European financial entities need to improve to align with DORA
As the Digital Operational Resilience Act (DORA) approaches its implementation date of 17 January 2025, recent surveys in Luxembourg, Ireland and the Netherlands have revealed that many financial institutions across Europe are facing significant challenges in meeting the required changes in time.
Thomas Murray is a leader in global risk, due diligence and cyber security solutions, and has worked over the last 30 years with many of the world’s leading financial institutions, and with organisations of every size, to ensure their security and compliance.
The DORA Readiness Landscape
Recent surveys from a number of European financial authorities have highlighted the current state of preparedness.
The Luxembourg Financial Sector Supervisory Commission (CSSF)’s survey highlights how financial institutions in the region are feeling ahead of the January deadline.
- Only 1 entity out of 389 surveyed considers itself fully ready
- 71% perceive themselves as partially ready
- 23% believe they are mostly ready
- 6% admit to being not ready
Ireland’s Central Bank found that organisations had poor data quality in initial dry runs, highlighting the need for comprehensive testing programmes and for clear governance and reporting mechanisms.
The Malta Financial Services Authority has found a similar situation, with financial entities still addressing gaps identified in 2023 and grappling with ongoing implementation.
Thomas Murray conducted its own survey across 18 countries to see which areas required the most effort to comply with DORA.
Thomas Murray’s data reveals that most institutions are working towards addressing challenges with cross-group coordination, comprehensive documentation, and strategic third-party management in their DORA preparation efforts.
The message is clear: financial entities must take tangible steps towards DORA compliance, with time running short before the January 2025 implementation date.
Key Areas of Focus for Financial Institutions
Financial institutions are navigating the complexities of DORA implementation and the significant transformations needed in their risk management frameworks. Thomas Murray recommends focusing on the following areas to meet baseline expectations by the 17 January 2025 deadline:
- ICT Incident Reporting:
Financial entities must establish a robust reporting mechanism for major ICT-related incidents, including creating specific roles like "IT Incident Notifier" and notifying competent authorities through designated platforms. Currently, 53% of entities are fully or mostly prepared for incident management, indicating significant progress in implementing these requirements.
- Critical Function Identification:
Organisations need to comprehensively map critical business functions, identifying associated ICT assets and third-party service providers with a detailed inventory of critical information systems and potential vulnerabilities. Only 30-40% of entities feel adequately prepared for this comprehensive mapping requirement.
- Register of Information:
Entities must submit an annual record of ICT service agreements by 30 April 2025, detailing new ICT service arrangements, third-party provider categories, contractual types, and specific ICT services and functions. This registration process aims to enhance transparency and oversight of technological service relationships.
- Governance Setup:
The regulatory framework mandates a robust three lines of defence for digital resilience, with board-level involvement requiring direct engagement from operations management, risk management and internal audit functions. This will require a cultural shift towards cybersecurity and clear accountability for ICT risk management to effectively implement these governance requirements.
- Comprehensive Risk Management Documentation:
Organisations must develop comprehensive documentation covering the plans, policies and procedures that underpin continuous monitoring of cyber threats, regular testing of cyber security measures, and periodic review of risk management strategies. The policy, procedure and plan documentation needed includes the following.
Policies:
- Encryption & cryptographic controls
- ICT project management
- Physical and environmental security
- Human resources
- Identity management
- Access control
- ICT-related incident management
Procedures:
- Capacity and performance management
- Vulnerability and patch management
- Data and system security
- Logging
- ICT change management
- Identity management
Policies and procedures:
- ICT Assessment Management
- ICT Operations
- Network Security Management
- Security information in transit
- Acquisition, development, and maintenance of ICT systems
- Backup and restore
- ICT Asset Management
Plans:
- ICT Response and Recovery
- Crisis communication
- DORA Compliance Roadmap
With just a month remaining until DORA's deadline, financial institutions must escalate their efforts to ensure compliance and strengthen operational resilience. At Thomas Murray, we recommend focusing on these key areas as a minimum, while actively working towards full DORA compliance in 2025. This includes establishing a well-documented compliance roadmap and allocating the necessary resources effectively.
How Thomas Murray Can Help With DORA
Thomas Murray is uniquely positioned to help financial institutions with DORA, leveraging its Orbit Risk Platform’s integrated approach of continuous cyber security monitoring, comprehensive risk assessment, and multi-dimensional intelligence gathering across the security, diligence and risk domains.
Some of the key areas that Thomas Murray can help you get on top of include:
- DORA compliance progress check
- Executive Readiness DORA workshop
- DORA Compliance Roadmap definition
- DORA Compliance Programme Management
- Policies, procedures and Digital Operational Resilience Strategy documentation
- ICT Risk Assessments
- ICT Incident Readiness and Tabletop exercise
- ICT Third Party Risk Assessment
- Technology and process implementation
- DORA related change management