BVNK achieves DORA standards for operational resilience
We’re pleased to share that BVNK is compliant with DORA, the Digital Operational Resilience Act.
DORA has applied across the EU since 17 January 2025, with the aim of strengthening resilience and minimising operational risk across the financial sector. It builds on globally recognised information security management standards such as ISO 27001, adding more in-depth obligations around managing ICT and third-party risk, incident reporting and resilience testing.
BVNK is committed to maintaining the highest possible security standards for our customers. In this article, I’ll cover what DORA means for BVNK and our customers, as well as our key takeaways from implementing DORA.
What is DORA?
DORA is a new regulatory framework in the EU that aims to ensure financial institutions are resilient in the face of technology disruptions and cyberthreats.
It sets out requirements across five areas: ICT risk management, incident reporting, third party risk management, digital operational resilience testing, and information sharing.
DORA covers many topics already included in well-known ICT programmes like ISO 27001, but there are key differences:
- While other regimes focus on understanding ICT risks and creating the right internal structures or reporting, DORA brings a new level of detail when it comes to implementing practical measures to mitigate risk.
- DORA propagates operational resilience across the whole sector: its obligations don't stop at financial entities like BVNK but flow down, through contractual requirements and the oversight of critical ICT third-party providers, to our vendors and their subcontractors. Each party asks the next to be more resilient, and the end result is a more secure financial ecosystem.
Implementing DORA at BVNK
BVNK is already ISO 27001:2022 certified, an enterprise-grade stamp of approval on our security controls. As part of our DORA journey, BVNK has implemented additional measures to further fortify our resilience. These include:
- Ensuring our ICT vendors have the right security, privacy and data-handling practices.
- Enhanced business continuity planning, with robust disaster recovery plans for all critical ICT vendors.
- Aligning our incident management processes with DORA's incident classification and reporting requirements.
- Holistic global governance of ICT risk: ensuring the right level of expertise and oversight in each market.
Our key takeaways
As with any piece of regulation, implementing DORA wasn’t always straightforward and we tackled a number of challenges along the way. Below are some of our key takeaways.
Get ahead of disaster recovery with vendor exit plans.
It can be difficult to move away from a critical supplier, so it's important to plan ahead and consider, right from the start of the relationship: what are the alternatives if this doesn't work out? How would we exit and move to another solution? At BVNK, we've developed exit plans for all critical suppliers, as DORA requires for ICT services supporting critical or important functions (Article 28), and gone one step further by making this part of our regular vendor onboarding process.
New vendors = new risk.
A new tool in your organisation means a new risk, but it can be hard to stay on top of the tools colleagues are using, especially in a fast-scaling business. We've found it useful to run a system that automatically detects when new tools are introduced; this helps us reduce shadow IT and keep control of vendor risk.
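One way such detection can work, shown here as an added example rather than BVNK's own tooling: most SaaS adoption surfaces in the identity provider as an SSO login or an OAuth consent grant, so comparing those events against the approved-vendor inventory flags anything colleagues have started using without review. The log lines, app names (NotesAI, ZipSign) and field names below are constructed for the example; real exports from Okta, Entra ID or Google Workspace carry the same information under different keys.

```python
"""Shadow-IT detection from identity-provider sign-in and consent events.

Added example, not BVNK's system. Assumes the IdP exports one JSON object
per line with the fields used below (constructed format).
"""
import json
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample export: SSO logins and OAuth consent grants.
SAMPLE_EVENTS = """\
{"ts": "2025-02-03T09:12:44Z", "user": "alice@example.test", "event": "oauth.consent", "app": "Slack", "scopes": ["openid", "email"]}
{"ts": "2025-02-03T10:01:02Z", "user": "bob@example.test", "event": "oauth.consent", "app": "NotesAI", "scopes": ["openid", "email", "drive.readonly"]}
{"ts": "2025-02-03T10:05:19Z", "user": "carol@example.test", "event": "sso.login", "app": "Jira", "scopes": []}
{"ts": "2025-02-04T08:30:00Z", "user": "dave@example.test", "event": "oauth.consent", "app": "NotesAI", "scopes": ["openid", "email", "drive"]}
{"ts": "2025-02-04T11:47:51Z", "user": "alice@example.test", "event": "oauth.consent", "app": "ZipSign", "scopes": ["openid", "email"]}
{"ts": "2025-02-04T12:00:00Z", "user": "bob@example.test", "event": "sso.login", "app": "Slack", "scopes": []}
"""

# Approved-vendor inventory (constructed), keyed by the app name the IdP reports.
APPROVED_VENDORS = {"Slack", "Jira"}

# Scopes that hand a third party company data; their presence raises severity.
HIGH_RISK_SCOPES = {"drive", "drive.readonly", "mail", "calendar", "calendar.readonly"}


@dataclass
class Finding:
    """One unapproved application, aggregated across all events that mention it."""
    app: str
    first_seen: datetime
    users: set = field(default_factory=set)
    scopes: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        # Data-access scopes mean the vendor can already read company data.
        return "high" if self.scopes & HIGH_RISK_SCOPES else "medium"


def parse_events(raw: str):
    """Yield one dict per non-empty line, with the timestamp parsed to a datetime."""
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def detect_new_tools(raw: str, approved: set) -> dict:
    """Return {app_name: Finding} for every app seen that is not in the inventory."""
    findings = {}
    for ev in parse_events(raw):
        if ev["app"] in approved:
            continue
        f = findings.get(ev["app"])
        if f is None:
            f = findings[ev["app"]] = Finding(app=ev["app"], first_seen=ev["ts"])
        else:
            f.first_seen = min(f.first_seen, ev["ts"])
        f.users.add(ev["user"])
        f.scopes.update(ev["scopes"])
    return findings


def report(findings: dict) -> list:
    """Render findings as one line each, highest severity first, for a vendor-risk queue."""
    ordered = sorted(findings.values(), key=lambda f: (f.severity != "high", f.first_seen))
    return [
        f"{f.severity.upper():6} {f.app}: first seen {f.first_seen.date()}, "
        f"{len(f.users)} user(s), scopes={sorted(f.scopes)}"
        for f in ordered
    ]


if __name__ == "__main__":
    for line in report(detect_new_tools(SAMPLE_EVENTS, APPROVED_VENDORS)):
        print(line)
```

Running this against the sample flags NotesAI as high severity (two users, Drive scopes granted) and ZipSign as medium; each finding is what would open a vendor-risk review. In practice the inventory would be the vendor register the exit plans above are built on, so the same list drives both onboarding and detection.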
Align expectations with local regulators.
DORA is an EU-wide framework, but local regulators (National Competent Authorities or NCAs) may still differ in their expectations. For example, is it enough to have fulfilled a certain requirement or does your NCA expect you to report on this? If so, in what format? We found it valuable to stay in close contact with our local regulators to align on expectations.
Pooled industry intelligence is invaluable.
Engaging with law enforcement around new and emerging cyber threats is important, but by itself it's not always enough to keep you up to date with, for example, new phishing campaigns. Joining an organisation like FS-ISAC enables you to confidentially exchange information about cyber threats with 7,000 other financial institutions.
You can learn more about BVNK’s security controls and credentials in our Trust Centre.