Making you 'Fit for DORA'
Tailored Coaching in all Areas and Efficient Automation
How do you manage to efficiently implement the requirements of DORA?
DORA in Practice
The DORA regulation, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is an EU regulation aimed at strengthening cybersecurity and operational resilience in the financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025, by which date financial entities must have implemented extensive security and resilience measures. Its aim is to ensure that financial entities can continue to operate even in the event of ICT (Information and Communication Technology) incidents.
The FIT4DORA team is a powerful partnership between KnowledgeRiver GmbH, VIVACIS Consulting GmbH, and Luther Rechtsanwaltsgesellschaft mbH for your DORA compliance.
With deep expertise in IT, process management, and law, the FIT4DORA team offers comprehensive advice to master your DORA challenges. From gap analysis through conception to sustainable implementation in regular operations, the individual phases are modular and can be carried out independently of each other.
KnowledgeRiver combines technology and compliance. Our expertise in IT information security and IT consulting makes DORA compliance tangible and achievable. Discover solutions that not only protect your IT but also optimize it.
Our Solution
The Prologue: Readiness Assessment (assess the current state)
The Obligation: DORA Compliance (planning and transformation)
The Extra Mile in Business Operations: Implementation in Regular Operations
Readiness Assessment: structured assessment of the current situation, comparison against the target state, and development of recommendations for action.
Key Questions
- Is my company affected by DORA?
- What exactly are the requirements of DORA?
- What aspects does my company already cover?
- Where is action required?
Services
- Determination of affectedness: categorization of the financial institution according to DORA
- Gap analysis based on the degree of affectedness: identification of weaknesses/deficiencies via interviews (questionnaire) or research based on existing documents (e.g. existing xAIT documentation such as BAIT or VAIT)
- Inventory of company IT assets
- Identification of responsibilities (including ICT third-party service providers)
- Assessment of IT architecture
- Assessment of IT processes regarding reporting, notification and auditing
Outcome
- Handover of detailed documentation and recommendations
- Presentation and discussion of results regarding DORA compliance
DORA Compliance: achieving basic DORA compliance with optimized investment of time and money.
Key Questions
- Which are the key measures that need to be implemented?
- What documentation does the company need to generate?
- How can it be ensured that costs do not get out of control?
Services
- Project management and execution: creation and categorization of work items, assignment of responsibilities (to teams/individuals), and definition of timelines
- IT concept validation or creation, with process definition and automated documentation for:
  - Reporting (recipients: regulatory authorities, auditors, and/or internal corporate committees): documentation of DORA compliance, tests and examinations, risk management (e.g. risk management practices and ICT third-party risks), ICT security measures, and creation of IT manuals (e.g. operational and emergency manuals)
  - Notification (recipient: regulatory authorities): ICT incidents, submissions to the information register (e.g. list of critical ICT third-party service providers and contract parameters), information exchange for joint threat mitigation
  - Auditing (recipients: internal corporate committees, auditors): penetration testing (usually addressing cybersecurity exclusively), backup/restore tests, disaster recovery tests, KPI definition (measurement method, parameters), role and permission management
Outcome
- Basic compliance with DORA
- Provision of concept documentation
DORA in Business Operations: sustainable and efficient DORA compliance, embedding the DORA requirements in day-to-day business operations.
Key Questions
- How can the provision of up-to-date documentation be automated?
- Which internal teams need to be involved in the processes for DORA compliance?
- What internal and external requirements must the company regularly meet?
Services
Establishment and further development of the digital DORA platform for central data collection and documentation for:
- Reporting:
  - (Partially) automated collection of relevant data and information
  - Automated generation of documentation based on previously specified templates
- Notification:
  - Automation such as collecting configuration and log data at the time of an ICT incident and transmitting it to regulatory authorities
  - Automation of submissions to the information register (e.g. list of critical ICT third-party service providers and contract parameters)
  - Automation of information exchange for joint threat mitigation
- Auditing:
  - Platform for preparation, regular execution, and documentation of resilience tests (penetration testing, backup/restore tests, disaster recovery tests)
  - KPI compliance: continuous measurement and reporting
- Data and communication platform for all stakeholders: Company employees, Information Security Officers (ISO), IT providers, ICT third-party service providers, legal experts, and process specialists
Provision of DORA compliance officers as the central point of contact for all DORA matters:
- Technical expertise
- Overview of existing DORA requirements and updates
- Development of internal and external processes
- Maintaining contact with all stakeholders
Outcome
- Sustainable and efficient maintenance of DORA compliance
- Reuse of established processes and automated documentation for additional requirements (e.g. NIS2, BSI IT-Grundschutz, ISO 27001 certification, …)
The FIT4DORA Team covers three areas: business organization, legal, and technology.