From 17th January 2025, the DORA (Digital Operational Resilience Act) regulation will be applied in all European Union countries. Its purpose is to increase the operational digital resilience of financial entities, including credit institutions, payment institutions, insurance and reinsurance companies, and investment firms. DORA is also seen as a step towards regulating the provision of ICT services in the financial market, meaning its provisions will also apply to organizations providing such services. How can financial institutions prepare for the new regulations? One potential solution is the DORIAN system created by Linux Poland.
What is DORA Regulation and Who Will it Cover?
The DORA regulation was published in the Official Journal of the European Union on December 14, 2022, and it updated previous regulations (No 1060/2009, No 648/2012, No 600/2014, No 909/2014, and No 2016/1011). These new regulations lay out uniform requirements for financial institutions regarding the security of networks and information systems supporting business processes. These requirements primarily concern ICT risk management, reporting of serious operational or security incidents related to payments, testing of operational digital resilience, risk management of ICT service providers, and setting up a control framework for national and EU supervisory bodies.
Over 20 types of organizations will be covered by DORA, mainly financial entities such as credit and payment institutions, investment firms, management companies, insurance companies, and central securities depositories. Importantly, the regulation will also apply to external providers of ICT services. Further, Article 4 introduces the principle of proportionality: financial institutions will apply the regulations taking into account the size of the risk, as well as the scale and complexity of their services and operations.
New Obligations for Financial Entities
DORA imposes various obligations on financial institutions. These include implementing policies to ensure high standards of data availability, integrity, and confidentiality; approving strategies that ensure operational continuity and response plans for IT system failures; and regular security audits. Financial companies will be required to test their operational digital resilience by assessing network vulnerability and security, reviewing source code, and conducting scenario and penetration tests.
The Regulation also provides a guideline for information exchange in cybersecurity and regulates incident management, including early warning indicators, categorization of events based on their importance, and the responsibility to report serious threats to management. As Dariusz Świąder, the President of Linux Poland, emphasized, under DORA financial institutions will also be obligated to manage risk with regard to cooperating with external ICT service providers.
In preparation for the regulation’s future implementation, Linux Poland has developed the DORIAN (Digital Operational Resilience Investigation and Analysis) system, a tool that can help financial entities manage operational risk in the ICT area and address the requirements defined by DORA.
How to Prepare for DORA Regulation?
The DORA regulation will take effect on 15 January 2025. To help companies meet the requirements specified in the regulations, Linux Poland has created the DORIAN system. This solution supports operational risk management in the ICT area in financial entities. As stressed by Dariusz Świąder, the system also aims to enhance IT security in financial entities.
Radosław Żak-Brodalko, Senior Architect Solutions at Linux Poland, adds that DORIAN was intended to be a simple and intuitive tool that will streamline the work of risk analysts. This goal has been achieved, and the tool has proven to be a practical asset in managing and analyzing ICT asset risks.
An estimated 22,000 financial entities operating within the European Union will be covered by the DORA regulation. The responsibility for adhering to the regulations resides with the management boards of these organizations. In Poland, the supervisory body function is performed by the Financial Supervision Commission.
Source: https://managerplus.pl/dorian-w-sluzbie-rozporzadzenia-dora-nowy-system-ma-zwiekszac-bezpieczenstwo-it-w-podmiotach-finansowych-16299