{"id":14837,"date":"2020-12-18T15:51:32","date_gmt":"2020-12-18T14:51:32","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=14837"},"modified":"2020-12-18T16:03:09","modified_gmt":"2020-12-18T15:03:09","slug":"decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/","title":{"rendered":"Decrypting DORA: what does it mean for Resilience of financial organisations?"},"content":{"rendered":"<p style=\"text-align: justify;\">With the release of the Digital Operational Resilience Act (DORA), the European Union is taking a strong stand to strengthen the financial sector\u2019s resilience to major ICT-related incidents. With prescriptive requirements on both financial entities and critical ICT service providers, and an aggressive timeline for compliance (estimated at the end of 2022), organisations must start planning now.<\/p>\n
<h2 style=\"text-align: justify;\">Why Digital Operational Resilience Act (DORA)?<\/h2>\n
<p style=\"text-align: justify;\">DORA is part of an EU-wide \u201cDigital Finance Package\u201d, aimed at making sure the financial sector can leverage the opportunities brought by technology and innovation whilst mitigating the new risks associated with them. This package involves regulation on crypto assets, blockchain technology, and digital operational resilience.<\/p>\n
<p style=\"text-align: justify;\">With the Digital Operational Resilience Act, the EU aims to make sure financial organisations mitigate the risks arising from increasing reliance on ICT systems and third parties for critical operations. Organisations need to be able to \u201cwithstand, respond and recover\u201d from the impacts of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system. This means establishing robust measures and controls on systems, tools and third parties, having the right continuity plans in place, and testing their effectiveness.<\/p>\n
<p style=\"text-align: justify;\">This global, large-scope regulation is coming in to rationalise an increasingly fragmented regulatory landscape on the topic, with a number of local regulatory initiatives in member states and smaller-scope EU guidelines on related topics (e.g. testing requirements, management of ICT third-party dependencies, cyber resilience). Setting up a global regulatory framework will ensure there are no overlaps or gaps in regulation and maintain good conditions for competition in the single market.<\/p>\n
<p style=\"text-align: justify;\">DORA also fits into a <a href=\"https:\/\/uk.wavestone.com\/en\/insight\/navigating-through-the-resilience-frameworks-how-to-identify-the-right-frameworks-to-use\/\">worldwide trend in regulation on resilience for the financial sector<\/a>, pioneered by the <a href=\"https:\/\/www.bankofengland.co.uk\/prudential-regulation\/publication\/2018\/building-the-uk-financial-sectors-operational-resilience-discussion-paper\">Bank of England\u2019s (FCA and PRA) consultation papers<\/a> on operational resilience and impact tolerances, and followed by principle-based papers on operational resilience from the <a href=\"https:\/\/www.bis.org\/bcbs\/publ\/d509.htm\">Bank for International Settlements (BIS)<\/a> and the <a href=\"https:\/\/www.federalreserve.gov\/newsevents\/pressreleases\/bcreg20201030a.htm\">Federal Reserve<\/a>.<\/p>\n
<h2 style=\"text-align: justify;\">DORA in a nutshell: what does it change?<\/h2>\n
<p style=\"text-align: justify;\">Contrary to the FCA\/PRA, the Federal Reserve and the BIS, DORA focuses solely on resilience to ICT-related incidents and introduces very specific and prescriptive requirements. It is not just a set of guidelines but rather criteria, templates and instructions that will shape how financial organisations manage ICT risk. It demonstrates that EU regulators want to be very hands-on on the topic, with a lot of reporting, communication and assessments that need to happen frequently, enabled by standardised MI and reporting.<\/p>\n
<p style=\"text-align: justify;\">DORA introduces requirements across five pillars:<\/p>\n
<ul style=\"text-align: justify;\">\n
<li>ICT risk management<\/li>\n
<li>ICT incident reporting<\/li>\n
<li>Digital operational resilience testing<\/li>\n
<li>ICT third-party risk management<\/li>\n
<li>Information and intelligence sharing<\/li>\n
<\/ul>\n
<figure id=\"post-14838 media-14838\" class=\"align-none\" style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-14838 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2020\/12\/Image-1-1.png\" alt=\"\" width=\"539\" height=\"568\" \/><\/figure>\n
<p style=\"text-align: justify;\">Some of the requirements are straightforward and largely built on what is already being done in organisations (for example, the risk management framework that needs to be developed is similar to industry standards like NIST); but some are also challenging and will mean organisations need to launch some work to be compliant. We have summarised the requirements and these key challenges to start addressing now for each of the 5 pillars.<\/p>\n
<h3 style=\"text-align: justify;\">1. ICT risk management<\/h3>\n
<p style=\"text-align: justify;\"><b>Why?<\/b> Ensure specific measures and controls are in place to limit the disruption to the market and to consumers caused by incidents, and ensure accountability of the management body on ICT risk management.<\/p>\n
<p style=\"text-align: justify;\"><b>Key requirements:<\/b> Firms will need to follow governance principles around ICT risk, with a focus on accountability of the management body. They will need to identify their risk tolerance for ICT risk, based on the risk appetite of the organisation and the impact tolerance of ICT disruptions. They will also need to have a risk management framework in place that includes identification of critical and important functions, the risks associated with them and a mapping of the ICT assets that underpin them; as well as specific protection, prevention, detection, response and recovery plans and capabilities, continuous improvement processes and metrics, and a crisis communication strategy with clear roles and responsibilities.<\/p>\n
<p style=\"text-align: justify;\"><b>Biggest challenge:<\/b> As part of the continuous improvement processes, DORA introduces compulsory training on digital operational resilience for the management body but also for the whole staff, as part of their general training package.<\/p>\n
<h3 style=\"text-align: justify;\">2. ICT incident reporting<\/h3>\n
<p style=\"text-align: justify;\"><b>Why?<\/b> Harmonise and centralise reporting of incidents to enable the regulator to react fast to avoid spreading of the impact, and to promote collective improvement and firms\u2019 knowledge of current threats to the market.<\/p>\n
<p style=\"text-align: justify;\"><b>Key requirements:<\/b> DORA introduces a standard incident classification methodology with a set of specific criteria (number of users affected, duration, geographical spread, data loss, severity of impact on ICT systems, criticality of services affected, economic impact) with thresholds that are yet to be published. Following this methodology, incidents classified as major will have to be reported to the regulator within the same business day, following a set template. Follow-up reporting will also be required after a week, and after a month. These reports will all be anonymised, compiled, and released regularly to the whole community.<\/p>\n
<p style=\"text-align: justify;\"><b>Biggest challenge:<\/b> Firms will need to change their incident classification methodology to fit with the requirements. They will also need to set up the right processes and channels to be able to notify the regulator fast in case a major incident occurs. Based on what gets classified as \u201cmajor\u201d, this might happen frequently. To help organisations prepare, we anticipate that the incident classification methodology will align with the <a href=\"https:\/\/www.enisa.europa.eu\/publications\/reference-incident-classification-taxonomy\">ENISA Reference Incident Classification Taxonomy<\/a>.<\/p>\n
<h3 style=\"text-align: justify;\">3. Digital operational resilience testing<\/h3>\n
<p style=\"text-align: justify;\"><b>Why?<\/b> Ensure that financial entities test the efficiency of the risk management framework and measures in place to respond to and recover from a wide range of ICT incident scenarios, with minimal disruption to critical and important functions, in a way that is proportionate to their size and criticality for the market.<\/p>\n
<p style=\"text-align: justify;\"><b>Key requirements:<\/b> With DORA, all firms must put in place a comprehensive testing programme, including a range of assessments, tests, methodologies, practices and tools, with a focus on technical testing. The most critical firms will also have to organise a large-scale threat-led live penetration test every 3 years (red team type exercise), performed by independent testers, covering critical functions and services and involving EU-based ICT third parties. The scenario will have to be agreed by the regulator in advance and firms will receive a compliance certificate upon completion of the test. More guidance for these tests, as well as the criteria that define a critical firm, will be published in 2021.<\/p>\n
<p style=\"text-align: justify;\"><b>Biggest challenge:<\/b> It is likely that critical firms will need to organise this threat-led penetration test by the end of 2024, and this type of test requires a lot of preparation. The fact that it needs to involve critical ICT third parties will also mean they need to be involved in the preparation. Firms that believe they will be in scope (which might be the firms already in the scope of NIS regulation) should start thinking about the scenario as soon as possible to enable validation with the regulator at least 2 years before the deadline.<\/p>\n
<h3 style=\"text-align: justify;\">4. ICT third-party risk management<\/h3>\n
<p style=\"text-align: justify;\"><b>Why?<\/b> Ensure that financial organisations have an appropriate level of control and monitoring of their ICT third parties, especially the ones that underpin critical functions; and set up specific oversight on providers that are critical to the market as a whole.<\/p>\n
<p style=\"text-align: justify;\"><b>Key requirements:<\/b> With this regulation, the EU introduces requirements on both financial organisations and critical ICT providers.<\/p>\n
<ul style=\"text-align: justify;\">\n
<li><b>Financial organisations<\/b> will need to have a defined multi-vendor ICT third-party risk strategy and policy owned by a member of the management body. They will need to compile a standard register of information that contains the full view of all their ICT third-party providers, the services they provide and the functions they underpin; and report on changes to this register to the regulator once a year. They will need to assess ICT service providers according to certain criteria before entering a contract (e.g. security level, concentration risk, sub-outsourcing risks), and they will need to plan for an exit strategy in case of failure of a provider. DORA also contains guidelines for contract contents and reasons for termination of contract, which have to be linked to a risk or evidence of non-compliance at the provider level.<\/li>\n
<li>Under a new Oversight Framework, <b>critical providers<\/b> will be the subject of annual assessments against resilience requirements such as availability, continuity, data integrity, physical security, risk management processes, governance, reporting, portability, testing\u2026 These assessments will be performed directly by the regulator and will result in penalties for non-compliance.<\/li>\n
<\/ul>\n
<p style=\"text-align: justify;\"><b>Biggest challenge:<\/b> Collating information on all ICT vendors (not only the most critical), with the services provided and functions they underpin, for the register of information will be a very big task for large financial organisations that typically rely on thousands of big and small providers and on legacy contract management systems that make it difficult to mine data.<\/p>\n
<h3 style=\"text-align: justify;\">5. Information and intelligence sharing<\/h3>\n
<p style=\"text-align: justify;\"><b>Why?<\/b> Promote sharing of information and intelligence on cyber threats between financial organisations to enable them to be better prepared.<\/p>\n
<p style=\"text-align: justify;\"><b>Key requirements:<\/b> DORA introduces guidelines on setting up information sharing arrangements between firms for cyber threats, including confidentiality requirements and the need to notify the regulator.<\/p>\n
<p style=\"text-align: justify;\"><b>Biggest challenge:<\/b> We do not see any particular challenge in this space as many organisations already have such agreements in place. It will be an opportunity to make local initiatives, networks or associations visible and encourage more companies to become part of them.<\/p>\n
<h2 style=\"text-align: justify;\">What happens next?<\/h2>\n
<p style=\"text-align: justify;\">DORA is currently going through the EU legislative process and it is expected to take 6-12 months before it becomes law. A few questionable topics might lead to some debates and slow down the process, especially on third-party management: restrictive criteria for organisations to terminate contracts, banned non-EU based critical third parties, the penalty system and financing of the Oversight Framework by the critical providers. There are also details that still need to be published to clarify some of the requirements (e.g. templates, criticality criteria and thresholds\u2026), which might also create some debates.<\/p>\n
<p style=\"text-align: justify;\">Once DORA is passed, firms should have one year to get into compliance with most of the requirements (i.e. 
probably by the end of 2022<\/span><span data-contrast=\"auto\">\u00a0\u2013 but this one-year deadline is short and we anticipate it may shift to 18 months following market feedback<\/span><span data-contrast=\"auto\">) and 3 years to organise a large-scale penetration test if required (i.e. probably by the end of 2024).\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\">In order to be ready,\u00a0<\/span><\/b><b><span data-contrast=\"auto\">we recommend organisations<\/span><\/b><b><span data-contrast=\"auto\">\u00a0take the following steps in 2021:\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<ul>\n<li style=\"text-align: justify;\" data-leveltext=\"\u2044\" data-font=\"Tahoma\" data-listid=\"10\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">P<\/span><\/b><b><span data-contrast=\"auto\">erform a maturity assessment against the\u00a0<\/span><\/b><b><span data-contrast=\"auto\">DORA requirements, with associated gap analysis and mitigation plan to reach compliance by the end of 2022<\/span><\/b><span data-ccp-props=\"{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li style=\"text-align: justify;\" data-leveltext=\"\u2044\" data-font=\"Tahoma\" data-listid=\"10\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">Begin thinking about a scenario for the large-scale penetration test, aiming to get it validated by the regulator by mid-2022<\/span><\/b><span 
data-ccp-props=\"{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li style=\"text-align: justify;\" data-leveltext=\"\u2044\" data-font=\"Tahoma\" data-listid=\"10\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">Start\u00a0<\/span><\/b><b><span data-contrast=\"auto\">work on consolidation of the register of information for all ICT third party providers<\/span><\/b><span data-ccp-props=\"{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With the release of the Digital Operational Resilience Act (DORA), the European Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents. 
With prescriptive requirements on both financial entities and critical ICT services provider, and an aggressive timeline&#8230;<\/p>\n","protected":false},"author":1132,"featured_media":16732,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3268,2777,3271],"tags":[3625,3738,3739,3741,3742,3740],"coauthors":[2570,3743],"class_list":["post-14837","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-for-financial-services-en","category-cybersecurity-digital-trust","category-digital-compliance-en","tag-cyber-resilience","tag-digital-compliance","tag-dora","tag-financial-regulation","tag-ict","tag-operational-resilience"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What does DORA mean for Resilience of financial organisations?<\/title>\n<meta name=\"description\" content=\"With DORA, the European Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What does DORA mean for Resilience of financial organisations?\" \/>\n<meta property=\"og:description\" content=\"With DORA, the European Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2020-12-18T14:51:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-12-18T15:03:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"780\" \/>\n\t<meta property=\"og:image:height\" content=\"456\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Roxane Bohin\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Roxane Bohin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\"},\"author\":{\"name\":\"m@THIEU\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/d32e77bd2cd2bb2261b4f64f06113d8c\"},\"headline\":\"Decrypting DORA: what does it mean for Resilience of financial 
organisations?\",\"datePublished\":\"2020-12-18T14:51:32+00:00\",\"dateModified\":\"2020-12-18T15:03:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\"},\"wordCount\":1807,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg\",\"keywords\":[\"cyber resilience\",\"Digital compliance\",\"DORA\",\"Financial regulation\",\"ICT\",\"Operational Resilience\"],\"articleSection\":[\"Cyber for Financial Services\",\"Cybersecurity &amp; Digital Trust\",\"Digital Compliance\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\",\"name\":\"What does DORA mean for Resilience of financial organisations?\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg\",\"datePublished\":\"2020-12-18T14:51:32+00:00\",\"dateModified\":\"2020-12-18T15:03:09+00:00\",\"description\":\"With DORA, the European 
Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg\",\"width\":780,\"height\":456},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Decrypting DORA: what does it mean for Resilience of financial organisations?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s 
consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/d32e77bd2cd2bb2261b4f64f06113d8c\",\"name\":\"m@THIEU\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/mthieu\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"What does DORA mean for Resilience of financial organisations?","description":"With DORA, the European Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/","og_locale":"en_US","og_type":"article","og_title":"What does DORA mean for Resilience of financial organisations?","og_description":"With DORA, the European Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents.","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/","og_site_name":"RiskInsight","article_published_time":"2020-12-18T14:51:32+00:00","article_modified_time":"2020-12-18T15:03:09+00:00","og_image":[{"width":780,"height":456,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg","type":"image\/jpeg"}],"author":"Roxane Bohin","twitter_misc":{"Written by":"Roxane Bohin","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/"},"author":{"name":"m@THIEU","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/d32e77bd2cd2bb2261b4f64f06113d8c"},"headline":"Decrypting DORA: what does it mean for Resilience of financial organisations?","datePublished":"2020-12-18T14:51:32+00:00","dateModified":"2020-12-18T15:03:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/"},"wordCount":1807,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg","keywords":["cyber resilience","Digital compliance","DORA","Financial regulation","ICT","Operational Resilience"],"articleSection":["Cyber for Financial Services","Cybersecurity &amp; Digital Trust","Digital Compliance"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/","name":"What does DORA mean for Resilience of financial 
organisations?","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg","datePublished":"2020-12-18T14:51:32+00:00","dateModified":"2020-12-18T15:03:09+00:00","description":"With DORA, the European Union is taking a strong stand\u00a0to strengthen\u00a0the financial sector\u2019s\u00a0resilience to ICT-related\u00a0major incidents.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/01\/Image14.jpg","width":780,"height":456},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/12\/decrypting-dora-what-does-it-mean-for-resilience-of-financial-organisations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Decrypting DORA: what does it mean for Resilience of financial 
organisations?"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/d32e77bd2cd2bb2261b4f64f06113d8c","name":"m@THIEU","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/mthieu\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/14837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1132"}],"replies":[{"embeddable":
true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=14837"}],"version-history":[{"count":6,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/14837\/revisions"}],"predecessor-version":[{"id":14841,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/14837\/revisions\/14841"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/16732"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=14837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=14837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=14837"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=14837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}