10 KEYS TO SUCCESS
WITH DORA COMPLIANCE
PAUL C DWYER
1. UNDERSTAND DORA:
Familiarise yourself with the regulation and its requirements. Consider taking specialist training such as DCCS - Dora Certified Compliance Specialist to deepen your knowledge. This will enable you to understand the regulation in detail and how it applies to your organisation.
2. ASSESS CYBER RISKS:
Understand the cyber risks across your extended supply chain. Utilise solutions such as CyberPrism.com to help identify and assess these risks. This will enable you to identify potential vulnerabilities and take proactive steps to mitigate them.
3. ADOPT A PRINCIPLE OF PROPORTIONALITY:
Take into account the scale, complexity, and importance of ICT-related dependencies and risks that arise from the contractual arrangements in place with ICT third-party service providers. This will enable you to make informed decisions on risk management, and ensure that your organisation is aligned with the regulation's requirements.
4. INVOLVE MULTIPLE TEAMS:
Ensure that the compliance process involves multiple teams such as IT security, legal, compliance, and risk management teams, as well as management and external counter parties. This will enable you to get a comprehensive view of the organisation's cyber risks and take a holistic approach to compliance.
5. EMPOWER LEADERSHIP:
DORA establishes responsibility for a firm's operational resilience at the Board and CxO-level, therefore, senior management should take a leading role in the implementation of DORA's requirements. To support this, it is important that leadership receives adequate training such as CCRO - Certified Cyber Risk Officer, which will enable them to understand the subject matter and make informed decisions.
Familiarise yourself with the regulation and its requirements. Consider taking specialist training such as DCCS - Dora Certified Compliance Specialist to deepen your knowledge. This will enable you to understand the regulation in detail and how it applies to your organisation.
2. ASSESS CYBER RISKS:
Understand the cyber risks across your extended supply chain. Utilise solutions such as CyberPrism.com to help identify and assess these risks. This will enable you to identify potential vulnerabilities and take proactive steps to mitigate them.
3. ADOPT A PRINCIPLE OF PROPORTIONALITY:
Take into account the scale, complexity, and importance of ICT-related dependencies and risks that arise from the contractual arrangements in place with ICT third-party service providers. This will enable you to make informed decisions on risk management, and ensure that your organisation is aligned with the regulation's requirements.
4. INVOLVE MULTIPLE TEAMS:
Ensure that the compliance process involves multiple teams such as IT security, legal, compliance, and risk management teams, as well as management and external counter parties. This will enable you to get a comprehensive view of the organisation's cyber risks and take a holistic approach to compliance.
5. EMPOWER LEADERSHIP:
DORA establishes responsibility for a firm's operational resilience at the Board and CxO-level, therefore, senior management should take a leading role in the implementation of DORA's requirements. To support this, it is important that leadership receives adequate training such as CCRO - Certified Cyber Risk Officer, which will enable them to understand the subject matter and make informed decisions.
Empty space, drag to resize
Empty space, drag to resize
6. REGULARLY REVIEW AND UPDATE PLANS:
Regularly review and update your digital operational resilience strategy and policy on ICT Third Parties (TPs) as per the DORA regulation requirements. This will ensure that your organisation stays aligned with the regulation's requirements and is prepared for any potential disruptions.
7. PRIORITISE REMEDIATION ACTIONS:
Decide how to prioritize remediation actions in order to address operational vulnerabilities that are identified. This will enable you to take proactive steps to mitigate potential risks.
8. PRODUCE EVIDENCE:
Be able to demonstrate to supervisors that your firm is resilient to firm-specific threats as well as broader sectoral threats. This will demonstrate your organisation's compliance with the regulation.
9. FACTOR EXTERNAL ENVIRONMENT:
Regularly factor in management information on threats and vulnerabilities emanating from the external environment into the overall resilience of the firm in a dynamic manner. This will enable you to stay informed about potential risks and take proactive steps to mitigate them.
10. IDENTIFY CRITICAL OR IMPORTANT FUNCTIONS (CIFs):
Identify the functions that are critical to the firm's operations as per the DORA regulation requirements, this will be a focal point for the work the firm must do to build its resilience.
It is worth mentioning that all of these points are interrelated and training for leadership is an important aspect in ensuring that the organisation can understand the regulation and its requirements, assess cyber risks, adopt a principle of proportionality, involve multiple teams, empower leadership, regularly review and update plans, prioritise remediation actions, produce evidence, factor external environment and identify critical or important functions.
Regularly review and update your digital operational resilience strategy and policy on ICT Third Parties (TPs) as per the DORA regulation requirements. This will ensure that your organisation stays aligned with the regulation's requirements and is prepared for any potential disruptions.
7. PRIORITISE REMEDIATION ACTIONS:
Decide how to prioritize remediation actions in order to address operational vulnerabilities that are identified. This will enable you to take proactive steps to mitigate potential risks.
8. PRODUCE EVIDENCE:
Be able to demonstrate to supervisors that your firm is resilient to firm-specific threats as well as broader sectoral threats. This will demonstrate your organisation's compliance with the regulation.
9. FACTOR EXTERNAL ENVIRONMENT:
Regularly factor in management information on threats and vulnerabilities emanating from the external environment into the overall resilience of the firm in a dynamic manner. This will enable you to stay informed about potential risks and take proactive steps to mitigate them.
10. IDENTIFY CRITICAL OR IMPORTANT FUNCTIONS (CIFs):
Identify the functions that are critical to the firm's operations as per the DORA regulation requirements, this will be a focal point for the work the firm must do to build its resilience.
It is worth mentioning that all of these points are interrelated and training for leadership is an important aspect in ensuring that the organisation can understand the regulation and its requirements, assess cyber risks, adopt a principle of proportionality, involve multiple teams, empower leadership, regularly review and update plans, prioritise remediation actions, produce evidence, factor external environment and identify critical or important functions.
Paul C Dwyer is the ICTTF President, recognised as one of the world’s foremost experts on cyber security, risk and privacy.
Connect to Paul here.
Connect to Paul here.
HEAD OFFICE
-
ICTTF Ltd
Unit 8, Kinsealy Business Park,
Kinsealy Lane,
Malahide,
Co Dublin
K36 CX92 -
info@icttf.org
support@icttf.org -
+353 (0)1 905 3263
Copyright © - All Rights Reserved - ICTTF Ltd. - Registered Company in Ireland: 567446 - VAT No IE3395678DH