Our view of DORA for German companies
We see DORA both as a challenge and as an opportunity for financial firms. DORA’s uniform EU-wide requirements mean that financial firms must ensure a consistent level of maturity in terms of cybersecurity and operational resilience in respect of all of their activities in the EU.
However, with a “preparatory period” of two years, which is already well under way, there is a huge amount to consider, implement and verify. Financial institutions should undertake comprehensive gap analyses now, in order to evaluate their degree of maturity with respect to DORA and identify, in good time, the areas that require further investment and appropriate prioritisation. This will put your company in a better position to meet the more complex requirements, such as third-party risk management, threat intelligence and more advanced security testing, and thereby protect itself proactively against possible shortfalls.
Given DORA’s broad scope of application, it is likely that the regulation will address many topics that are already covered by existing provisions in Germany. Nevertheless, certain topics such as threat intelligence and threat-led penetration tests are novel, and closer attention must therefore be paid to them. We see a further challenge in developing overall control of, and an understanding of, all the key dependencies between your company and your service providers. Given the heavy focus on third-party risk management, companies are expected to satisfy themselves as to the resilience of their service providers. This requires close interaction and collective efforts with the relevant third-party ICT providers – particularly if these support the provision of critical or important business services.