What organizations need to know about the Digital Operational Resilience Act (DORA)
2024-03-05 04:30

Lovejoy discusses the alignment between DORA and NIS2 directives, the timeline for DORA's implementation, and the imperative steps organizations must take to ensure compliance by the 2025 deadline.

How will DORA impact organizations across the EU, particularly regarding ICT risk management and cybersecurity?

To avoid overlaps, the regulators have specified that entities in scope of DORA would not need to comply with some of the key NIS2 provisions such as the risk management framework and the reporting obligations.

Prior to DORA, the EU operational resilience and cybersecurity risk management governance model for financial entities (FEs) was based on a disparate collection of national rules, guidelines, and practices that empowered EU financial supervisors neither to impose uniform requirements on FEs nor to assess the risks arising from their dependence on third-party service providers (TSPs). DORA addresses these disparities and the uneven national regulatory and supervisory approaches.

Under DORA, FEs will also be required to undertake annual basic testing, such as vulnerability assessments and scenario-based testing, whilst those considered to have a critical role in the financial system and their ICT providers will also need to undergo additional threat-led penetration testing every three years.

DORA will require internal audit functions to review and potentially augment all their current plans and programs, as these will now need to pinpoint potential risks to FEs via third-party ICT providers.
News URL

https://www.helpnetsecurity.com/2024/03/05/kris-lovejoy-kyndryl-digital-operational-resilience-act-dora/