DORA - How to Comply with Regulatory Requirements and Effectively Establish Digital Operational Resilience in Your Company
scale(8.33333)%22%3E%3CclipPath%20id=%22a%22%3E%3Cpath%20d=%22M0%200h56.693v56.693H0z%22/%3E%3C/clipPath%3E%3Cg%20clip-path=%22url(%23a)%22%3E%3Cpath%20d=%22M28.346.0C12.795.0-.001%2012.796-.001%2028.347s12.796%2028.347%2028.347%2028.347%2028.347-12.796%2028.347-28.347C56.676%2012.803%2043.89.017%2028.346.0m-9.259%2042.735h-6.448V22.3h6.448zM15.7%2019.748h-.046A3.583%203.583.0%200111.8%2016.206c0-2.018%201.558-3.547%203.939-3.547q.156-.014.312-.014a3.6%203.6.0%20013.581%203.555c0%201.98-1.51%203.548-3.934%203.548m29.19%2022.987h-7.312V32.162c0-2.767-1.144-4.657-3.659-4.657a3.7%203.7.0%2000-3.492%202.5%204.7%204.7.0%2000-.157%201.67v11.06h-7.244s.093-18.729.0-20.432h7.244v3.207c.428-1.4%202.743-3.4%206.437-3.4%204.582.0%208.183%202.939%208.183%209.267z%22%20style=%22fill:%238a959b;fill-rule:nonzero%22/%3E%3C/g%3E%3C/g%3E%3C/svg%3E)
%22%3E%3Cpath%20d=%22M12.12%201.176c5.846.0%2010.591%204.615%2010.591%2010.299.0%205.683-4.745%2010.298-10.591%2010.298-5.845.0-10.591-4.615-10.591-10.298.0-5.684%204.746-10.299%2010.591-10.299zM6.331%2017.264H17.91C18.308%2017.264%2018.649%2017.123%2018.932%2016.839%2019.216%2016.556%2019.358%2016.215%2019.358%2015.817V7.132C19.358%206.734%2019.216%206.394%2018.932%206.11%2018.649%205.827%2018.308%205.685%2017.91%205.685H6.331C5.932%205.685%205.592%205.827%205.308%206.11c-.283.284-.425.624-.425%201.022v8.685c0%20.398.142.739000000000001.425%201.022C5.592%2017.123%205.932%2017.264%206.331%2017.264zm0-8.684%205.789%203.618L17.91%208.58v7.237H6.331V8.58zm0-1.448H17.91l-5.79%203.619L6.331%207.132z%22%20style=%22fill:%238a959b%22/%3E%3C/g%3E%3C/svg%3E)
European Union Regulation No. 2022/2554 on digital operational resilience for the financial sector, known as DORA (Digital Operational Resilience Act), is a key regulation aimed at ensuring that financial institutions can withstand cyber threats and maintain the continuity of their services even in the event of severe operational disruptions. The regulation comes into effect on January 17, 2025, making it crucial to start implementing the necessary measures now.
In our law firm, we have been addressing this issue intensively and for a long time. Therefore, we have prepared clear and comprehensive documentation for you that complies with all DORA requirements and reflects the related interpretative materials and checklists provided by the Czech National Bank.
Key Areas of Solution According to DORA
1. Functions, Processes, and Overall Strategy for Digital Operational Resilience
The initial step in meeting the requirements of the DORA regulation is the proper identification of all critical and important business functions and processes within the company, along with creating documentation of the assets that support these functions and processes.
Following this step, a risk catalog is prepared, outlining the threats faced by the company, and a strategy is established. This strategy encompasses the company’s overall approach to identified risks and ensures operational resilience. The strategy defines long-term goals, rules, and responsibilities for maintaining operational resilience.
2. Framework for ICT Risk Management
To ensure the security of information and communication technologies (ICT), it is necessary to implement a robust risk management framework that includes:
Summary of the identification and assessment of assets and risks conducted in step one:
- List of Business Functions
- Description of Methods for Identifying and Managing Assets in the ICT Domain
- Catalog of Assets (Information and ICT) and Their Vulnerabilities
- Catalog of Identified Threats and Risks
- Impact Analysis
Description of implemented security measures to ensure the availability, confidentiality, and integrity of data:
- Communication Policy and Crisis Communication
- Policy and Procedures for Physical and Logical Security
- Policy and Protocols for Strong Authentication Mechanisms
- Procedures for Ensuring Data and System Security
- Log Management Procedures
- Environmental Security Policy
- Identity Management Policy and Procedures
- Access Management Policy
- Information Security Policy
- Policy, Procedures, and Protocols for Protecting Information During Transmission
- Description of ICT Infrastructure Management
- Capacity and Performance Management Procedures
- Vulnerability Management Procedures
Risk Management (Business Continuity) and Development Plans in the Company:
- Procedures for Business Continuity – ICT Response and Recovery
- Procedures for Activity Logging Before and During Outages
- Backup Policy and Procedures
- ICT Recovery Procedures and Methods
- ICT Change Management, Patching, and Update Policy and Procedures
- Policy for Procurement, Development, and Maintenance of ICT Systems
- Policy for ICT Project Management
- Awareness and Training Programs in ICT
3. ICT Incident Management and Reporting
As part of DORA requirements, the implementation of processes for incident management includes:
Incident Classification:
- Description of the method for classifying incidents (determining the severity of incidents based on their impact on operations).
Incident Management and Reporting:
- ICT Incident Management Policies and Procedures.
- Description of Incident Logging.
- Procedures for Monitoring, Resolving, and Following Up on ICT Incidents.
- Procedures for Reporting Incidents to Regulatory Authorities.
Communication Plans:
- Procedures for Communicating with Clients and Stakeholders.
4. Testing Digital Operational Resilience
Regular resilience testing is crucial to verify whether a company can respond to cyber threats. Testing includes:
Testing Plan, which defines the frequency and scope of individual tests (including potential penetration and stress tests):
- Program and Procedures for Testing Digital Operational Resilience
5. Third-Party Relationship Management
Companies must effectively manage risks associated with ICT service providers. This includes:
Vendor Register:
- Documentation of all external vendors and their roles.
- Security Assessment of ICT Vendors.
Risk Assessment and Management:
- ICT Third-Party Risk Management Policy.
- Strategies and Plans for Contract Termination.
- Transition Plans to Alternative Providers.
- Multi-Vendor ICT Strategy.
Contractual Agreements:
- Ensuring contracts with vendors include requirements for security and service continuity.
How can we assist you?
Our office will provide you with comprehensive support in implementing the DORA regulation. We offer:
- A ready-made set of documents containing all the aforementioned strategies, policies, guidelines, and plans necessary to meet DORA requirements.
- Legal support in setting up internal processes and contractual relationships with vendors.
- Tailored regulations – the documentation is designed to comply with the regulation’s requirements while remaining flexible and easily adaptable to the specific needs of your company.
Be Prepared
The DORA regulation will come into effect on January 17, 2025. The sooner you begin its implementation, the better prepared you will be for potential audits and inspections by the Czech National Bank as the supervisory authority.
Do not hesitate to contact us for more information and collaboration. With our assistance, you will be fully compliant with DORA requirements and ready for the future of the digital world.
