Review Your DORA (Digital Operational Resilience Act) Compliance Processes!
13/06/2024
DORA Compliance in the Financial Sector: Strengthen Your Processes!
As Barikat Cyber Security, we would like to share with you an important update that closely concerns the financial sector. The Digital Operational Resilience Act (DORA), enacted by the European Commission, entered into force on January 16, 2023. This law is of great importance especially for financial institutions operating in European Union member states and companies providing services to these institutions.
DORA applies to financial institutions operating in Turkey that have representative offices, subsidiaries or branches in European Union member states, and to all entities that provide services to financial institutions in those countries. The deadline for financial institutions to comply with the law is January 17, 2025. By this date, the compliance status must be determined and deficiencies must be eliminated.
Companies subject to the regulation must therefore complete their compliance work by January 17, 2025, when audits and sanctions will begin: their compliance status must be determined and the identified deficiencies remediated. Financial institutions that do not comply with the regulation may be fined.
Basically:
DORA provides a regulatory framework on digital operational resilience that gives institutions in the EU financial sector a new perspective on resisting disruptions and threats related to information and communication technologies (ICT), protecting themselves from these threats and minimizing their effects.
The law sets standards on issues such as management of operational risks, cyber security measures, data management and reporting requirements. It also ensures that measures are taken to minimize the effects of interruptions and attacks on the systems of financial institutions.
DORA, a binding EU regulation on the digital operational resilience of companies providing financial services in European Union (EU) countries, also addresses the potential risks posed by third parties that provide information and communication technologies to these companies.
In addition, compliance audits of organizations that must implement DORA will be carried out by auditors appointed by EBA. The audit service also has a financial obligation.
DORA's requirements can be grouped under 6 important headings:
1. Governance and organization: Governance and organization underpin digital resilience. Under this heading, responsibilities and roles regarding digital security and resilience need to be clearly defined. This includes appointing security leadership and establishing the security team. It also covers establishing security policies and procedures and determining the security standards of the business.
2. IT risk management framework: IT risk management determines how organizations address cyber threats and risks. Accordingly, risk assessments should be carried out, risk reduction strategies should be determined, and strategies should be defined for situations where certain risks will be accepted.
3. ICT incident management, classification and reporting: ICT incident management covers identifying, managing and reporting cybersecurity incidents. To this end, incident identification, classification and reporting processes should be established.
4. Digital operational resilience testing: Digital operational resilience testing determines the ability of organizations to react in crisis situations and ensure business continuity. In this context, scenarios and simulations should be developed, test results should be evaluated, and improvement plans should be created.
5. Third-party provider risk management: Organizations should analyze their relationships with third-party providers and determine strategies to manage the security risks of these providers. Additionally, steps such as third-party evaluations and review of contracts and agreements should be taken.
6. Information sharing: Information sharing determines how to manage the flow of information about security threats and events within and outside the organization. In this context, internal and external information sharing processes should be established and confidentiality and security principles should be considered.
Scope of DORA
DORA focuses on critical Information Technology (IT) services, covering institutions operating in the financial sector in European Union member countries as well as other institutions providing services to the financial sector.
Additionally, third-party providers engaged to deliver these services, particularly cloud computing service providers, are also covered.
According to Article 2 of the Law, it covers many sectors located in the financial sector of the European Union, such as credit institutions, payment institutions, service providers, electronic money institutions, investment firms, crypto-asset service providers, token issuers, central registry institutions, managers of alternative investment funds, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, credit rating agencies and ICT third-party service providers.
Structure of DORA
DORA, which was put into effect by the European Commission on 13.03.2024, is grouped under 4 headings. There are different sections under each heading.
The law is generally structured as follows:
1. TITLE 1 GENERAL PRINCIPLES
1.1. Article 1: General risk profile and complexity
2. TITLE 2 FURTHER HARMONIZATION OF IT RISK MANAGEMENT TOOLS, METHODS, PROCESSES AND POLICIES IN ACCORDANCE WITH ARTICLE 15 OF THE REGULATION
2.1 Chapter 1 IT SECURITY POLICIES, PROCEDURES, PROTOCOLS AND TOOLS
Section 1
Article 2 General elements of IT security policies, procedures, protocols and tools
Section 2
Article 3 IT risk management
Section 3 ICT ASSET MANAGEMENT
Article 4 IT asset management policy
Article 5 IT asset management procedure
Section 4 ENCRYPTION AND CRYPTOGRAPHY
Article 6 Encryption and cryptographic controls
Article 7 Cryptographic key management
Section 5 ICT OPERATIONS SECURITY
Article 8 Policies and procedures for IT operations
Article 9 Capacity and performance management
Article 10 Vulnerability and patch management
Article 11 Data and system security
Article 12 Logging
Section 6 NETWORK SECURITY
Article 13 Network security management
Article 14 Secure transfer of information
Section 7 IT PROJECT AND CHANGE MANAGEMENT
Article 15 IT Project Management
Article 16 Acquisition, development and maintenance of IT systems
Article 17 IT change management
Section 8
Article 18 Physical and environmental security
2.2 Chapter 2 HUMAN RESOURCES POLICY AND ACCESS CONTROL
Article 19 Human resources policy
Article 20 Identity management
Article 21 Access control
2.3 Chapter 3 DETECTION AND RESPONSE TO IT-RELATED INCIDENTS
Article 22 IT incident management policy
Article 23 Detection of abnormal activities and criteria for detection and response to ICT-related incidents
2.4 Chapter 4 IT BUSINESS CONTINUITY MANAGEMENT
Article 24 Components of IT business continuity policy
Article 25 Testing of IT business continuity plans
Article 26 IT response and recovery plans
2.5 Chapter 5 IT RISK MANAGEMENT FRAMEWORK REVIEW REPORT
Article 27 Format and content of the report on the review of the IT risk management framework
3. TITLE 3 SIMPLIFIED IT RISK MANAGEMENT FRAMEWORK FOR FINANCIAL INSTITUTIONS SPECIFIED IN ARTICLE 16(1) OF THE REGULATION
3.1. Chapter 1 SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK
Article 28 Governance and organization
Article 29 Information security policy and measures
Article 30 Classification of information assets and IT assets
Article 31 IT risk management
Article 32 Physical and environmental security
3.2 Chapter 2 OTHER SYSTEM, PROTOCOL AND TOOL ELEMENTS TO MINIMIZE THE IMPACT OF IT RISK
Article 33 Access control
Article 34 Security of IT operations
Article 35 Data, system and network security
Article 36 IT security testing
Article 37 Acquisition, development and maintenance of IT systems
Article 38 IT project and change management
3.3 Chapter 3 IT BUSINESS CONTINUITY MANAGEMENT
Article 39 Components of IT business continuity policy
Article 40 Testing of IT business continuity plans
3.4 Chapter 4 REPORT ON THE REVIEW OF THE SIMPLIFIED IT RISK MANAGEMENT FRAMEWORK
Article 41 Format and content of the report on the review of the simplified ICT risk management framework
4. TITLE 4 FINAL PROVISIONS
Article 42 Entry into force
“This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union. This Regulation is fully binding and directly applicable in all Member States.”
What Should Financial Companies Do?
Turkish finance companies that have offices in European Union countries or provide services to EU countries are required to complete their IT-scope compliance work for DORA by January 17, 2025. Given the similarity of the DORA articles to the ISO 27001 standard: if no ISO 27001 ISMS is operated, the work will need to be carried out by meeting DORA's requirements directly. If an ISO 27001 ISMS is operated, the existing work will need to be reviewed and compared against DORA's requirements, and the missing points completed. Although having ISO 27001 in place facilitates the DORA process, the work can also be carried out independently of ISO 27001.
How Can We Help as Barikat?
As Barikat Cyber Security, we support organizations operating in the financial sector in their compliance processes with the Digital Operational Resilience Act (DORA). We support you in reviewing your organization's current work within the scope of DORA and carrying out the necessary work to comply with the requirements of the law. We also strengthen your operational resilience by increasing the maturity of critical processes such as cyber security and supplier risk management.
As Barikat, we are at your side with our experienced staff to improve your processes in DORA compliance studies. Contact us to review your existing processes and get more detailed information about DORA.
Source: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en