The Last Piece of DORA Falls Into Place: 10 Lessons From the First Six Months

The Last Piece of DORA Falls Into Place: 10 Lessons From the First Six Months

Summary

The EU’s Delegated Regulation on Subcontracting has officially implemented the Digital Operational Resilience Act (DORA). This sends the message that companies must now ensure compliance with new cybersecurity expectations. The article outlines ten crucial lessons learned during the initial implementation phase of DORA and underscores the prioritisation of operational resilience by relevant regulators.

Key Points

• DORA’s framework for cyber resilience now complete; enforcement forthcoming.
• Existing obligations reflect established guidelines but require updates for compliance.
• A risk-based approach to compliance is recommended, especially for budget constraints.
• Understanding which functions are genuinely ‘critical’ is essential for compliance.
• Incident response plans must be practised and easily actionable within strict time frames.
• Board members face personal liability and need adequate support to manage DORA’s demands.
• Integration of IT procedures with existing compliance needs is critical to ensure effectiveness.
• Collaboration with non-EU entities is vital for comprehensive compliance.
• Rolling out necessary contract amendments requires targeted actions.
• DORA mandates continuous policy reviews and updates, with ongoing compliance required.

Why should I read this?

If you’re involved in the financial sector or IT services, you’ll want to keep your finger on the pulse of DORA’s implications. This article lays out practical insights gathered during the DORA rollout phase. It covers challenges and actionable strategies you won’t want to miss out on—saving you time by doing the heavy lifting for you!