ISACA publishes guidance on draft EU Digital Operational Resilience Act
- Published: Friday, 15 October 2021 07:21
The European Union’s draft Digital Operational Resilience Act (DORA) is designed to provide digital operational resilience rules for EU financial institutions, and ISACA has released new guidance to help organizations prepare for its implementation. The final version of DORA is currently expected in an estimated 18 to 24 months, with compliance required at some point after that.
ISACA’s document, 'Digital Operational Resilience in the EU Financial Sector: A Risk-Based Approach', outlines the objectives and legal basis for DORA, as well as its information and communication technology (ICT) requirements around risk management, information and cybersecurity, incident reporting, testing, and oversight of third-party service providers. Among those requirements, financial entities must:
- Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.
- Have an ICT risk-management framework that includes strategies, policies, procedures, ICT protocols and tools necessary to effectively protect all relevant physical components and infrastructures from risk, such as damage and unauthorized access or usage.
- Test the ICT business continuity policy and the ICT disaster recovery plan at least yearly, and after substantive changes to the ICT systems.
- Include, in the contracts that govern their relationships with ICT third-party service providers, relevant provisions on accessibility, availability, integrity, security and protection of personal data, as well as guarantees of access, recovery and return in the event of a failure of the ICT third-party service provider.
When finalized, DORA will enact rules for financial entities such as investment firms, credit institutions, trading venues and electronic money institutions to ensure the stability of their systems and their resilience to cyber incidents.
A complimentary copy of 'Digital Operational Resilience in the EU Financial Sector: A Risk-Based Approach' is available for download from ISACA.