Enhancing the digital landscape with EU's DORA
Digital Operational Resilience Act
- Offers a framework for enhanced security to institutions dealing with sensitive data.
- Increases understanding of how to withstand and prevent cyber threats.
- Minimises risks related to the IT infrastructure through continual improvement.
An Introduction to the Digital Operational Resilience Act
In today’s world, cybersecurity is an important aspect of many institutions’ day-to-day operations. The Digital Operational Resilience Act, called DORA in short, looks at enhancing cybersecurity to make the digital landscape of agencies dealing with sensitive data safer.
The Digital Operational Resilience Act (DORA) is part of the European Union’s efforts in making institutions, especially those in the financial sector, digitally safer. Through DORA, institutions can better understand the various types of IT-related threats, risks and disruptions and get a more objective view of how to prevent and mitigate certain cyber threats.
The new set of regulations bundled with the Digital Operational Resilience Act (DORA) was launched on the 17th of January 2023 and will come into effect on the 17th of January 2025.
What are the pillars of DORA?
The Digital Operational Resilience Act (DORA) will help financial firms, amongst other institutions which deal with sensitive data, to identify IT-related risks, take preventive action and enhance measures to withstand any risks that might bypass existing security measures.
ICT RISK MANAGEMENT REQUIREMENTS
ICT risk management requirements revolve around identifying business functions and determining what type of information assets are needed to support these functions. As an organisation, the best possible actions must be taken to ensure that such assets are protected. Given that DORA is a framework for the prevention of incidents, there is also a focus on detecting anomalous activities, ideally before an incident occurs. The Digital Operational Resilience Act also asks organisations to maintain adequate communication with the relevant stakeholders, including clients, should recovery strategies need to be invoked.
ICT INCIDENT REPORTING
The Digital Operational Resilience Act (DORA) seeks to make incident reporting more streamlined through a rigorous process that tackles the how-to for monitoring, reporting and classifying all IT based incidents. DORA seeks to make this possible through a management process that will follow criteria set out by regulatory bodies.
DIGITAL OPERATIONAL RESILIENCE TESTING
Hiring a third-party company to perform a vulnerability assessment or a penetration test is critical for shedding light on any weaknesses within the systems of the organisation. To do this effectively, DORA strongly recommends that ICT testing tools are used to assist with penetration testing and that the testing is based on the risks and threats the entity actually faces. Moreover, resilience testing requires that the parameters for success are tailored to the entity's size and its respective risk profile. Note that a penetration test is to be carried out at least once every 3 years.
ICT 3RD PARTY RISK MANAGEMENT
An extremely important part of ISO 27001:2022, as defined within the Annex A controls, is the management of third parties. The Digital Operational Resilience Act follows up on this by putting emphasis on the need for a register of ICT suppliers, for the risks of each and every supplier to be determined, and for assessments to be carried out on all ICT suppliers prior to engaging their services.
INFORMATION AND INTELLIGENCE SHARING
The Digital Operational Resilience Act promotes the idea of having firms exchange data and information between them relating to cyber threats. Such communication will lead to organisations enhancing their knowledge of newly emerging risks and thus being well prepared to minimise such threats if they ever surface within the organisation. Information sharing can be done through arrangements that protect the sensitive nature of the information held by the organisations.
RECEIVE FUNDING FOR YOUR JOURNEY TOWARD REGULATORY COMPLIANCE
As a Malta Enterprise approved advisor, Luke can help his clients reap the full benefits of currently available funding. Applicable to any business based in Malta, the Government of Malta’s current funding schemes have never been better, with the precise amount depending on your company’s size and ownership structure.
For more information, simply get in touch for a free consultation session! Luke will help you to make the most of the best available funding incentives applicable to your business.
Funding Opportunities
For pioneering companies, getting ISO 9001 certification is a crucial milestone. Recognizing the importance of working towards this standard, there are various funding opportunities to be found in Malta. These include:
- 50% Tax Credits by the Government of Malta.
- cash grants by Malta Enterprise, JobsPlus, & other entities.
Which entities are impacted by DORA?
The obligations that come with the Digital Operational Resilience Act are mostly felt by financial institutions and other entities that deal with sensitive user data. As an Act, DORA is an add-on and hence must work hand-in-hand with the likes of GDPR and other preceding initiatives. Entities impacted include:
- Banks
- Payment service providers
- Capital market entities
- Cloud/SaaS providers
- Insurance providers
- Brokers
- Data storage solutions providers
- Software providers
How can Luke Desira assist you with DORA?
If you are a financial entity or another institution which deals with sensitive data, it is recommended to seek help to coordinate changes to the organisation's current IT framework.
Luke Desira can help by:
- Performing a gap analysis to identify any gaps in the current framework
- Reviewing and implementing policies and controls
- Reviewing incident management procedures
- Auditing ICT related processes
Frequently Asked Questions
What is Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is part of the European Union’s efforts in making institutions, especially those in the financial sector, digitally safer.
When will DORA come into effect?
The new set of regulations bundled with the Digital Operational Resilience Act (DORA) was launched on the 17th of January 2023 and will come into effect on the 17th of January 2025.
Which institutions will be affected by DORA?
The obligations that come with the Digital Operational Resilience Act will be mostly felt by financial institutions and other entities that deal with sensitive user data.
Once DORA comes into force what will happen to the MFSA ICT guidelines?
Although it is still early to tell, the official guidelines are set to be evaluated, and the outcome will be communicated through the official channels.