria, and major incidents must be reported to the competent authority. Standardized processes are needed so that the initial notification, the intermediate report and the final report can be delivered within the prescribed deadlines.
c) Testing of digital operational resilience: Regular testing is mandatory. ICT systems supporting critical or important functions must be tested at least yearly, and entities designated by their authority must additionally undergo threat-led penetration testing (TLPT) at least every three years. These tests are intended to demonstrate that ICT systems and processes withstand realistic attacks.
d) Management of ICT third-party risk: Companies must put strict controls and contractual requirements in place with their ICT service providers so that those providers also meet the DORA standards. This includes audit and access rights, exit strategies and maintaining a register of information on all contractual arrangements with ICT third-party providers.
e) Information sharing: Financial entities may exchange cyber threat information and intelligence within trusted communities and with authorities in order to collectively protect themselves against cyber threats.
What impact does DORA have on companies?
Companies in the financial sector must significantly expand their IT security strategies. Beyond the technical infrastructure, this also affects governance: the management body carries ultimate responsibility for ICT risk, so control systems and regular risk reviews must be established at board level. For IT decision-makers, this means that both staffing and technical resources must be strengthened in order to meet the requirements. The management of third-party service providers in particular will play a greater role, since outsourcing risks are often neglected. The emphasis on regular testing and incident reporting means that IT decision-makers must ensure contingency plans are not merely theoretical but have been exercised in practice.
What are the penalties for violating DORA?
The penalties for breaches of DORA are laid down by the member states and may include both administrative and, where national law so provides, criminal sanctions. Companies that fail to report on time or do not comply with the ICT security requirements can expect severe fines, scaled to the severity of the breach and the economic damage caused. DORA requires that sanctions be effective, proportionate and dissuasive. Critical ICT third-party providers can additionally be subject to periodic penalty payments imposed by their Lead Overseer. For IT decision-makers, this means that compliance must be integrated into the corporate strategy as a priority in order to avoid high fines.
What does the implementation of DORA look like in practice?
In practice, companies need to fundamentally review their IT systems and processes. This begins with the introduction of an ICT risk management framework that covers not only the company's own IT infrastructure but also outsourced services. A structured plan for regular security testing must be established, covering both internal systems and third-party providers. A particular focus is the creation and maintenance of business continuity plans, ICT response and recovery plans and communication strategies, so that the company can react quickly and effectively in a crisis. IT decision-makers must work closely with the legal and compliance departments to ensure that all regulatory requirements are met. DORA brings greater accountability for IT security to all levels of the financial sector, and IT decision-makers are expected to ensure continuous operation through appropriate prevention and recovery measures.