Most prominent of these are the EBA guidelines on ICT and security risk management and the corresponding EIOPA guidelines (collectively, the ICT guidelines). Since these guidelines were adopted in 2020 and 2021 respectively, FCG has supported financial institutions in maturing their ICT and security risk management.
If we have adopted the guidelines on ICT, what will be the major challenges in adopting the DORA legislation?
The simple answer is that by strengthening your ICT and security risk management you have already done part of the work needed to meet the requirements set by DORA. However, two things must be understood before taking on DORA.
Firstly, instead of focusing only on ICT risk management and information security within a single institution, DORA aims to secure digital operational resilience across the entire financial ecosystem. What this means in practice is that DORA applies to more types of financial entities than previous regulation has done.
Secondly, the requirements set in DORA are more focused on ensuring the existence of strategies, frameworks, and governing processes that achieve digital operational resilience. By contrast, the requirements in the ICT guidelines are more focused on specifying controls, especially security controls, and address governing processes only in general terms. In this regard, DORA should not be seen as a replacement for the ICT guidelines, but as a necessary complement to them in building a stable financial ecosystem.
FCG helps you navigate
FCG is confident that any financial entity accustomed to the ICT guidelines and working actively with ICT risk and security management has a head start. Taking the right steps now will let you achieve robust digital operational resilience.
Want to find out how FCG can help you?