In the context where the digital transformation of the healthcare sector is accelerating, the protection of health data is an increasingly critical issue. In 2021, our article “Health Data Host Certification: Two Years Already!” by Laurent Guille and Alexandra Cuillerdier, provided a promising initial assessment of the HDS framework. Faced with growing concerns related to data sovereignty and cybersecurity, a redesign was necessary. This evolution towards HDS v2, which came into effect in 2024, marks a turning point in the approach to health data hosting in France, strengthening the protection and sovereignty of health data in an ever-evolving digital context. 

HDS v1: a first structuring but perfectible framework 

Since its introduction in 2018, the HDS framework has helped structure and professionalize the health data hosting sector. However, this first version of the framework had certain limitations. In particular, the initial framework presented gray areas regarding data sovereignty, especially concerning the location and control of health data. Additionally, the rapid evolution of cyber threats and technologies required a substantial update of security requirements to maintain a level of protection adapted to current risks. 

Overhaul of the Technical and Security Framework 

On the technical side, the new requirements of the ISO 27001:2023 standard are adopted within the new version of HDS. This update integrates security risk management adapted to new digital contexts, as well as new controls related to cybersecurity. The other normative references are rationalized. References to ISO 20000-1, ISO27017, and ISO27018 standards disappear in the HDS v2 framework, while 31 specific requirements are directly integrated into the framework, which also relies on the ISO/IEC-17021-1:2015 standard to govern conformity assessment. This new version also clarifies the articulation with the requirements of the SecNumCloud framework to facilitate obtaining HDS certification for hosts already qualified with SecNumCloud. 

A Major Strengthening of Digital Sovereignty 

One of the most significant developments in HDS v2 concerns the strengthening of digital sovereignty. The new framework now requires that the physical hosting of health data be carried out exclusively within the territory of the European Economic Area (EEA). This requirement reinforces guarantees in terms of data protection and contributes to the emergence of an ecosystem of European players in the field of digital health. 

This is complemented by enhanced transparency, which also becomes a central issue of the framework, with two major obligations: 

• Hosts must now publish on their website a map of any data transfers to countries outside the EEA, thus allowing data subjects and healthcare actors to have clear visibility on the journey of their data; 

• In the case of remote access to data from a third country or submission to non-European legislation that does not ensure an adequate level of protection within the meaning of Article 45 of the GDPR, the host must inform its clients in the contract. In particular, it must specify the associated risks and detail the technical and legal measures implemented to limit them. 

Strengthening of Contractual Requirements 

Subcontracting supervision receives particular attention in HDS v2. The associated measures are reinforced, and hosts must now: 

• Precisely detail the certified hosting activities in their contracts; 

• Maintain complete transparency regarding their subcontracting chain; 

• Ensure that their subcontractors comply with the same requirements for data security and location; 

• Implement mechanisms to control and audit their subcontractors. 

These new contractual obligations aim to ensure better control of the value chain and greater transparency for data controllers. 

Practical Consequences for the Ecosystem 

For health data hosts, these evolutions of the framework imply an adaptation of their infrastructures to guarantee the location of data within the EEA. They also require an upgrade of their security measures to meet the requirements of the 2023 version of the ISO 27001 standard and the review of contracts, both with their clients and with their subcontractors. 

Perspectives and Implementation 

This new modernized version of the HDS framework addresses the growing challenges of security, sovereignty, and transparency. Its implementation is spread over approximately two years, with immediate application for new certifications from November 16, 2024, and a transition period until May 16, 2026, for hosts already certified under HDS v1. 

In the longer term, several questions arise regarding the evolution of the framework. At a time when the NIS 2 directive already includes healthcare providers and the pharmaceutical industry among its essential sectors of activity, while classifying the manufacturing of medical devices and in vitro diagnostics in its important sectors, the emergence of HDS 2 raises a question: could European cooperation lead to an even more integrated framework for health data protection and harmonize practices across the continent? 

Cet article Evolution of the HDS Framework – Towards Enhanced Security and Sovereignty  est apparu en premier sur RiskInsight.

Definition of electronic voting

Electronic voting is a dematerialised, self-counting voting system in which voters use electronic devices to record their votes.

The system can be used remotely via internet voting, or in person where voters can visit polling stations equipped with voting machines.

History of electronic voting in France

The first traces date back to…1969!

The French Minister of the Interior, Raymond Marcellin, had the use of 100% mechanical voting machines authorised[i]. Due to major breakdown and the failure to reduce fraud, these machines fell into disuse, but the amendment made to the electoral code remained.

Use in professional elections

In the 2018 French public sector professional elections, 5.15 million public employees were asked to vote using an electronic voting solution.

In 2022, 5.6 million public employees in the three branches of the civil service are called upon to vote for their union representatives in the representative bodies. The ballot took place from the 1^st to the 8^th of December 2022. This was precedent in several respects, including the generalisation of electronic voting in the civil service and the establishment of new bodies for social dialogue[ii].

Experiments underway for voting by French citizens abroad

For the 2017 elections, the Ministry of Foreign Affairs and International Development had developed an online voting platform for French citizens living abroad to participate in the legislative elections.

Types of voting in French organisations

Since 2018 in the French private sector, it became compulsory for companies with more than 11 employees to hold elections for members of the staff delegation within the social and economic committees (CSE), by secret ballot

In all cases, the employer should inform the workforce every four years (unless the industry agreement provides for a shorter period of between two and four years) by posting notices of the elections.

How electronic voting works in the context of professional elections

Prior to the vote, the employer must call the professional elections specifying the date, place, and voting method (paper, electronic, or hybrid).

The organisation of elections is generally based on one or more centralised polling stations and regional polling stations, depending on the volume of votes and voters. The polling station members are trained, the solution is assessed, and test elections are held.

Once the solution has been validated it goes into production, and the election can begin:

1. The electoral lists are drawn up and unions or employees can check and report any errors or omissions.
2. Candidates can campaign to the voters and present their program.
3. On the day of the opening of the vote, the solution is sealed using private encryption keys, where 1/3 is held by the corporate administration and 2/3 by the trade unions.
4. Voters then vote according to the designated timetable, the polling stations monitor the counting of votes and assist the voters, the supervision unit monitors the process and manages any incidents, and the provider company is mobilised if necessary.
5. On the closing day of the elections, the integrity of the ballot box (urn) is checked, and the unsealing is carried out by the administration and the trade unions.
6. The counting of the votes is then carried out under the control of the centralising polling stations.
7. The results of the elections should be communicated to the voters, publicly displayed, and sent to the labour inspector (“Inspecteur du travail”).
8. The ballot box is sealed again, and the entire solution (including copies of source and executable programs, voting materials, vote count, results and backup files and files that keep track of interventions on the system) is archived under seal for a minimum of 2 years.
9. In the event of a dispute, an appeal may be lodged with the labour inspector or the district court.

What are the opportunities and risks in electronic voting?

Opportunities

Ease of implementation of the ballot

Electronic voting is generally more efficient to implement than paper voting, requiring less manual work for preparation (printing of propaganda posters, logistics, etc.), counting and reporting of results. This leads to a reduction in costs and an improvement in the efficiency of the electoral process.

Reducing the carbon footprint

Electronic voting greatly reduces the dependence on paper printing for electoral lists, propaganda documents, and especially ballot papers. It also drastically reduces travel depending on the geographical organisation of the company.

According to a study by Kercia[iv], the carbon footprint of a postal vote is more than twice that of an electronic vote.

Maximising participation and elected bodies with a broader electoral base

Electronic voting allows for greater voter participation.

A study conducted in Switzerland in 2011 showed that turnout increased by 2.2%[v] in cantons that implemented e-voting compared to those that did not use this method. Similarly, a study in Estonia in 2014 found that the use of e-voting increased voter turnout by 3-4%[vi].

Voters can vote remotely without having to physically travel to the polling station. This can increase voter turnout, especially in the context of the widespread use of remote work post-COVID-19.

Agreements with a stronger democratic basis

E-voting can help to strengthen social dialogue due to wider outreach and greater accessibility for voter participation. The results of elections are more convincing by increasing the participation in the polls.

Risks

Alteration of results

Electronic voting systems can be vulnerable to attacks such as the usurpation of voter accounts, multiple votes by the same voter in the same election, or the compromise of ballots.

Protection of personal data

The implementation of e-voting platforms should consider the risk of excessive collection of sensitive personal data such as voters’ political opinions.

Voters’ personal information may also be stored on vulnerable servers, exposing this data to the risk of compromised voting secrecy or data leakage.

Transparency of voting operations

It can be difficult for each stakeholder to understand how votes are recorded and how the results are tabulated, leading to mistrust of the solution and the election results.

These risks must be considered and mitigated in order to drastically reduce the probability of occurrence and/or their impact on the smooth running of the elections.

How to comply with the regulations?

CNIL deliberation 2019-053 of 25 April 2019

The CNIL (National Commission for Information Technology and Civil Liberties) deliberation n°2019-053 of 25 April 2019[vii] simplifies and clarifies the texts of 2010 and 2018. The process is as follows:

1. Choice of security level (1, 2 or 3) according to a questionnaire provided by the CNIL[viii].
2. Implementation of a test voting platform (iso-production) prior to the elections, with support from the independent expert in the event of questions relating to the conformity of the technical and organisational choices to be made.
3. Independent assessment of the solution to evaluate the compliance of the solution with the security objectives: depending on the defined risk level, the security objectives are more or less strict. These are cumulative, e.g., if a risk level of 3 is defined, the objectives of levels 1, 2 and 3 must be met.

Decree 2011-595 (public sector)

A regulation has been added to the CNIL deliberation 2019-053 for the public service and certain parastatal sector companies[ix] :

In addition to the CNIL security objectives, 18 articles composing this decree must be respected and checked by the independent expert. The control points include for example:

• “At least 2/3 of the keys are allocated to the list delegates and at least 1 key is allocated to the president of the polling station or his representative.”
• “The sealing is carried out by the combination of at least 2 encryption keys, including the one of the president of the polling station or his representative and the one of at least one list delegate”
• “A process ensures that the voters’ list is only modified by the addition of a ballot electronical paper, which is issued by an authenticated voter casting the vote.”
• “Each voter shall be provided at least fifteen days before the first day of the election with a means of authentication enabling him or her to participate in the election – the confidentiality of this means of authentication shall be guaranteed”
• “A process ensures that the electronic ballot box (urn) is only modified by the vote of an authenticated voter”

Independent expertise

Obligation

“Any data controller implementing an electronic voting system, in particular via the Internet, must have its solution assessed by an independent expert, whether the voting solution is managed internally or provided by a service provider.” – CNIL Deliberation 2019-053

Modalities

When?

This expertise must be carried out:

• Prior to the implementation of the electronic voting system
• In the event of a design change to the existing electronic voting system
• For every new election using the electronic voting system, even if it has already been audited

By whom?

By an independent expert, who must:

• Be an IT (Information Technology) specialist in security
• Not having an interest in the company that created the voting solution or in the organisation responsible for processing
• If possible, have experience in analysing voting systems, having assessed the voting systems of at least two different providers.

Why?

To ensure compliance with the fundamental principles governing electoral operations:

• The secrecy of the ballot
• The personal and free nature of voting
• The sincerity of the electoral operations
• Effective monitoring of the vote by the electoral commission
• A posteriori control by the election judge

Typical working approach

Our vision of independent expertise is illustrated by the main steps described in this chapter.

Initialisation and framing

To initiate the mission, a kick-off meeting is organised with the project contacts.

The purpose of this meeting is to introduce the teams, define the milestones and project schedule, specify the service monitoring procedures, the communication procedures between the parties (encryption of exchanges, etc.), collect the existing documentation, and set up the committee procedure.

Audit of the solution and expert support

This central phase of the assessment is based on a theoretical and practical analysis:

• Control of project documentation and specifications
  • From the “paper” phase onwards, it is necessary to ensure that all the points of compliance are present and in line with the regulations in force: technologies used and updates of the latter, hosting of the solution, physical security, architecture and high availability, partitioning between ballots, sealing and encryption techniques, means of compiling, correlating, communicating and deleting electoral lists, voter authentication scheme, etc.
• Support in expertise and safety advice
  • This involves providing ad hoc expertise on subjects relating to the legal and regulatory framework during the design and implementation phase of the solution and processes (g., choice of authentication factors, process for storing sealing keys, etc.).
• Technical audit of the solution
  • Architecture review to check the compliance of physical and logical partitioning, security of flows, hosting, high availability, etc.
  • Audit of the organisation and processes such as sealing, authentication communication, archiving, etc.
  • Technical configuration review of the key servers of the solution
  • Audit of the source code and encryption mechanisms of the solution based, among other security frameworks, on the RGS[x] (Référentiel Général de Sécurité)
  • Black-box and grey-box penetration testing of voting portals and the supervision back-office

Observation of test elections

This phase aims to simulate an election to check the correct application of the protocol and the processes verified beforehand on field:

• Validation of the compliance monitoring process
  • In this step, the aim is to verify that the technique used for the verification of the non-alteration of the system (fingerprinting) works.
• Checks on the solution on field
  • It is a matter of ensuring, in vivo, that all the points mentioned in terms of security and regulations are in place, for example through the analysis of application and system logs, or “random” checks: presence of temporary files containing sensitive information, capacity to collect data, etc.
• Expertise support during the voting process and assistance in adapting procedures in case of unforeseen events

Accompaniment during the actual election

The same checks as during the test elections are carried out, and specifically:

• System integrity check: Fingerprinting of essential system components (libraries, code, encryption libraries, etc.) and comparison of the fingerprints with those obtained beforehand.
• Compliance with the regulatory framework: sealing process, access, and use of encryption/decryption keys, counting process, etc.

What are the pitfalls and how can they be avoided?

Limited access to systems

The high expertise market context of voting solutions may make vendors reluctant to share confidential information about their technology, such as source code, in the interests of industrial secrecy, which may limit the ability of experts to assess system compliance.

In order to avoid this pitfall, it is essential to implement regular communication and full transparency of the actions of the independent expert. Guarantees must be provided for the protection of the confidentiality of the data collected and processed via processes and an IS certified by SMSI or II 901[xi] (French norm for “Restricted Distribution” classified information).

Furthermore, we recommend that independent experts are flexible in their organisation, for example by agreeing to consult the source code exclusively on the provider’s premises.

Finally, it should be recalled that CNIL deliberation 2019-053 requires the service provider to make available “the source code corresponding to the version of the software actually implemented ” to the independent expert.

Distrust of trade unions and voters

Trade unions and voters can legitimately question the independence of the expert and the guarantees provided by the expertise, leading to mistrust of the electronic voting solution.

These fears are well-founded and must be addressed through transparency and the provision of factual and verifiable evidence for each observation reported during the assessment.

Furthermore, no findings should be ambiguous, conditional, or omitted.

Finally, it is essential to present the limits of the expertise exercise, and the logical impossibility of providing a 100% guarantee that the system cannot be attacked.

Interpretation of the regulations

The available regulations are not always clear and explicit, including

• Non-standard architectures are not subject to specific rules
  • Ex: An architecture based on an IS straddling the SaaS (Software as a Service) solution publisher and the employer’s IS
• Some terms may be ambiguous
  • g.: “A voter’s vote must be an atomic operation” – atomicity being a functional rather than a technical notion, e.g., Internet communication protocols do not allow the entire ballot to be contained in a single network packet

The application of security standards and frameworks (such as RGS), direct consultation with the CNIL, and the implementation of a solution that responds to the risk in substance are all ways of remedying this pitfall.

Conclusion and recommendations

To make the most of the independent expertise and to factualise it, we recommend combining the regulatory compliance approach with a risk-oriented approach, based on the technical audit (penetration tests, configuration reviews, etc.) in a logic of practical and pragmatic securing of the solution within the regulatory framework.

This exercise can only be carried out effectively and efficiently if all project stakeholders, including the publisher and trade unions, are involved and made aware of the project as early as the design phase.

Finally, it is necessary to bear in mind that e-voting is a constantly evolving technology. It is likely that new methods and technologies will emerge in the future, leading to an evolution of the regulations. Therefore, technical and regulatory monitoring is and will remain an essential subject for election organisers, publishers, and independent expertise companies alike.

For any information or quotation request on the subject of the independent expertise of electronic voting systems, we invite you to contact us via the following form: https://www.wavestone.com/fr/contact/

We wish you every success in organising your professional elections!

[i] https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000000511691/

[ii]h ttps://www.economie.gouv.fr/elections-professionnelles-2022-quelques-minutes-pour-quatre-annees

[iii] https://fr.wikipedia.org/wiki/Comit%C3%A9_social_et_%C3%A9conomique

[iv]h ttps://www.kercia.com/vote-electronique

[v]h ttps://www.admin.ch/gov/fr/accueil/documentation/communiques.msg-id-37639.html

[vi]h ttps://www.smartmatic.com/fr/actualites/article/lestonie-atteint-des-taux-records-de-vote-par-internet-grace-a-une-nouvelle-technologie/

[vii] https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000038661239

[viii] https://www.cnil.fr/fr/securite-des-systemes-de-vote-par-internet-la-cnil-actualise-sa-recommandation-de-2010

[ix] https://www.legifrance.gouv.fr/loda/id/JORFTEXT000024079803/

[x] https://www.ssi.gouv.fr/entreprise/reglementation/confiance-numerique/le-referentiel-general-de-securite-rgs/

[xi] https://www.ssi.gouv.fr/guide/recommandations-pour-les-architectures-des-systemes-dinformation-sensibles-ou-diffusion-restreinte/

Cet article Independent expertise of electronic voting systems est apparu en premier sur RiskInsight.

Why Digital Operational Resilience Act (DORA)?

DORA is part of an EU-wide “Digital Finance Package”, aimed at making sure the financial sector can leverage opportunities brought by technology and innovation whilst mitigating the new risks associated. This package involves regulation on crypto assets, blockchain technology, and digital operational resilience.  

With the Digital Operational Resilience Act, the EU aims to make sure financial organisations mitigate the risks arising from increasing reliance on ICT systems and third parties for critical operations. Organisations need to be able to “withstand, respond and recover” from the impacts of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system. This means establishing robust measures and controls on systems, tools and third parties, having the right continuity plans in place, and testing their effectiveness.  

This global, large scope regulation is coming in to rationalise an increasingly fragmented regulatory landscape on the topic, with a number of local regulatory initiatives in member states and smaller scope EU guidelines on related topics (e.g. testing requirements, management of ICT third party dependencies, cyber resilience). Setting up a global regulatory framework will ensure there are no overlaps or gaps in regulation and maintain good conditions for competition in the single market.  

DORA also fits into a worldwide trend in regulation on resilience for the financial sector, pioneered by the Bank of England’s (FCA and PRA) consultation papers on operational resilience and impact tolerances, and followed by principle-based papers on operational resilience from the Bank of International Settlements (BIS) and the Federal Reserve.  

DORA in a nutshell: what does it change?

Contrary to the FCA/PRA, the Federal Reserve and the BIS, DORA focuses on solely resilience to ICT-related incidents and introduces very specific and prescriptive requirements. It is not just a set of guidelines but rather criteria, templates and instructions that will shape how financial organisations manage ICT risk. It demonstrates that EU regulators want to be very hands-on on the topic, with a lot of reporting, communication and assessments that need to happen frequently, enabled by standardised MI and reporting.  

DORA introduces requirements across five pillars:  

• ICT risk management 
• ICT incident reporting 
• Digital Operational resilience testing 
• ICT third-party risk management  
• Information and intelligence sharing 

Some of the requirements are straight-forward and largely built on what is already being done in organisations (for example, the risk management framework that needs to be developed is similar to industry standards like NIST); but some are also challenging and will mean organisations need to launch some work to be compliant. We have summarised the requirements and these key challenges to start addressing now for each of the 5 pillars.  

1. ICT risk management

Why? Ensure specific measures and controls are in place to limit the disruption to the market and to consumers caused by incidents, and ensure accountability of the management body on ICT risk management.   

Key requirements: Firms will need to follow governance principles around ICT risk, with a focus on accountability of the management body. They will need to identify their risk tolerance for ICT risk, based on the risk appetite of the organisation and the impact tolerance of ICT disruptions. They will also need to have a risk management framework in place that includes identification of critical and important functions, risks associated and a mapping of the ICT assets that underpin them; as well as specific protection, prevention, detection, response and recovery plans and capabilities, continuous improvement processes and metrics, and a crisis communication strategy with clear roles and responsibilities.  

Biggest challenge: As part of the continuous improvement processes, DORA introduces compulsory training on digital operational resilience for the management body but also for the whole staff, as part of their general training package.  

2. ICT incident reporting

Why? Harmonise and centralise reporting of incidents to enable the regulator to react fast to avoid spreading of the impact, and to promote collective improvement and firms’ knowledge of current threats to the market. 

Key requirements: DORA introduces a standard incident classification methodology with a set of specific criteria (number of users affected, duration, geographical spread, data loss, severity of impact on ICT systems, criticality of services affected, economic impact) with thresholds that are yet to be published. Following this methodology, incidents classified as major will have to be reported to the regulator within the same business day, following a certain template. Follow-up reporting will also be required after a week, and after a month. These reports will all be anonymised, compiled, and released regularly to the whole community.  

Biggest challenge: Firms will need to change their incident classification methodology to fit with the requirements. They will also need to set up the right processes and channels to be able to notify the regulator fast in case a major incident occurs. Based on what gets classified as “major”, this might happen frequently. To help organisations prepare, we anticipate that the incident classification methodology will align with the ENISA Reference Incident Classification Taxonomy.  

3. Digital Operational Resilience testing

Why? Ensure that financial entities test the efficiency of the risk management framework and measures in place to respond to and recover from a wide range of ICT incident scenarios, with minimal disruption to critical and important functions, in a way that is proportionate to their size and criticality for the market. 

Key requirements: With DORA, all firms must put in place a comprehensive testing programme, including a range of assessments, tests, methodologies, practices and tools, with a focus on technical testing. The most critical firms will also have to organise a large-scale threat-led live penetration test every 3 years (red team type exercise), performed by independent testers, covering critical functions and services and involving EU-based ICT third parties. The scenario will have to be agreed by the regulator in advance and firms will receive a compliance certificate upon completion of the test. More guidance for these tests, as well as the criteria which defines a critical firm, will be published in 2021. 

Biggest challenge: It is likely that critical firms will need to organise this threat-led penetration test by the end of 2024 and this type of test requires a lot of preparation. The fact that it needs to involve critical ICT third parties will also mean they need to be involved in the preparation. Firms that believe they will be in scope (might be firms already in the scope of NIS regulation) should start thinking about the scenario as soon as possible to enable validation with the regulator at least 2 years before the deadline.  

4. ICT third party risk management

Why? Ensure that financial organisations have an appropriate level of controls and monitoring of their ICT third parties, especially the ones that underpin critical functions; and set up specific oversight on providers that are critical to the market as a whole.  

Key requirements: With this regulation, the EU introduces requirements on both financial organisations and critical ICT providers.  

• Financial organisations will need to have a defined multi-vendor ICT third-party risk strategy and policy owned by a member of the management body. They will need to compile a standard register of information that contains the full view of all their ICT third-party providers, the services they provide and the functions they underpin; and report on changes to this register to the regulator once a year. They will need to assess ICT service providers according to certain criteria before entering a contract (e.g. security level, concentration risk, sub-outsourcing risks), and they will need to plan for an exit strategy in case of failure of a provider. DORA also contains guidelines for contract contents and reasons for termination of contract, which has to be linked to a risk or evidence of non-compliance at the provider level.  
• Under a new Oversight Framework, critical providers will be the subject of annual assessments against resilience requirements such as availability, continuity, data integrity, physical security, risk management processes, governance, reporting, portability, testing… These assessments will be performed directly by the regulator and will result in penalties for non-compliance.  

Biggest challenge: Collating information on all ICT vendors (not only the most critical), with the services provided and functions they underpin for the register of information will be a very big task for large financial organisations that typically rely on thousands of big and small providers and legacy contract management systems that make it difficult to mine data from.  

5. Information and intelligence sharing

Why? Promote sharing of information and intelligence on cyber threats between financial organisations to enable them to be better prepared.  

Key requirements: DORA introduces guidelines on setting up information sharing arrangements between firms for cyber threats, including confidentiality requirements and the need to notify the regulator.  

Biggest challenge: We do not see any particular challenge in this space as many organisations already have such agreements in place. It will be an opportunity to make local initiatives, networks or associations visible and encourage more companies to become part of them.  

What happens next?

DORA is currently going through the EU legislative process and it is expected to take 6-12 months before it becomes law. A few questionable topics might lead to some debates and slow down the process, especially on third-party management: restrictive criteria for organisations to terminate contracts, banned non-EU based critical third parties, penalty system and financing of the Oversight framework by the critical providers. There are also details that still need to be published to clarify some of the requirements (e.g. templates, criticality criteria and thresholds…), which might also create some debates.  

Once DORA is passed, firms should have one year to get into compliance with most of the requirements (i.e. probably by the end of 2022 – but this one-year deadline is short and we anticipate it may shift to 18 months following market feedback) and 3 years to organise a large-scale penetration test if required (i.e. probably by the end of 2024).  

In order to be ready, we recommend organisations take the following steps in 2021:  

• Perform a maturity assessment against the DORA requirements, with associated gap analysis and mitigation plan to reach compliance by the end of 2022 
• Begin thinking about a scenario for the large-scale penetration test, aiming to get it validated by the regulator by mid-2022 
• Start work on consolidation of the register of information for all ICT third party providers 

Cet article Decrypting DORA: what does it mean for Resilience of financial organisations? est apparu en premier sur RiskInsight.