We care about your privacy!


We use cookies on this website to improve your browsing experience and make your interactions more meaningful. This includes analyzing website traffic, individual usage to tailor content to your preference and measure the effectiveness of ads and ad campaigns. You can learn more about how we use cookies and manage your preferences in our privacy statement and cookies policy.

How to prepare for Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a new EU directive that changes the IT security approach of organizations operating in the financial sector. It will come into force on 17 January 2025, so making the necessary changes now would be timely.
Adam Sima

4. 6. 2024

What is DORA and whom does it affect?

DORA, together with NIS2 and CER, is part of the EU’s efforts to improve the security and operational resilience of critical infrastructure in Europe. DORA is focused on financial institutions and entities. Organizations that need to give it their full attention include:

  • Banks
  • Investment Firms
  • Payment Institutions
  • Credit rating agencies
  • Insurance intermediaries
  • Cryptocurrency traders.

Unlike NIS2, DORA applies to all financial institutions operating in the EU, irrespective of company size or employee numbers.

What happens if you don't comply with DORA?

Failure to comply with DORA requirements can lead to fines, loss of reputation – which is crucial in the financial sector, and in the case of repeated violations, license revocation, which can be devastating for some institutions. Penalties vary with the situation, but can reach up to 10 million euros or 5% of an organization’s annual turnover. Therefore, DORA compliance is a crucial strategic priority for financial institutions, not an option.

Where to start and how?

To meet DORA compliance, an organization must implement and demonstrate appropriate changes in key areas of cybersecurity management. We have summarized what this means in practice, as follows:

Build an appropriate risk management, analysis and assessment system

  • Create your own risk register according to the requirements of the directive.
  • In the event of a specific type of outage or attack, have its severity, impact, and the person dealing with the situation defined.

Implement a unified system for reporting, resolving and recording incidents

  • Familiarize all employees with how to report security incidents – preferably in one standard way.
  • Ensure that reported incidents and security changes related requests have an audit trail and can be easily traced.
  • If the problem has a direct impact on customers, establish a procedure for immediate communication of the situation.

Provide regular information security training for staff

  • Organize regular staff training on safe and secure working – with sensitive data, reporting incidents or suspicious activities, etc.

Commensurately secure your ICT infrastructure

  • Ensure that systems are regularly tested for operational resilience and applications tested at least once a year, with penetration testing performed at least once every three years.
  • Secure corporate networks against external attacks (e.g. using a firewall).
  • Don’t forget about the physical security of infrastructure (for example, giving only a select few people access to company servers).
  • Stay on top of what software you’re using and its updates.
  • Ensure consistent monitoring, which is crucial for assessing threats, be they attacks, viruses, malware, unauthorized network access, and other cyber risks.

Work only with proven IT service providers

  • Have good knowledge of your suppliers, their services, and their scope. The new directive ‘encourages’ financial institutions by way of sanctions, to choose proven suppliers for their key ICT components.
  • If you keep some data stored with your suppliers, know exactly which data and how secured. Keep track of what data you have stored with your suppliers and how protected.
  • Maintain clearly set up contracts with ICT service providers that meet all the relevant requirements. This means an accurate and comprehensible description of all services provided, the conditions for terminating the contract or their obligation to provide assistance in the event of an ICT incident.

Set up appropriate processes to manage security and access to information

  • Have a clearly defined access policy to sensitive data of the organization and customers.
  • Give access to company systems and applications only within a precisely defined scope.
  • Ensure that access rights are correctly assigned and removed when an employee joins / leaves.
  • In the event of a change in an employee’s job position or place of work, always adapt access to current needs.
  • Keep track of access changes in order to trace back who received what access when, and why.

Ensure the security and protection of sensitive data and information

  • Set up a system to protect your data, such as backup, encryption, or other measures to prevent data leakage and misuse.
  • Document who has access to specific information and why, for how long, strictly in keeping with your internal security policy.

Create a contingency plan to maintain business continuity in the event of an attack or disaster

  • Define a workflow to maintain operations in the event of a system outage, including clearly defined rules
  • Stipulate where key data are backed up for eventual recovery.
  • Establish a clearly defined procedure for reporting incidents to supervisory authorities.
  • Prepare a crisis plan in both digital and paper form so that it is reliably available even in the event of data encryption or network failure.

Update the Information Security Directive

  • Ensure that your organization has basic internal security guidelines in place – such as a security policy, password policy, permission allocation rules, etc.
  • Have detailed documentation in place to prove your compliance with the DORA security directive.

ALVAO will help you meet DORA requirements

Organizations can find implementing DORA security processes to be both challenging and very costly. The good news is that we can help you with much of the security agenda mentioned above. You can cover most areas from one place thanks to ALVAO, i.e. through one system.

A one-stop shop for reporting, resolving and recording incidents

Consolidating reported incidents is an important DORA requirement. ALVAO Service Desk serves as a single point of contact for all employees, allowing them to report incidents quickly and in a standard manner.


Process automation

Much of DORA’s new security agenda is process-driven. ALVAO will help you partially or fully automate most of your work - whether it’s reporting incidents, resolving outages, or training employees.

Security of access to information

The security of sensitive data is crucial from the DORA perspective. ALVAO makes it easy to manage access rights across services, sites, and documents according to your security policy. Regarding requests for access, a process is set up that has a clear sequence of steps, and if approval is given, access can be granted automatically (e.g. via integration with Power Automate).

Likewise, you can set up a security policy when employees join and leave, which can otherwise often involve late allocation or withdrawal of access rights, in direct breach of the new directive.

Regular training according to current needs

Based on ALVAO data, you always know the most common security incidents and risks your employees face. This will help you better plan appropriate training and prevent security risks and incidents. In addition, you can easily automate the organization of regular training in ALVAO.

System Integration

By default, ALVAO integrates into the most commonly used Microsoft 365 applications. Thanks to this, employees can raise their requests/tickets in ServiceDesk directly from Teams or Outlook. System integration with monitoring systems (e.g. Zabbix) ensures maximum clarity for IT, both in terms of analysing the performance of infrastructure elements and in terms of security and suspicious activities in the corporate network (e.g. connecting an unknown device to the network).

IT Asset Management

A good overview of IT assets is crucial for the cybersecurity of the entire organization. ALVAO Asset Management will simplify and streamline your records. Automatic detection creates a comprehensive picture of all equipment (computers, monitors, servers, copiers, switches, etc.), including technical parameters. This makes it easy to get an overview of outdated hardware, unlicensed or malicious software, or unused devices.



Easy auditability

ALVAO provides a complete audit trail, whether it’s about an incident or specific device history. Ease of auditability is a prerequisite for compliance with the terms of the DORA directive.

Scheduling security tests

Whether you’re planning a regular security test or a comprehensive penetration test, ALVAO will help you organize and allocate tasks. The results of the testing are easily searchable under the ticket.

Security Change Management

When vulnerabilities are found in the ICT infrastructure, you can view the relationships between configuration items (CI) in the configuration database (CMDB) and find out which other configuration items need to be secured as well.


Risk Management and Assessment

The risk register is crucial for effective risk management. ALVAO helps to specify different levels of risk and define the appropriate steps. You can determine the severity of the outage, the probability, and the people responsible, which minimizes the impact of an attack or outage.

Build a contingency plan to ensure business continuity through ALVAO

Maintaining operations in the event of an attack or accident is one of the most important requirements of the new directive. Draw up a crisis plan and then implement the process in ALVAO so that in the event of an incident the respective steps are fully automated. 

For example, in the event of a server or service outage, an incident is automatically created and tasked to a specific solver for immediate alleviation of consequences (a quick fix) and at the same time an automatic report can be created about reduced user service availability. A request is then made to the infrastructure administrator to perform an in-depth analysis of the problem (problem management) and its elimination (change management). 

ALVAO will provide them with all the salient information, including operational history, configuration, links, and previous incidents.

Transparent IT service provider relationships management

ALVAO will help you keep track of IT services, suppliers, contracts, and deadlines. You can easily set a reminder to flag up a warranty or contract expiry or a license renewal. You can communicate with suppliers directly from ALVAO, giving you complete liaison history, and can evaluate the reliability of individual suppliers and set up effective and secure cooperation that meets DORA requirements.

We are a long-established partner for financial institutions


Conclusion

If you are still holding off or just preparing for the implementation of changes related to Digital Operational Resilience Act (DORA) and are looking for an effective solution that will help you meet the requirements of the directive, please do not hesitate to contact our specialists for a non-binding consultation. We will be happy to explain how ALVAO can help in your specific case with the implementation of new processes and changes arising from DORA. There is no time to waste.


Schedule a meeting