The DORA framework for ICT risk management in the financial sector
DORA (EU Regulation 2022/2554) is the European regulatory framework for ICT risk management in the financial sector; it aims to strengthen the sector's "digital operational resilience". This concept refers to the reliability of IT services and their capability to guarantee digital operational continuity even in the event of incidents and disruptions.
The DORA framework has been designed to prepare operators and the financial markets to withstand the risks generated by an increasing dependence on digital technology, establishing benchmark technical standards that must be implemented from 17 January 2025.
The DORA regulation is aimed at all financial sector operators, both traditional (banks, payment institutions, investment funds, financial brokers, etc.) and non-traditional (ratings agencies, crowdfunding platforms, etc.).
Financial institutions subject to the DORA regulation (art. 2)
- Credit entities
- Payment institutions
- Account information service providers
- E-money institutions
- Investment companies
- Crypto-asset service providers
- Authorized and connected token issuers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Alternative investment fund managers
- Management companies
- Data communication service providers
- Insurance and reinsurance companies
- Insurance and reinsurance brokers
- Pension providers
- Credit ratings agencies
- Administrators of critical reference indices
- Crowdfunding service providers
- Securitization data repositories
The main DORA requirements to guarantee adequate security levels
The DORA regulation requires financial entities to ensure effective and careful management of all IT risks with a view to minimizing their impact.
This is made possible through the definition of an IT risk management framework that meets specific technical requirements aimed at guaranteeing an adequate level of security.
IT risk management
The approach to risk management must be structured in specific phases: Identification; Protection and Prevention; Detection; Response and Recovery; Learning and Evolution; Communication. In concrete terms, financial entities are required to map the business functions supported by ICT services and identify those that are critical, assess threats, implement security policies, monitor for abnormal activity and guarantee operational continuity with a dynamic, continually improving approach.
Reporting and notification of incidents and threats
Financial entities are required to monitor services continually, evaluate abnormal events and cyber threats, and notify the competent authorities of major incidents and significant threats. The criteria considered include the number and importance of customers involved, the transactions affected, the impact on reputation, the critical nature of the services, the duration and geographical spread of incidents, and the direct and indirect economic impact.
Digital operational resilience testing
The DORA regulation requires financial entities to define and implement an annual programme of digital operational resilience testing to assess their level of preparedness to manage incidents, disruption and external attacks on ICT systems. For critical ICT services, threat-led penetration testing (TLPT) must be performed: advanced tests that imitate the tactics of real attackers and are designed to identify security weaknesses and improve response capability.
Third-party risk management
DORA attributes a key role to ICT service providers, whose reliability cannot be underestimated when aiming to guarantee digital operational resilience: not only has the entire financial sector become primarily digital, but digitalization has also made interconnections and dependencies more pronounced, both within the sector and in relation to third-party infrastructure and service providers. Financial entities are required to identify providers who play a key role in their business services, evaluate them, and ensure that they are capable of maintaining the required security standards.
Aruba support in achieving DORA regulation compliance
As Italy's leading provider of IT services and solutions for private and professional users, businesses and the Public Administration, covering cloud, hosting, data center and trust services, Aruba is able to support customers in fulfilling all the requirements for DORA Regulation compliance.
Aruba-owned data center infrastructure
Aruba has many years of experience in the design and construction of data centers, and has established an outstanding European network of privately owned, Rating 4 ANSI/TIA-compliant infrastructures. Thanks to this strategic asset, Aruba can offer a full range of services and IT platforms based on security best practices, with insurance cover for residual risks.
Security certifications and accredited Certification Authorities
Aruba services are subject to regular internal audits and third-party evaluations to ensure compliance with ISO 27001, ISO 27017, ISO 27018, ISO 27035, ISO 22301, ISO 9001 and CSA STAR Level 2 security standards. Through our Aruba PEC and Actalis Certification Authorities, we provide trust services that guarantee we are qualified to operate in different areas of the IT sector and provide certified services that are recognized at European level.
Risk Management, monitoring and internal controls
Aruba regards information as a critical asset and has implemented an ICT risk assessment model designed to protect it. Aruba actively contributes to the IT security sector through industry associations and standards work, continually monitoring technology and emerging threats and collaborating with research bodies to integrate innovative solutions.
Aruba security services useful for DORA compliance
Thanks to our professional team of experts, who are highly skilled in the management of security solutions, and the Actalis and Aruba PEC Certification Authorities, we offer solutions that strengthen the ICT infrastructure of financial entities, protecting digital transactions and guaranteeing resilience and operational continuity in line with DORA requirements.
Managed Services
- Managed Aruba MDR - A managed detection and response solution for combating cyber threats to customer resources, which includes antivirus protection at no additional cost.
- Aruba Vulnerability Assessment and Penetration Testing - Identifies vulnerabilities and simulates intrusions, reducing the attack surface and supporting system compliance.
- Aruba Managed Web Application Protection - Customizable web security services with no need to purchase specialized tools or hire specialized personnel, lowering costs and simplifying effective use.
- Business Continuity as a Service - Business continuity solutions with zero RPO and near-zero RTO, managed on technology campuses for mission-critical environments.
- Disaster Recovery as a Service - Allows replicas to be created between remote sites so that solid, documented processes for restarting systems can be adopted.
Trust Services
- SSL Certificates - Guarantee a secure, encrypted connection between server and client, protecting data in transit from being intercepted or tampered with.
- Code Signing Certificates - Allow software, scripts and applications to be digitally signed, guaranteeing that code has not been altered or compromised after it was created.
- S/MIME Certificates - Protect email messages using encryption and digital signatures, guaranteeing confidentiality, integrity and authenticity.
- QWAC (Qualified Website Authentication Certificates) - PSD2-compliant certificates that ensure high levels of reliability and identification, guaranteeing the integrity of data during transmission.
For more detailed information on the full range of products and security services, please submit a contact request form.