DORA

Resilience beyond compliance

The European Regulation on digital operational resilience for the financial sector (DORA) is due to come into force on 17 January 2025. A sectoral version of the NIS 2 directive, it sets uniform cybersecurity requirements for the financial sector in all EU Member States. DORA represents an important milestone in the European Union's fight against cyberattacks and the protection of the critical infrastructures of companies and their sensitive data.

A risk-based approach to governance

EGERIE platform orchestrates & industrializes cyber programs, spreading a culture of cyber performance, enabling scaling through continuous improvement, achieving high control, compliance, risk anticipation, protection & confidence.

A demanding framework

DORA is part of the European Commission's Digital Finance Strategy, which aims to foster innovation and the adoption of new technologies while ensuring financial stability and the protection of European investors and consumers.

What impact on organizations?

The text brings together and harmonizes the various regulations that until now have governed the cybersecurity of the financial sector in the Union. DORA's reach extends beyond the 21 types of financial sector entities directly affected, and now includes their IT service providers and subcontractors, i.e. nearly 15,000 players in their value chain.

2 major articles

Art. 6: ICT risk management framework

Calls on organizations to establish a risk management framework that is "robust, comprehensive and well-documented, which enables them to address cyber risks in a timely, efficient and comprehensive manner." The framework will need to include the strategies, policies, procedures and protocols necessary to protect physical infrastructure and computer hardware, as well as information assets (i.e. the data). A comprehensive mapping of assets, risks and associated security measures will be essential to control the level of exposure to cyber risk. A "digital resilience strategy" will define the terms of its implementation.

Art. 5: Governance and organization

Places responsibility for operational resilience, and ultimate responsibility for risk management, on the general management team, which "defines, approves, supervises and is responsible for the implementation" of this framework. Management will therefore have to determine its level of risk tolerance and, on the basis of an aggregated view of the risks, decide which risks to reduce through intervention, which to accept, and which to transfer.

EGERIE helps you be DORA compliant

EGERIE fully contributes to this objective of security and resilience of the financial sector, in particular from the point of view of the following requirements:

Decision making

By establishing real governance and accountability for general management, which, under DORA, will determine the appropriate level of risk tolerance.

Aggregated view

By generating a complete vision of risks as well as a prior mapping of assets and associated risks, the EGERIE platform promotes decision-making and trade-offs.

Anticipation

Risk analysis scenarios make it possible to reduce the likelihood of an attack or, failing that, to ensure better resilience; carrying out a risk analysis is therefore decisive for entities in scope.

Accountability

The assessment of the cybersecurity posture of subcontractors and suppliers, proposed by the EGERIE platform, makes it possible to clearly identify who is responsible for the proper management of risks linked to third-party IT service providers.

A dissuasive sanctions regime

The associated system of penalties is intended to be a deterrent: administrative sanctions, corrective measures, and even the possibility for Member States to introduce criminal sanctions. This is a way of emphasizing that cybersecurity cannot be the concern of CISOs, CIOs, or compliance departments alone, but that it is a shared responsibility and must be addressed at the highest level of organizations. Decisions to impose an administrative penalty may be published on the official website of the competent authorities. Compliance with cyber requirements is more than ever a real reputational issue.

DORA involves the entire supply chain of financial entities and underlines that financial entities remain responsible for compliance with all the obligations arising from it, including in their relationships with their suppliers. It is now up to them to define a third-party risk strategy and policy, keep a record of all their contractual agreements, and identify third parties that cover critical functions prior to entering a contract. The entities in scope will therefore have to assess the cyber posture of their subcontractors or suppliers in order to make the right choices of service providers, thus reducing their cyber risks and ensuring a maximum level of security. This is essential to ensure the resilience of the sector across the entire value chain.

Ready to try EGERIE?