DORA is live. Your customers are complying; should you?

The Digital Operational Resilience Act (DORA) took effect on 17th January 2025, and ProAV financial services end-users are racing to comply. Should AV bother?
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the information and communication technology (ICT) security of financial entities. It is designed to ensure that the financial sector in Europe can remain resilient in the event of severe operational disruptions. DORA covers a wide range of financial entities, including banks, insurance companies and investment firms, as well as the ICT third-party service providers that serve them. Specific compliance requirements include:
👍 ICT risk management: Establishing principles and requirements for managing ICT risks.
👍 ICT third-party risk management: Mitigating risks associated with third-party ICT service providers.
👍 Digital operational resilience testing: Implementing a testing program to ensure operational resilience.
👍 Incident reporting: Managing and reporting major ICT-related incidents to competent authorities.
👍 Information sharing: Facilitating the exchange of information and intelligence on cyber threats.
Does AV need to comply with DORA?
➡️ Yes. Although the regulation targets the financial services sector, including banks, insurance companies, investment firms and payment institutions, DORA also requires ICT third-party providers to the financial services sector to comply with the regulation. Article 28 of the regulation sets out requirements for managing ICT third-party risk and requires that ICT third-party service providers to the financial services sector meet the same cybersecurity and operational resilience standards as the financial institutions they serve.
Additionally, DORA is being localised in non-EU regions, so even if you do not provide services in the EU, it is prudent to consider putting equivalent structures in place.
What do you need to do?
😊 Develop and maintain robust risk management policies and procedures.
😊 Maintain a record of contractual agreements with financial institutions, and review those contracts regularly to ensure they meet DORA requirements.
😊 Maintain active incident management and operational resilience readiness, including tested mechanisms for incident management and reporting.
😊 Designate and train a team member or members to own and administer DORA compliance in your organisation.
😊 Implement third-party risk management systems to govern third-party engagements.
It's time to Unlock AV Value!