Are you ready for DORA compliance? Understand your gaps and build long-term digital and operational resilience.
DORA is a new EU regulation designed to improve the cybersecurity and operational resilience of firms in the financial services sector, covering more than 22,000 financial entities and Information Communications and Technology (ICT) service providers operating within the EU.
The DORA regulation comes into force on January 17, 2025, with state- level mechanisms expected to be in place and financial entities will be expected to be compliant with the regulation.
Businesses may underestimate the amount of work required to become DORA compliant, and those based outside the EU may not realize that they also need to pay attention to the changes. This could put organizations at risk of failing to meet the new DORA requirements.
To prevent this and ensure that they are ready for the impending changes, businesses should take strategic action now.
ICT Risk Management | ICT Related Incident Reporting | Digital Operational Resiliency Testing | ICT Third-Party Risk | Information Sharing |
|---|---|---|---|---|
Embed a comprehensive risk management framework for ICT systems. | Standardize reporting of ICT related incidents. Incident management processes and templates for reporting of incidents. | Testing and assurance of technology resiliency through a combination of techniques and harmonization of data collected by financial organizations. | Stricter controls and processes for third-party risk management and oversight. | Mechanisms for sharing information on threat actor activity. |
Organizations may find similarities between NIS2 and DORA given its focus on Digital Resilience, however, it is important to understand that there are key differences in terms of scope and application:
NIS2 | DORA | |
|---|---|---|
Type | Directive – EU Member States are responsible for implementing national laws | Regulation – directly applicable to financial services companies |
Implementation Date | October 17, 2024 | January 17, 2025 |
Applies To | Critical Sectors (energy, transportation, health, space, internet etc.), MSPs, MSSPs in EU Member States | Financial Entities (banks, insurance, crypto, etc.) and ICT service providers in EU member states |
Overlap | Part of the broader cybersecurity regulatory framework | Takes precedence where sector-specific rules apply (‘Lex Specialis’ exemption)
|
Areas of Focus | Strengthening overall security and incident reporting requirements | Complements NIS2 by providing specific provisions around ICT frameworks, incident response and third-party ICT contracts |
Testing Requirements | Variable depending on country |
|
Incident Reporting |
| Classification of ‘major’ incidents and subject to the following:
|
From our experience of helping organizations in the financial services industry in addressing cybersecurity, governance, risk and compliance challenges, we anticipate businesses may underestimate the amount of work required for DORA compliance. More specially, it’s important to consider some of the most common challenges that will need to be addressed:
Kroll has a long track record of working with financial institutions to enabling them to achieve their security and regulatory goals. We leverage knowledge of Kroll experts who are our expertise consisting of former DORA consultation group members and former SEC, FCA and AMF regulators, along with our frontline intelligence from thousands of incident response cases a year, to provide in-depth support and help prepare your organization prepare for and to fully meet DORA requirements.
Understand Key Gaps in Your DORA Compliance | Have a Clear Path to DORA Compliance While Reducing Longer Term Risk | Implement Solutions to Maintain Operational Resiliency |
|---|---|---|
Quantitative measure of DORA compliance status highlighting key weaknesses by carrying out a gap assessment of operational resilience with DORA and RTS standards | Clear roadmap towards DORA compliance with priority tasks and timeframes. An action tracker is also provided with recommended owners to help stakeholders for effective project management | With our portfolio of advisory, transformation and managed services, we can assist you with the implementation of DORA-aligned policies and procedures, controls, testing and services across ICT risk management, incident management, business continuity, third-party risk management, and digital resiliency testing |
Our DORA Compliance Assessment, along with many other cybersecurity and compliance services, can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer. In addition to prioritized access to Kroll’s elite digital forensics and incident response team ahead of and in the event of an incident, the Retainer can also be used for services like penetration testing, risk assessments and tabletop exercises to name just a few.
Our team consists of experts involved in the preparatory consultation work that led to DORA as well as former-FCA, SEC and AMF regulators with a deep understanding of relevant legislation and standards in your industry to provide real insight and value.
700+ skilled and certified cybersecurity experts across the globe, experienced in not only helping clients comply with multiple regulations but staying resilient ahead of the changing landscape.
Our solutions can address all aspects of DORA compliance and maturity; from assessing all possible gaps/weaknesses and advising on remediation with our consultancy expertise to implementing the right controls and providing remote- managed services.
With unrivalled exposure to thousands of incident response cases each year, we know what’s needed to stay resilient to cyber threats.
We leverage our 50+ DORA-tailored policies and procedures templates to provide immediate value as we roll out your tailored program.
Cyber and Data Resilience
Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.
Compliance and Regulation
End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.
Financial Services Compliance and Regulation
In the ever-evolving financial services landscape, Kroll's award-winning team offers comprehensive regulatory and compliance services, guiding clients through registration, licensing, and compliance support to minimize risks and enhance efficiency globally.
Threat Exposure Management
Kroll’s field-proven cyber security assessment and testing solutions help identify, evaluate and prioritize risks to people, data, operations and technologies worldwide.
Incident Response & Recovery
Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
