The aim of DORA
DORA aims to establish a comprehensive EU framework of rules for all regulated financial institutions by streamlining and upgrading existing financial legislation and introducing new requirements where gaps exist, in order to:
- better align their business strategies with the performance of ICT risk management
- harmonise and streamline the reporting of ICT-related incidents
- apply testing requirements proportionately
- strengthen their oversight and ensure sound monitoring of third-party ICT providers, so as to better manage the risks stemming from dependency on those providers
- raise awareness of ICT risk and minimise its spread through information sharing
- create more coherent and consistent incident reporting mechanisms
According to the DORA proposal, keeping pace with a quickly evolving cyber threat landscape requires setting up and maintaining resilient ICT systems and tools that minimise the impact of ICT risk.
For this purpose, entities need to:
- identify on a continuous basis all sources of ICT risk
- set up protection and prevention measures
- promptly detect anomalous activities
- put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy
- put in place capabilities and staff, proportionate to the size, business and risk profile of the organisation, for gathering information about vulnerabilities, cyber threats, ICT-related incidents and cyber-attacks, and analyse their likely impact on digital operational resilience
- implement communication policies and have in place communication plans that enable responsible disclosure of ICT-related incidents or major vulnerabilities
Which entities are impacted by the regulation?
A wide range of entities are affected by DORA. It covers banks, payment institutions, investment firms, crypto-asset service providers and more.
Impacted Entities are summarised in the following diagram.
What are some of the key obligations under DORA?
The regulation requires a comprehensive ICT Risk Management Framework for managing ICT risks. A summary of the key requirements for financial entities is divided into the following areas of cyber security and operational resilience.
How can KPMG help?
Financial entities and ICT Service Providers are advised to start familiarising themselves with the vast range of proposed requirements of the regulation.
Some of the requirements will not pose major changes to current frameworks and arrangements whereas others will require a lot of time, coordination, and effort from very different professionals within organisations.
KPMG can assist with:
- Gap analysis for checking readiness for compliance with DORA
- Review of strategies, policies, procedures, ICT protocols and tools
- Defining a well-documented ICT Risk Management Framework
- Establishing an information security management system to protect the confidentiality, integrity and availability of information assets
- ICT third-party risk management
- Reviewing and enhancing security incident management procedures
- Implementing policies, procedures and controls for ICT change management
- Establishing and reviewing ICT business recovery mechanisms (e.g., BCP, DR, BIA)
- Security awareness training
We at KPMG frequently provide cross-functional professional advice in the field of ICT risk management, cyber security and data protection and are used to bringing together different stakeholders in our client organisations.
Technology offers opportunities to rebuild your business around the customer to create a truly connected and highly profitable enterprise.
IT Advisory Lead, Digital Solutions
KPMG in Malta