DORA Digest October 2024
With only four months left until the January 2025 deadline, it's crucial that board members and senior management understand their roles and responsibilities in ensuring compliance with the Digital Operational Resilience Act (DORA).
DORA Digest September 2024
This month, we delve deeper into one of the joint technical standards on major incident reporting and the implications for organisations within scope of DORA.
The joint technical standards are a combination of the RTS designed to specify the reporting of major ICT-related incidents and the ITS designed to establish the reporting details for major ICT-related incidents: Article 20(a) and (b).
DORA Digest August 2024
The recent developments regarding the Digital Operational Resilience Act (DORA) and its associated threat-led penetration testing (TLPT) have been significant. Ed Starkie and Shreeji Doshi look at the key points to note from a requirements point of view, and Hassan M, Senior Analyst, Threat Simulation, provides his insights into TLPT based on his numerous experiences of undertaking such missions.
DORA Digest July 2024
The Digital Operational Resilience Act (DORA) takes full effect in less than six months, so it’s time to look at the compliance roadmap and get your bearings. Ed Starkie and Shreeji Doshi set out the technical standards that are now approved and ready for the January 2025 deadline, what will be in the second tranche (which closed for submissions today), and what to keep an eye on.
DORA Digest June 2024
This month’s DORA Digest arrives just as the European Central Bank (ECB) is conducting its first-ever round of cybersecurity stress testing on 109 banks. Ed Starkie looks at what these exercises aim to achieve, what all financial services firms can learn from the outcomes, and what they should be doing now to take the stress out of stress testing.
DORA Digest May 2024
This month, we present our DORA Digest webinar, Is anyone ready for DORA?
Hosted by Shreeji Doshi, GRC Director of Cyber Risk, and moderated by Phoebe Jordan, Managing Director of TPRM, the session is a lively one that covers a lot of ground!
DORA Digest April 2024
Something a bit different for DORA Digest this month, as we launch DORA Talks – five episodes dedicated to talking about all things DORA. Shreeji Doshi, a director of cyber governance, risk and compliance (and editor of DORA Digest) met with experts from the worlds of banking, funds, risk management, and cyber security to get their different perspectives on what DORA’s impact will be.
All episodes are available now, each with fascinating insights for anyone interested in DORA and the wider issues of cyber risk management.
DORA Digest March 2024
Starting over or from scratch is one way to approach DORA compliance – another option is to leverage existing tools to smooth your path to January 2025.
One of the most useful tools available is the recently updated Cybersecurity Framework from the US’s National Institute of Standards and Technology (the NIST CSF).
In the latest DORA Digest, Shreeji Doshi (Director, GRC Cyber Risk) explains how aligning DORA’s prescriptive requirements to this latest version of the NIST CSF can accelerate the DORA compliance process.
DORA Digest February 2024
The purpose of this monthly DORA Digest is to outline what most of these organisations will need to do to achieve the desired results. With less than a year to go until DORA takes effect, the DORA compliance journey should be well mapped out by now. This month, we cover:
- Understanding DORA requirements in more detail
- How Thomas Murray’s DORA assessment questionnaire can help
- Challenges that organisations are likely to face
DORA Digest January 2024
The countdown to the Digital Operational Resilience Act (DORA) has begun in earnest. With only one year to go, each month we’ll be looking at the key issues and events you need to be aware of as the final implementation date of 17 January 2025 approaches.
In this first issue of the DORA Digest, we’ll be looking at why the regulation was created, what it is, who it affects, and suggestions for planning your journey to DORA compliance.