List of DORA security requirements

time to read: 2 min

Table of Contents

Here is a list of all DORA security requirements for your organization. You can print it out and start working on them, before it is too late!

And if you need expert help, just reach out and schedule a free consultation!

1. ICT Risk Management Framework

  • Establish and maintain a comprehensive ICT risk management framework.
  • Integrate ICT risk management into overall risk management processes.
  • Define clear roles and responsibilities for ICT risk management.
  • Ensure management body oversight and accountability for ICT risks.
  • Regularly update the framework to reflect changes in ICT risk landscape.

2. ICT Risk Management Processes

  • Identification of ICT Risks

    • Continuously identify and assess ICT risks.
    • Maintain an inventory of ICT assets and their risk profiles.
  • Protection and Prevention Measures

    • Implement security policies and controls to mitigate identified risks.
    • Ensure data protection and confidentiality.
  • Detection Measures

    • Establish systems to detect anomalous activities and potential ICT incidents.
    • Monitor networks and systems continuously.
  • Response and Recovery

    • Develop and maintain an ICT incident response plan.
    • Ensure business continuity and disaster recovery plans are in place.
    • Test response and recovery plans regularly.
  • Learning and Evolving

    • Analyze incidents to improve future responses.
    • Update policies and procedures based on lessons learned.

3. ICT Systems, Protocols, and Tools

  • Ensure ICT systems are resilient and secure.
  • Implement access controls and authentication mechanisms.
  • Regularly update and patch ICT systems.
  • Use encryption and other security technologies where appropriate.
  • Maintain documentation of ICT systems and protocols.

4. ICT Incident Reporting

  • Establish an internal process for ICT incident management.
  • Classify ICT incidents based on impact and severity.
  • Report major ICT incidents to competent authorities promptly.
  • Notify clients and stakeholders about incidents when relevant.
  • Keep records of all ICT incidents and reporting actions.

5. Digital Operational Resilience Testing

  • Conduct regular ICT security assessments.
  • Perform vulnerability assessments and penetration testing.
  • Engage in threat-led penetration testing where applicable.
  • Address and remediate identified vulnerabilities promptly.
  • Document testing methodologies and results.

6. ICT Third-Party Risk Management

  • Maintain an up-to-date register of all ICT third-party service providers.
  • Conduct due diligence before engaging third-party providers.
  • Ensure contracts include:
    • Service level agreements (SLAs).
    • Security and confidentiality obligations.
    • Termination rights and exit strategies.
  • Monitor third-party performance and compliance regularly.
  • Assess the concentration risk of third-party dependencies.
  • Develop contingency plans for third-party service disruptions.

7. Information Sharing Arrangements

  • Participate in information-sharing networks where appropriate.
  • Share information on cyber threats, vulnerabilities, and incidents.
  • Ensure compliance with data protection and confidentiality laws during sharing.
  • Establish procedures for receiving and disseminating shared information.

8. Governance and Oversight

  • Ensure the management body is actively involved in ICT risk governance.
  • Provide regular training on ICT risks to management and staff.
  • Assign a senior management function responsible for ICT risks.
  • Establish internal audit mechanisms to review ICT risk management.
  • Report ICT risk matters to the management body regularly.

9. Specific Provisions for Critical ICT Third-Party Service Providers

  • Identify if any ICT third-party providers are deemed critical.
  • Ensure critical providers comply with oversight requirements.
  • Engage with regulatory bodies regarding critical provider assessments.
  • Include contractual clauses allowing for regulatory audits of critical providers.

10. Transitional Measures and Compliance

  • Develop a roadmap to achieve full compliance within the implementation period.
  • Review and adjust existing policies and contracts to meet DORA requirements.
  • Engage with regulators to clarify any compliance uncertainties.
  • Monitor for updates or additional guidelines related to DORA.