DORA Compliance Checklist – Summary

What is the DORA regulation in a nutshell? The Digital Operational Resilience Act (DORA) is an EU regulation that sets out what financial institutions and their Information and Communication Technology (ICT) vendors must do to strengthen the operational resilience of the financial services and supplier ecosystem and to meet the DORA requirements.

  1. Are you in scope for DORA?
  2. Conduct a gap analysis
  3. Develop a remediation plan to address the gaps
  4. Identify ICT vendors and execute a plan for ensuring their DORA compliance
  5. Conduct threat-led penetration testing (TLPT)
  6. Develop an incident response plan
  7. Implement continuous monitoring of ICT vendors
  8. Define and enact Board responsibilities


Explore the expanded details of the DORA compliance checklist below for specific actions and plans for each of the criteria. We have reviewed the Digital Operational Resilience Act pdf and extracted and interpreted the requirements for publishing here as a DORA regulation summary.

DORA Compliance Checklist – Expanded Detail

The Digital Operational Resilience Act regulation is a mandatory regulatory framework for finance entities and information and communications technology vendors to implement. The DORA compliance checklist outlines the actions to take to achieve DORA compliance.


1. Scope Determination:

Identify whether your organization falls within the scope of DORA, as outlined in Article 2. Are you a financial institution or an ICT third-party vendor?


2. Gap Analysis:

Conduct a DORA maturity assessment to identify the gaps in ICT systems that are non-compliant with DORA requirements.

Begin to continuously monitor ICT risks, including third-party risk assessments of your ICT vendors.

How FortifyData helps with DORA gap analysis assessments

The FortifyData platform has an embedded DORA questionnaire with these checklist items and compliance requirements. You can respond, upload evidence and begin the continuous technical assessments which are tied to appropriate questions for auto-validation of the technical control.

FortifyData automates compliance mapping and reporting for financial institutions and third-party ICT vendors.

3. Remediation Plan:

Develop a roadmap to address compliance gaps, based on the findings of the gap analysis.

How FortifyData helps with remediation efforts

FortifyData automatically provides remediation recommendations for technical and asset-based findings. The FortifyData platform also supports workflow communications with team members and with other technology systems (GRC, SIEM) for additional remediation management automation.


4. Identify and Manage Critical Third-Party ICT Providers:

Identify third-party ICT providers deemed critical under Article 31 and ensure their compliance with DORA.

How FortifyData helps ICT vendor management


The FortifyData platform assesses ICT vendors and lets you:

  • Find, track and continuously assess their external attack surface
  • Monitor their responses to the DORA questionnaire and the resulting compliance gaps
  • Track changes in their security posture over time
  • Compare them to other ICT vendors and to industry benchmarks
  • Receive alerts when an ICT vendor falls below a monitoring threshold

5. Threat-Led Penetration Testing (TLPT):

Implement a TLPT framework as required by Article 26, meeting the following criteria:

  • Use an approved framework (e.g., TIBER-EU)
  • Include critical functions of the financial entity
  • Define the scope and obtain approval from competent authorities
  • Conduct testing on live production systems
  • Perform testing every three years or as needed based on risk assessment
  • Document findings, corrective actions, and compliance with requirements


FortifyData’s continuous external attack surface and internal vulnerability assessments can help any financial institution or ICT vendor be better prepared for threat-led penetration testing. Our assessments perform the reconnaissance and identification steps, but not the exploitation. With a good risk-based vulnerability management program in place, more advanced threat scenarios can then be tested during your TLPT exercise.

FortifyData can also recommend penetration testing partners that focus on red teaming or threat-led penetration tests.


6. Incident Response Plan:

Establish an ICT incident management process as per Article 17, including:

  • Early warning indicators
  • Incident identification, tracking, and classification
  • Roles and responsibilities
  • Communication and notification procedures
  • Reporting of major incidents to senior management


7. Continuous ICT Monitoring:

Monitor ICT systems continuously to identify risks as specified in Article 8, including:

  • Identifying and documenting ICT assets and dependencies
  • Assessing cyber threats and vulnerabilities
  • Performing additional risk assessments for major changes
  • Maintaining inventories of information assets and third-party dependencies
  • Regularly assessing legacy ICT systems

How FortifyData helps with continuous ICT monitoring

The FortifyData platform was developed to conduct continuous cyber threat assessments of the external attack surface of vendors, in the same way a threat actor would. The external exposures are assessed continuously, at a weekly, monthly or other client-defined interval, and translated into an ongoing security rating score. This gives you and your ICT partners intelligence on the exposures that could put the resilience of your financial services at risk, so you can stay ahead of threat actors.

8. Board Responsibilities:

Ensure that the board of directors and executive management fulfill their responsibilities under Article 5, including:

  • Setting security policies
  • Defining governance arrangements
  • Approving digital resilience strategy
  • Reviewing ICT plans and third-party services
  • Allocating resources for ICT security and training

How FortifyData helps with Board Responsibilities

FortifyData provides simple and clear reporting that can be shared with Board members and with other auditing or oversight entities. This lets you communicate your ICT vendor oversight program simply and effectively, with options for granular reports on each ICT vendor or comparison reports across ICT vendors, in support of meeting DORA requirements.

FortifyData is specifically suited to help your organization automate and meet Digital Operational Resilience Act regulation compliance requirements. Schedule a demo to learn how you can simplify and automate your DORA regulations compliance journey.

The DORA regulations are a comprehensive framework that financial institutions and the third-party ICT vendors that support the financial services industry must meet to improve cybersecurity resilience across the ecosystem. Following the checklist puts the organizations in scope on a path to compliance and improved cyber resilience that will continue for years to come. Maintaining compliance will be mandatory, and financial services organizations will have to communicate with their European Supervisory Authorities (ESAs) in their respective countries when an incident occurs. Such communication will likely lead to an evaluation of how the ICT vendor and the financial institution met and maintained DORA compliance, and of how the incident originated.

Who does the Digital Operational Resilience Act apply to?

DORA is European Union legislation that requires financial institutions and critical third-party ICT providers to implement a comprehensive framework for managing operational risks related to information and communication technology (ICT).

Resources


Webinar: Reduce Cyber Risk with Next Generation Cyber Ratings

Understand why older cyber rating methods are less effective, and see the benefits of next generation ratings in action.


FortifyScore Methodology

Discover the factors that the FortifyScore identifies, analyzes and calculates from the FortifyData platform assessments.


Webinar: Optimize Your Third Party Risk Management Program

Learn FortifyData’s approach to third-party cyber risk management, which is based on live assessment data.


Next Generation Third Party Risk Management Whitepaper

Understand the benefits of using the next generation of Third Party Risk Management platforms, which provide more accurate intelligence.