DORA Getting Started Guide

Digital infrastructure is increasingly the backbone of our society, which makes operational resilience essential for the many sectors and services that support daily life. Few sectors depend on it more than financial services, where nearly everything runs on computers, networks, and digital systems. To help secure these services, the EU has adopted DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which establishes a comprehensive framework for digital operational resilience across the financial sector. Its scope is broad: it covers banks, insurance companies, investment firms, and the ICT third-party service providers that serve them.

For many organizations, DORA compliance is a journey full of complexities and uncertainties. This article series aims to help you navigate the DORA landscape with practical insights, step-by-step guidance, and expert perspectives on how to approach compliance effectively. So without further ado, let's get the DORA compliance party going!

Start by asking yourself the questions below.
  1. Do we fall directly under DORA? Put simply: are we supervised by the financial supervisory authority in our country?

  2. What kind of DORA obligations do we have? If you are supervised by the financial supervisory authority in your country, it is almost certain that you need to implement DORA in full. If you are not, but your customers fall under DORA, you will still need to meet parts of it: DORA requires those customers to pass specific requirements on to their ICT service providers through their contracts.

  3. Should we use the full or the simplified ICT risk management framework? The simplified framework is only available to the categories of smaller entities that DORA explicitly lists; everyone else uses the full framework.

  4. Do we have an inventory of our ICT and other assets (a great idea even if we don't fall under DORA)?

  5. Have we implemented a risk-based approach to managing information security in general, and ICT risk in particular (a great idea even if we don't fall under DORA)?

  6. Are we following industry best practices for information security, and do we have policies and procedures in place for, among other things:
     - top management involvement and accountability,
     - regular checks and reviews of the effectiveness of our security controls,
     - change management,
     - separation of development, test, and production environments,
     - separation of duties,
     - regular security training for staff and consultants,
     - appropriate access control and management of access rights,
     - backup, incident, and disaster recovery routines,
     - capacity planning and testing, and
     - incident reporting routines?

  7. Do we know how to report ICT-related incidents in a DORA-compatible way, and do we have procedures prepared for doing so? Under DORA, major ICT-related incidents must be reported to the competent authority in stages (an initial notification followed by intermediate and final reports), so the procedure needs to be ready before an incident happens.

Most companies already have some of this in place, while other parts need updating, improvement, or a first implementation. If that describes your situation, it is nothing unusual and nothing to worry about. But there is no better time than now to start improving your information security and preparing for DORA compliance.

How to use this documentation most effectively

The easiest way to go through this article series is simply to read the articles in the order they are presented. We start with a high-level overview of DORA and drill down into the details as we go along. The most advanced parts are the articles that go through the Recitals and Articles of Commission Delegated Regulation (EU) 2024/1774, a regulation that supplements the main DORA regulation (2022/2554) with more detailed specifications and guidelines for implementation. It can be seen as a kind of blueprint for how to implement DORA compliance.

Are you missing anything or have a suggestion?

Since DORA is a new regulation and many organizations are implementing compliance right now, many implementation questions and details are still changing and evolving. We will add more information and make improvements to this series as things progress. If you have questions, are missing information, have suggestions for improvements, or find issues, please don't hesitate to contact us via this form or send us a message at dora@komply.one.


Quick background and general information