DORA Directive
In order to achieve a high common level of digital operational resilience, the DORA Regulation sets out uniform requirements for the security of network and information systems supporting the business processes of financial institutions. This includes information and communication technology (ICT), notification of serious ICT-related incidents, significant cyber threats and payment-related operational or security incidents, and digital operational resilience testing.
DORA Directive Overview
Why the DORA Directive?
The current EU legal framework for ICT risks and operational stability in the financial sector is fragmented and partly inconsistent. The new EU regulation is intended to harmonize the rules and ensure that member states no longer have any reason to adopt national regulations, standards and requirements relating to operational stability and cyber security on their own. Cross-border financial companies will also receive legal clarity on regulations for digital resilience.
In addition, EU-wide standards for digital operational resilience tests are to be defined in order to better identify as yet unknown vulnerabilities and risks.
Who is affected by DORA?
The DORA Directive ensures that the European financial sector is able to maintain operational stability in the event of a serious disruption, e.g. due to cyber attacks.
DORA therefore applies to all financial companies regulated at EU level. These include credit institutions, payment institutions, electronic money institutions, investment firms, crypto service providers, central securities depositories, central counterparties, trading venues, trade repositories, insurance and reinsurance undertakings, insurance intermediaries and others.
The core requirements differ between individual companies depending on their business model, size, risk profile or systemic importance.
DORA: What can affected financial companies expect?
Implementing DORA entails coordination, training and implementation effort for the companies concerned, depending on their current status. If new technical systems are also required, these should be treated as IT projects with a high level of complexity and criticality.
Our recommendation: a comprehensive gap analysis in which the requirements specified by DORA are verified in-house. Specific projects can then be planned and implemented on this basis.
These companies will presumably be subject to additional security checks. These include, for example, audits of their service providers and, if necessary, technical analyses in the form of threat-oriented penetration tests. Data reporting services must maintain adequate resources and have backup and recovery facilities to provide and maintain their services at all times. When setting recovery time and recovery point targets for each function, financial institutions must consider whether it is a critical or important function. These time targets must ensure that the agreed service levels are maintained in extreme scenarios.
Requirements for financial companies
Measures for digital resilience
How does BACKUP EAGLE® support your DORA requirements?
The DORA Directive officially came into effect on 16.01.2023 and has been transposed into national law by the EU member states. The directive will be applied from 17.01.2025.
BACKUP EAGLE® supports you in complying with the DORA regulation. Get in touch with us and let us advise you in a free initial consultation. We are your partner in all matters relating to compliance and proof of legal requirements for backups and restores, from design and implementation to analysis, evaluation and optimization.
Proof of compliance through automated reports on backups and restores
– Via several backup tools
– On-prem and cloud
– Over long periods of time (up to 10 years)
Proof of compliance with specifications for backups and restores
– Evidence of backups and restores
– Documentation of incidents, actions and restore tests
Proof of compliance with the backup concept
– Automatic documentation of backup configuration
– Checking and reporting on backup outsourcing and media disruption
Checking the backup security
– Review of retention periods and documenting access to the backup system as well as restores
DORA support from BACKUP EAGLE®
Discover how BACKUP EAGLE® can help your company successfully master the challenges of DORA and optimize your backup infrastructure at the same time.
Download our free white paper on the DORA Directive now or contact BACKUP EAGLE® for free advice on implementing the DORA Directive!
Do you need an expert? Get in touch with us!
Request a free demo or callback now
Email request
Phone request
Support request