Expediente DORA

As the Digital Operational Resilience Act (DORA) approaches its implementation date of 17 January 2025, recent surveys in Luxembourg, Ireland and the Netherlands have revealed that many financial institutions across Europe are facing significant challenges in meeting the required changes in time.

Thomas Murray is a leader in global risk, due diligence and cyber security solutions, and has worked with many of the world’s leading financial institutions, and organisations of every size over the last 30 years to ensure their security and compliance.

Recognising the complexity and importance of achieving compliance, we have meticulously curated a comprehensive suite of DORA resources over the past few months. These resources are specifically designed to enhance your understanding of DORA, track your compliance journey, and provide support at every stage.

With only four months left until the January 2025 deadline, it's crucial that board members and senior management understand their roles and responsibilities in ensuring compliance with the Digital Operational Resilience Act (DORA). 

This month, we delve deeper into one of the joint technical standards on major incident reporting and the implications for organisations within scope of DORA.  

The joint technical standards are a combination of the RTS designed to specify the reporting of major ICT-related incidents and the ITS designed to establish the reporting details for major ICT-related incidents: Article 20(a) and (b).   

The recent developments regarding the Digital Operational Resilience Act (DORA) and its associated threat-led penetration testing (TLPT) have been significant. Ed Starkie and Shreeji Doshi look at the key points to note from a requirements point of view, and Hassan M, Senior Analyst, Threat Simulation provides his insights into TLPT based on his numerous experiences of undertaking such missions. 

The Digital Operational Resilience Act (DORA) takes full effect in less than six months, so it’s time to look at the compliance roadmap and get your bearings. Ed Starkie and Shreeji Doshi set out the technical standards that are now approved and ready for the January 2025 deadline, what will be in the second tranche (which closed for submissions today), and what to keep an eye on.  

This month’s DORA Digest arrives just as the European Central Bank (ECB) is conducting its first-ever round of cybersecurity stress testing on 109 banks. Ed Starkie looks at what these exercises aim to achieve, what all financial services firms can learn from the outcomes, and what they should be doing now to take the stress out of stress testing.

This month, we present our DORA Digest webinar, Is anyone ready for DORA?

Hosted by Shreeji Doshi, GRC Director of Cyber Risk, and moderated by Phoebe Jordan, Managing Director of TPRM, the session is a lively one that covers a lot of ground!

Something a bit different for DORA Digest this month, as we launch DORA Talks – five episodes dedicated to talking about all things DORA. Shreeji Doshi, a director of cyber governance, risk and compliance (and editor of DORA Digest) met with experts from the worlds of banking, funds, risk management, and cyber security to get their different perspectives on what DORA’s impact will be.

All episodes are available now, each with fascinating insights for anyone interested in DORA and the wider issues of cyber risk management.

Starting over or from scratch is one way to approach DORA compliance – another option is to leverage existing tools to smooth your path to January 2025.

One of the most useful tools available is the recently updated Cybersecurity Framework from the US’s National Institute of Standards and Technology (the NIST CSF).

In the latest DORA Digest, Shreeji Doshi (Director, GRC Cyber Risk) explains how aligning DORA’s prescriptive requirements to this latest version of the NIST CSF can accelerate the DORA compliance process.