# DORA

Comply with EU Digital Operational Resilience Act requirements using CyberOrigen.

## Overview

DORA (Digital Operational Resilience Act) is an EU regulation for the financial sector. It establishes uniform requirements for ICT risk management, incident reporting, and third-party risk management.

Effective Date: January 17, 2025
## Scope

### Covered Entities
- Credit institutions
- Payment institutions
- Investment firms
- Insurance companies
- Pension funds
- Crypto-asset service providers
- ICT third-party service providers
### Key Areas
| Pillar | Description |
|---|---|
| ICT Risk Management | Governance and risk framework |
| Incident Reporting | Unified reporting mechanism |
| Resilience Testing | Regular testing requirements |
| Third-Party Risk | Oversight of ICT providers |
| Information Sharing | Threat intelligence exchange |
## ICT Risk Management Framework

### Articles 5-16 Requirements
| Article | Requirement |
|---|---|
| 5 | ICT risk management framework |
| 6 | ICT systems and tools |
| 7 | Identification |
| 8 | Protection and prevention |
| 9 | Detection |
| 10 | Response and recovery |
| 11 | Backup policies |
| 12 | Learning and evolving |
| 13 | Communication |
| 14 | Advanced testing |
### CyberOrigen Mapping
| DORA Article | CyberOrigen Feature |
|---|---|
| Art. 7 Identification | Asset discovery, scanning |
| Art. 8 Protection | Vulnerability remediation |
| Art. 9 Detection | Continuous monitoring |
| Art. 10 Response | Remediation workflow |
| Art. 14 Testing | Penetration testing support |
## Getting Started

### 1. Enable Framework
- Go to GRC → Frameworks
- Click Enroll on DORA
- Click Enable
### 2. ICT Risk Assessment
Document your ICT risk framework:
- Go to GRC → Risk Register
- Identify ICT-related risks
- Assess impact on operations
- Document controls
### 3. Third-Party Inventory
Catalog ICT service providers:
- Go to GRC → Vendors
- Add ICT providers
- Classify by criticality
- Track contracts
## Key Requirements

### ICT Incident Classification
| Severity | Criteria | Reporting |
|---|---|---|
| Major | Significant operational impact | Competent authority |
| Significant | Material operational impact | Internal reporting |
| Minor | Limited impact | Logging only |
### Classification Factors
- Number of clients affected
- Duration of incident
- Geographic spread
- Data losses
- Service criticality
- Economic impact
### CyberOrigen Support
- Incident detection
- Severity classification
- Evidence collection
- Timeline documentation
## Resilience Testing

### Basic Testing (All Entities)
| Test | Frequency |
|---|---|
| Vulnerability scans | Continuous |
| Network security assessment | Annual |
| Gap analysis | Annual |
| Physical security review | Annual |
| Source code review | As needed |
### Advanced Testing (Significant Entities)

| Aspect | Requirement |
|---|---|
| TLPT | Threat-Led Penetration Testing |
| Frequency | Every 3 years minimum |
| Scope | Critical functions |
| Provider | Independent testers |
### CyberOrigen Scanning
- Continuous vulnerability scanning
- Configuration assessment
- Access control testing
- Encryption verification
## Third-Party Risk Management

### Articles 28-30 Requirements
| Requirement | Description |
|---|---|
| Due diligence | Pre-contract assessment |
| Risk assessment | Ongoing monitoring |
| Contracts | Specific clauses required |
| Exit strategy | Documented transition plans |
### Critical Provider Oversight
For critical ICT service providers:
- Dedicated oversight function
- Enhanced due diligence
- Concentration risk assessment
- Subcontracting controls
### CyberOrigen Features
- Go to GRC → Vendors
- Classify ICT providers
- Track security questionnaires
- Monitor contract terms
- Document exit strategies
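The checks that a vendor register has to support once providers are classified by criticality (due diligence, exit strategy, concentration risk, subcontracting controls) are easier to see as code. The example below is added here and is not CyberOrigen's vendor module: it walks a constructed list of providers, applies the enhanced controls only to those marked critical, and flags functions that depend on a single critical provider. The `CONCENTRATION_THRESHOLD` of three functions per provider is a hypothetical value chosen for the example, not a DORA figure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Provider:
    name: str
    critical: bool                      # criticality classification in the register
    functions: List[str]                # functions the provider supports
    due_diligence_done: bool            # pre-contract assessment on file
    exit_strategy_documented: bool      # transition plan on file
    subcontractors: List[str] = field(default_factory=list)
    subcontractors_assessed: bool = False


# Hypothetical threshold: a single provider supporting this many functions is
# reported as a concentration risk. Chosen for the example only.
CONCENTRATION_THRESHOLD = 3


def assess_third_party_risk(providers: List[Provider]) -> List[Tuple[str, str]]:
    """Return (subject, finding_code) pairs for the enhanced-oversight checks.

    Provider-level codes: due_diligence_missing, exit_strategy_missing,
    concentration_risk, subcontractors_unassessed.
    Function-level code: single_provider (only one provider, and it is critical).
    """
    findings: List[Tuple[str, str]] = []

    for p in providers:
        if not p.critical:
            continue  # enhanced controls apply to critical providers only
        if not p.due_diligence_done:
            findings.append((p.name, "due_diligence_missing"))
        if not p.exit_strategy_documented:
            findings.append((p.name, "exit_strategy_missing"))
        if len(p.functions) >= CONCENTRATION_THRESHOLD:
            findings.append((p.name, "concentration_risk"))
        if p.subcontractors and not p.subcontractors_assessed:
            findings.append((p.name, "subcontractors_unassessed"))

    # Single points of dependency: group providers by the function they support.
    by_function: Dict[str, List[Provider]] = {}
    for p in providers:
        for fn in p.functions:
            by_function.setdefault(fn, []).append(p)
    for fn, ps in sorted(by_function.items()):
        if len(ps) == 1 and ps[0].critical:
            findings.append((fn, "single_provider"))

    return findings


# Constructed sample register (fictional providers and functions).
SAMPLE_PROVIDERS = [
    Provider("CloudCo", critical=True,
             functions=["payments", "core-banking", "reporting"],
             due_diligence_done=True, exit_strategy_documented=False,
             subcontractors=["DC-Sub"], subcontractors_assessed=False),
    Provider("PayGateway", critical=True, functions=["payments"],
             due_diligence_done=False, exit_strategy_documented=True),
    Provider("PrintShop", critical=False, functions=["statements"],
             due_diligence_done=False, exit_strategy_documented=False),
]

if __name__ == "__main__":
    for subject, code in assess_third_party_risk(SAMPLE_PROVIDERS):
        print(f"{subject:14} {code}")
```

In the sample, `CloudCo` triggers the exit-strategy, concentration and subcontractor findings, `PayGateway` only the missing due diligence, and `PrintShop` nothing because it is not critical; `core-banking` and `reporting` are reported as single-provider dependencies while `payments` is not, since two providers support it.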
## Information Sharing

### Article 45 Requirements
Entities should participate in:
- Threat intelligence sharing
- Vulnerability disclosure
- Incident information exchange
### CyberOrigen Integration
- MISP threat intelligence
- Vulnerability correlation
- Industry benchmarking
## Control Mapping
DORA maps to other frameworks:
| DORA Article | ISO 27001 | NIST CSF |
|---|---|---|
| Art. 7 Identification | A.8.8 | ID.AM |
| Art. 8 Protection | A.8.24 | PR.DS |
| Art. 9 Detection | A.8.16 | DE.CM |
| Art. 10 Response | A.5.24 | RS.MI |
| Art. 28 Third-Party | A.5.21 | ID.SC |
## Evidence Collection

### Automated Evidence
- Vulnerability scan reports
- Configuration assessments
- Incident detection logs
- Access control audits
### Manual Evidence
- ICT risk management policy
- Incident response procedures
- Third-party contracts
- Testing reports
- Board reporting
## Reporting Requirements

### To Competent Authority
- Major incident notification (initial)
- Incident report (intermediate)
- Final report (within 1 month)
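The classification table and factor list under Key Requirements, together with the three-stage notification to the competent authority above, describe one workflow: score the incident on the listed factors, pick a severity, route it, and, for a major incident, start the reporting clock. The script below is an added example (not CyberOrigen's incident module) of that workflow. The thresholds on the factors are hypothetical values chosen for illustration; DORA's real materiality thresholds are defined in its technical standards and are not reproduced here. The page gives only the final-report window ("within 1 month", approximated as 30 days); the initial window (4 hours from classification, at most 24 hours from detection) and the intermediate window (72 hours after the initial notification) are assumptions modelled on the DORA reporting standards and should be checked against the current text before use. The sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class IncidentFacts:
    clients_affected: int
    duration: timedelta
    member_states_affected: int   # geographic spread
    data_loss: bool
    critical_service: bool        # service criticality
    economic_impact_eur: float
    detected_at: datetime
    classified_at: datetime


# Hypothetical thresholds for the page's classification factors (not DORA figures).
MAJOR_CLIENTS = 10_000
MAJOR_DURATION = timedelta(hours=2)
MAJOR_ECONOMIC_EUR = 100_000.0

# Reporting route per severity, as in the page's classification table.
REPORTING_ROUTE = {
    "Major": "Competent authority",
    "Significant": "Internal reporting",
    "Minor": "Logging only",
}


def impact_signals(i: IncidentFacts) -> int:
    """Count how many classification factors exceed their (hypothetical) threshold."""
    return sum([
        i.clients_affected >= MAJOR_CLIENTS,
        i.duration >= MAJOR_DURATION,
        i.member_states_affected > 1,
        i.data_loss,
        i.economic_impact_eur >= MAJOR_ECONOMIC_EUR,
    ])


def classify(i: IncidentFacts) -> str:
    """Major: three signals, or two signals on a critical service; Significant: any signal."""
    signals = impact_signals(i)
    if signals >= 3 or (i.critical_service and signals >= 2):
        return "Major"
    if signals >= 1:
        return "Significant"
    return "Minor"


def reporting_deadlines(i: IncidentFacts) -> dict:
    """Three-stage competent-authority reporting clock for a major incident.

    Initial and intermediate windows are assumptions (see lead-in); the final
    report follows the page's "within 1 month", approximated as 30 days.
    """
    initial = min(i.classified_at + timedelta(hours=4),
                  i.detected_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial": initial, "intermediate": intermediate, "final": final}


def build_report(i: IncidentFacts) -> dict:
    """Severity, reporting route and (for Major only) the deadline schedule."""
    severity = classify(i)
    deadlines: Optional[dict] = reporting_deadlines(i) if severity == "Major" else None
    return {"severity": severity, "route": REPORTING_ROUTE[severity], "deadlines": deadlines}


# Constructed samples: a payments outage on a critical service, and a contained glitch.
UTC = timezone.utc
SAMPLE_MAJOR = IncidentFacts(
    clients_affected=25_000, duration=timedelta(hours=3), member_states_affected=1,
    data_loss=False, critical_service=True, economic_impact_eur=50_000.0,
    detected_at=datetime(2025, 3, 1, 9, 0, tzinfo=UTC),
    classified_at=datetime(2025, 3, 1, 10, 30, tzinfo=UTC),
)
SAMPLE_MINOR = IncidentFacts(
    clients_affected=50, duration=timedelta(minutes=10), member_states_affected=1,
    data_loss=False, critical_service=False, economic_impact_eur=0.0,
    detected_at=datetime(2025, 3, 2, 9, 0, tzinfo=UTC),
    classified_at=datetime(2025, 3, 2, 9, 20, tzinfo=UTC),
)

if __name__ == "__main__":
    for incident in (SAMPLE_MAJOR, SAMPLE_MINOR):
        print(build_report(incident))
```

For the major sample the initial notification falls due at 14:30 UTC on 1 March (four hours after classification, which comes before the 24-hour-from-detection bound), the intermediate report 72 hours later, and the final report 30 days after that; the minor sample is logged only and carries no deadlines.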
### To Management Body
- Regular ICT risk reports
- Incident summaries
- Testing results
- Third-party assessments
## Timeline
| Date | Milestone |
|---|---|
| Jan 2023 | DORA entered into force |
| Jan 2025 | DORA becomes applicable |
| Ongoing | Regulatory technical standards |
## Common Gaps
| Requirement | Gap | Solution |
|---|---|---|
| Art. 5 | No ICT framework | Documented framework |
| Art. 9 | Limited detection | Monitoring implementation |
| Art. 14 | No testing program | Testing schedule |
| Art. 28 | Weak vendor oversight | Vendor risk program |