DORA Tools
Listen to this articleThe Digital Operational Resilience Act (DORA) is a proposed regulation by the European Union aiming to ensure that all entities operating in the financial sector, including banks, insurance companies, and even fintech startups, can withstand all types of Information and Communication Technology (ICT) risks.
The proposal aims to develop a more standardized approach to ICT risk management, including cyber-attacks, across the EU. This includes requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing, management of ICT third-party risk, and more.
The specific tools to ensure compliance with DORA would depend on its final form when enacted, but generally speaking, organizations would need a robust suite of tools to ensure resilience, risk management, and incident response.
| Activity | Tools | ||
|---|---|---|---|
| (a)(i) ICT Risk Management | Risk Assessment and Management tools (RSA Archer, LogicGate, ServiceNow's GRC module), Cybersecurity tools (CrowdStrike, Palo Alto Networks, Check Point, Splunk) | ||
| (a)(ii) Reporting of major ICT-related incidents and notifying cyber threats | Incident Response Tools (PagerDuty, Opsgenie, ServiceNow), Security Orchestration, Automation, and Response (SOAR) tools (Demisto, Phantom, Swimlane) | ||
| (a)(iii) Reporting of major operational or security payment-related incidents | Incident Response Tools (PagerDuty, Opsgenie, ServiceNow), Payment Security solutions (like PCI DSS compliant payment gateways) | ||
| (a)(iv) Digital Operational Resilience Testing | Security Testing Tools (Nessus, Qualys, Rapid7), Backup and Disaster Recovery Solutions (Veeam, Zerto, Datto) | ||
| (a)(v) Information and intelligence sharing in relation to cyber threats and vulnerabilities | Threat Intelligence Platforms (Recorded Future, ThreatConnect, Anomali), Collaboration tools (Microsoft Teams, Slack) | ||
| (a)(vi) Measures for the sound management of ICT third-party risk | Third-party Risk Management tools (Prevalent, BitSight, SecurityScorecard), Vendor Management Platforms (Gatekeeper, VendorInsight, Coupa) | ||
| (b) Requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities | Contract Management Software (Agiloft, Concord, Icertis), Vendor Management Platforms (Gatekeeper, VendorInsight, Coupa) | ||
| (c) Rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers | GRC Tools (RSA Archer, LogicGate, ServiceNow's GRC module), Vendor Management Platforms (Gatekeeper, VendorInsight, Coupa) | ||
| (d) Rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation | GRC Tools (RSA Archer, LogicGate, ServiceNow's GRC module), Collaboration tools (Microsoft Teams, Slack) |
