DORA – Digital Operational Resilience Act
Fulfilling verification obligations easily and securely, strengthening cyber security and increasing IT resilience
DORA Directive: Mastering requirements with BACKUP EAGLE®
In order to achieve a high common level of digital operational resilience, the DORA Regulation sets out uniform requirements for the security of network and information systems supporting the business processes of financial institutions. This includes information and communication technology (ICT), notification of serious ICT-related incidents, significant cyber threats and payment-related operational or security incidents, and digital operational resilience testing.
Discover how BACKUP EAGLE® can help your company successfully master the challenges of DORA while optimizing your backup infrastructure.
DORA Overview
The DORA Directive ensures that the European financial sector is able to maintain operational stability in the event of a serious disruption, e.g. due to cyber attacks. The DORA Directive formally entered into force on 16.01.2023 and has been transposed into national law by the EU member states. The directive will be applied from 17.01.2025.
Why DORA?
The current EU legal framework for ICT risks and operational stability in the financial sector is fragmented and partly inconsistent. The new EU regulation is intended to harmonize the rules and ensure that member states no longer have any reason to adopt national regulations, standards and requirements relating to operational stability and cyber security on their own. Cross-border financial companies will also receive legal clarity on regulations for digital resilience.
In addition, EU-wide standards for digital operational resilience tests are to be defined in order to better identify as yet unknown vulnerabilities and risks.
Who is affected by DORA?
DORA applies to all financial companies regulated at EU level. These include credit institutions, payment institutions, e-money institutions, investment firms, providers of crypto services, central securities depositories, central counterparties, trading venues, trade repositories, insurance and reinsurance companies, insurance intermediaries and others.
The core requirements differ between individual companies depending on their business model, size, risk profile or systemic importance.
DORA: What can affected financial companies expect?
The implementation of DORA entails coordination, training and implementation efforts for the companies concerned, depending on their current state of preparedness. If new technical systems are also required for implementation, these should be treated as IT projects with a high level of complexity and criticality.
Our recommendation: Comprehensive gap analysis, through which the requirements specified by DORA are verified in-house. Specific projects can then be planned and implemented on this basis.
Affected companies can expect to be subject to additional security checks. These include, for example, audits of their service providers and, where necessary, technical analyses in the form of threat-led penetration tests. Data reporting services must maintain adequate resources and have backup and recovery facilities in place so that they can provide and maintain their services at all times. When setting recovery time and recovery point targets for each function, financial institutions must consider whether it is a critical or important function. These time targets must ensure that the agreed service levels are maintained even in extreme scenarios.
Requirements for financial companies
- Reporting ICT-related incidents
- Testing the digital operational stability
- Risk monitoring by third-party ICT providers
Measures for digital resilience
- Specification of the management of digital risks (as a supplement to the previously applicable single rulebook of the European Banking Union)
- Creation of a thorough audit of ICT systems
- New powers for financial supervisory authorities to monitor risks associated with third-party ICT providers
- Reporting procedure for ICT-related incidents
How does BACKUP EAGLE® support your DORA requirements?
BACKUP EAGLE® supports you in complying with the DORA regulation. Get in touch with us and let us advise you in a free initial consultation. We are your partner in all matters relating to compliance and proof of legal requirements for backups and restores, from design and implementation to analysis, evaluation and optimization.
Proof of compliance through automated reports on backups and restores
- Via several backup tools
- On-prem and cloud
- Over long periods of time (up to 10 years)
Proof of compliance with specifications for backups and restores
- By providing detailed evidence of each individual backup and restore
- By documenting incidents and the actions taken to resolve them
- By documenting restore tests
Proof of compliance with the backup concept
- Automatic documentation of the backup configuration
- Checking and reporting on backup outsourcing and media disruption
Checking the backup security
- Review of retention periods
- Checking and documenting access to the backup system
- Documentation of restores