The Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU on 27 December 2022. It consists of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, together with an amending Directive, covering Information and Communication Technology (ICT) risk in the financial sector. Both are already in force, and the Regulation applies in full from 17 January 2025.
DORA applies to a wide range of financial entities regulated by the CSSF in Luxembourg and sets requirements on:
ICT risk management;
ICT-related incident management, classification and reporting;
ICT operational resilience testing;
ICT third-party risk management, including the classification and assessment of providers and the register of information to be reported to the competent authority.
After 17 January 2025, financial entities that fail to comply may face penalties:
DORA leaves the administrative penalties applicable to financial entities to the Member States (Article 50), so the amounts and the procedure are set by national law and, in Luxembourg, enforced by the CSSF;
The one financial penalty fixed in DORA itself applies to critical ICT third-party service providers: a periodic penalty payment of up to 1% of their average daily worldwide turnover in the preceding business year, which can be levied every day until the provider complies with the Lead Overseer's measures (Article 35).
With less than seven months remaining before the deadline, we recommend starting as soon as possible so that your organisation has enough time to complete all necessary preparations without rushing during the last month of the year.
Why is MAQIT the right partner?
MAQIT S.A. has 8 years of experience in IT compliance advisory. We have successfully completed a large number of engagements in both the FinTech and the traditional financial sectors.
MAQIT has developed and uses its own IT regulatory compliance framework, which includes:
controls aligned with the most common frameworks, such as COBIT and ISO 27001, and an extensive database of IT regulatory requirements;
dozens of templates, questionnaires and workflows.
The requirements set out in DORA show many similarities to those of CSSF Circulars 22/806 (outsourcing) and 20/750 (ICT and security risk management), which we have been helping our clients implement in recent years. When DORA was published, we adapted our framework to help clients meet the new requirements.
DORA covers all digital and data services provided on an ongoing basis, not only ICT services that qualify as outsourcing. Our ICT Control Framework therefore now focuses on ICT security risk management and incident management as well as on ICT outsourcing management.
What will you get?
With the MAQIT DORA Methodology and an efficient, proven implementation approach accelerated by the MAQIT Control Framework, we will assist your company in achieving the following key objectives:
By the end of 2024: to become compliant with the DORA regulatory requirements;
In the mid term: to derive lasting benefit from remaining DORA compliant.
MAQIT will help your company to:
Find gaps in your policies and procedures against the DORA requirements using our DORA Adoption Framework;
Obtain templates for missing documents and proposed changes to policies and procedures that are not yet DORA compliant;
Select and implement the technology and tools needed to operate the controls in practice;
Obtain access to MAQIT's highly specialised workforce to implement the controls in the field.
How do we work?
For the DORA Gap Assessment we suggest the following approach:

| Phase | Actions | Deliverables |
| --- | --- | --- |
| 1. Defining Strategy | Bring together the key stakeholders to clarify the project scope, goals, timeline and dependencies; analyse the regulatory context according to the principle of proportionality as well as the applicability of DORA requirements; perform an initial risk assessment in each of the DORA pillars. | |
| 2. Planning DORA Readiness | Perform a detailed DORA compliance gap analysis based on the MAQIT Control Framework, accelerated by our previous experience; understand the priorities and adjust the planning; define deadlines and owners for the plan. | |
| 3. Achieving DORA Readiness | Address the DORA compliance gaps identified in earlier stages together with your IT department; draft DORA-compliant policies and procedures; develop a pen-testing strategy and approach, and select a provider if needed; assist with the selection of a pen-testing provider and define the pen-testing scope; complete the register of information on third-party ICT providers, with analysis of its individual entries. | |
| 4. DORA Adoption | Implement the DORA-related controls; knowledge sharing (training of the key DORA stakeholders); control automation (e.g. pen-testing, risk assessment or the register of information); follow up implementation and amend (optimise) the existing policies and procedures; measure the effectiveness of the implemented controls and propose amendments if needed; further completion of the register of information. | |
| 5. Monitoring and Governance | Regulatory watch service; monitoring of the implemented controls; ongoing oversight of outsourcing and third-party providers; improvement of the control mechanisms. | |
Why does MAQIT use Regulat.io?
Standards: Regulat.io is based on the most recognised industry standards, including but not limited to TOGAF, COBIT, ISO, NIST and ENISA.
Reliability: Regulat.io digitalises a formerly manual and error-prone process by creating a single source of truth for IT compliance.
Collaboration: Regulat.io has been designed with collaboration in mind. It allows a fluent exchange between the lines of business and the IT compliance experts.
Your Project Team:
Luc Maquil will manage communications and supervise delivery control;
Flavien Rouzaud will be your Project Manager and senior DORA expert.
Thulani Gina will cover Outsourcing Management.
Please contact Luc Maquil should you need more details or want to discuss our services.