top of page
  • mikecartoscelli

Digital Operational Resilience Act Series: Regulator Reactions and Information so far.

With the final set of Regulatory Technical Standards (RTS’s) being released on July 17th, 2024, there has not been an overly prescriptive amount of direction from the majority of regulators or competent authorities (CA’s) for each jurisdiction.

In reviewing the 50+ financial authorities across 31 jurisdictions. The following was identified:

9 agencies provided 0 information regarding DORA.
16 agencies provided very limited guidance on DORA. A mention about the dates of enforcement, and that it is important.
5 agencies had a decent level of guidance on DORA, these being presentations to their audience on the importance of DORA or what it means to them.

There were a couple of examples that were directly calling out DORA compliance as being extremely important. 

Looking at the ‘Dear CEO’ letter, dated March 26th, 2024, from the Malta Financial Services Authority, they specifically call out that the CEO of any firm that falls under the DORA legislation should have a focus on several areas this year.

Expectation 14: Financial Entities have taken steps towards developing a digital operational resilience testing programme, in accordance with Articles 24 and 25 of the DORA Regulation.

In May of 2024, the Swedish Financial Supervisory Authority held a DORA workshop. Within that workshop was a presentation on what part of the DORA framework requirements were perceived as particularly challenging to implement. 

18.8% of the firms polled, said that the Digital Operational Resilience Testing pillar was the most challenging. Management of 3rd party risk was the runaway favourite at 37.5%

In December of 2023, the French AMF (Financial Markets Authority) conducted spot checks on 5 firms that are asset management companies. They found several issues with the readiness of these firms:

4 of the 5 lacked a method of using encrypted communications
2 of the 5 lacked multi factor authentication when logging into machines
3 of the 5 not enforcing a strict password policy
1 of the 5 had business user accounts with ‘Administrator’ profile

These are just a couple of examples of how regulatory bodies have the expectation that companies will be compliant by January 17th, 2025, and the level of maturity that the ICT Risk Management framework and Security posture of their critical infrastructure. 

With the imminent release of the final RTS’s (Regulatory Technical Standard) it is certain that the competent authorities will release their own individual guidance for their jurisdictions. 

Once those are released, Persistent Securities Industries will look to review them in a video for our Digital Operational Resilience Act Series, which will hopefully bring some clarity to the steps outlined in those RTS’s. 

Within those RTS’s, they include several areas where Nemesis Breach and Attack Simulation (BAS) software will be a vital part of your cybersecurity tool set and aid in your compliance journey for DORA by validating and documenting your security controls and their effectiveness as required. 

Remember with Nemesis Breach and Attack Simulation you are able to:

Want to know more? Reach out to us via the contact us button and we will schedule some time to chat about how we can help your firm on their compliance journey.



bottom of page