The DORA regulation decrypted: what you need to know

What is DORA?

The DORA or Digital Operational Resilience Act is a regulation adopted by the European Union aimed at strengthening the digital resilience of financial actors, particularly in terms of managing technological risks, cybersecurity, and critical service continuity.

Its main objective is to ensure that the financial sector can keep operating continuously through IT crises such as cyberattacks or major system failures.

Who is affected?

Banks and financial institutions

Insurance and reinsurance

Asset managers and pension funds

Market infrastructures, trading platforms, and other financial market participants

Third-party service providers judged critical, especially technology service providers such as software publishers, hosting providers, managed service providers, cloud services, etc.

What are the main measures and obligations?

The DORA regulation defines four key operational requirements to ensure digital resilience. Organisations must conduct an ongoing risk assessment, deploy a comprehensive Business Continuity Plan, carry out regular resilience testing of their systems and maintain proactive vulnerability management.

To ensure digital resilience, DORA imposes three key requirements. Management must be actively involved in risk management, guaranteeing cybersecurity and continuity of services. Regular training on cybersecurity and incident management must be provided at all levels of the company. Finally, internal audits must be carried out to verify compliance with DORA requirements and the application of security policies.

Managing the risks associated with third-party suppliers is a key element of digital resilience, according to DORA. Financial players need to identify and assess the risks associated with critical service providers, particularly those providing essential technologies. Strict contracts must be drawn up, incorporating cybersecurity and service continuity requirements, with an obligation for providers to comply. Finally, continuous monitoring must be carried out to assess performance and limit the risk of disruption.

An incident is considered major if it leads to significant disruption of financial services or major financial loss, which may also affect customers and partners. Institutions must notify the relevant authorities within 24 to 72 hours of detecting the incident, depending on its severity. Finally, a detailed report must be provided, specifying the impact, the corrective measures put in place and the preventive actions taken to avoid future incidents.

Securing digital assets and systems involves a number of essential measures. A complete and up-to-date inventory of assets, including software, systems and critical infrastructure, must be maintained. Network segmentation is necessary to isolate sensitive systems and limit the spread of attacks. Strict access control must be applied, incorporating the principle of least privilege and multi-factor authentication. Finally, ongoing maintenance is required to correct vulnerabilities and guarantee a secure environment.

The regulation imposes a detailed framework for managing digital risks and resilience of financial services, in order to ensure the stability and security of the European financial sector against cyber threats and other disruptions.

Sanctions in case of non-compliance with DORA

Dissuasive financial sanctions

Financial sanctions are determined by each member state of the European Union. However, the regulation requires that these penalties meet three criteria: they must be effective in ensuring compliance with standards, proportionate to the seriousness of the breaches, and sufficiently deterrent to prevent any violations.

Need to know more about DORA?

For any questions, contact our Cyber expert.

Alexandre Pavlov

Cyber Technical Referent