The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. Following on to a long list of international regulations, DORA aims to help strengthen digital resiliency especially for the financial sector.
What does DORA cover?
As is made obvious by the body of the resolution’s text, DORA is focused primarily around what the official language calls ICT – information and communication technology. The different aspects of the act are slowly coming into effect in a rolling fashion, with the last – an oversight framework for critical ICT third-party providers – coming into power in 2025. The majority of the concerns involve risk management, oversight and analysis, and incident reporting.
ICT Risk Management
The proposals set requirements on risk management frameworks; ICT systems have to be resilient, with systems and tools in place to identify and mitigate risk. Prompt detection of any anomalies has to be ensured, ideally through strict monitoring. Finally, comprehensive business continuity and disaster recovery plans have to be in place in order to assure a smooth and prompt recovery from ICT-related incidents or other data breaches.
Mandatory incident reporting
DORA calls for the establishment of a management process to log incidents touching on ICT. The actual criteria for this will be handled by European supervisory authorities, adding on to existing supervisory regulations on the financial sector and establishing the first communication specific one.
Third-party risk assessment
The DORA seeks to ensure that contracts with ICT third-party providers contain all the necessary monitoring and accessibility details such as a full service level description, indication of locations where data is being processed, etc.
How do I start preparing for DORA?
Financial institutions have one year to reach a compliant status with the regulation’s requirements in a way that is proportionate to their size and business profile. For some, the effects will be minimal. Other institutions identified as more at-risk will need to take specialized steps, such as conducting advanced penetration tests (red or purple team assessments) to help guarantee their system security.
For still more organizations, the impact will be on their existing ICT infrastructure including currently implemented systems; with harsher requirements on monitoring, security, and reporting, some existing systems may no longer be in compliance. This affects a variety of systems, but especially archive and backups; these are on the one hand now mandated (both by existing legislation and by the new DORA requirement for disaster recovery plans, of which backups are a key component). On the other hand, the harsher measures mean that these systems may no longer pass muster and their users will be forced to seek replacements.
Ensure peace of mind with contentACCESS
TECH-ARROW’s contentACCESS Archive and Backup can offer a tried and proven solution in this case: Our archive supports all retention and deletion policies and needs, allowing you to set comprehensive policies for all your data storage. We can help guarantee compliance with GDPR and all other major regulations including DORA. Let us help you establish disaster response and recovery, and boost productivity – all in one package.
In addition to meeting retention and data handling needs, our contentACCESS Archive’s flexible and comprehensive full-text search makes identification and retrieval of required information simple. The same search is accessible through any of our entry systems – our online web portal, our Outlook integration, and our mobile app. Thanks to this, we can help your company take your employee productivity and efficiency to greater heights, without compromising on security.
Do you want to learn more about contentACCESS and what it can do for your company? TECH-ARROW is here to help! Contact us and schedule a free meeting with our team of specialists to discuss how we can best set your business up for success.
Archive your communications with contentACCESS
