Five pillars

The DORA framework rests on five pillars, which together set out comprehensive requirements for strengthening digital operational resilience.

ICT risk management

The section on risk management in DORA contains the most important principles and requirements for the risk management framework of financial entities. Section I of Chapter II deals with the governance and organizational requirements of the ICT risk management framework. Section II contains the requirements for the ICT risk management framework as part of the overall risk management system.

Treatment, classification and reporting of ICT-related incidents

With the requirements for handling, classifying and reporting ICT-related incidents set out in Chapter III, DORA aims to harmonize the reporting of ICT-related incidents across the financial sector. Beyond the mandatory reporting of major ICT-related incidents, DORA also provides for the voluntary reporting of significant cyber threats. Chapter III further contains requirements for the process of handling ICT-related incidents.

Testing digital operational resilience

Chapter IV requires the implementation of a comprehensive testing programme as an integral part of the ICT risk management framework, in order to assess readiness for dealing with ICT-related incidents and to identify weaknesses, deficiencies and gaps in digital operational resilience. Beyond the basic testing requirements, DORA also requires advanced testing in the form of threat-led penetration testing (TLPT) for selected financial entities that fall within the scope of the TLPT provisions.

Management of ICT third-party risk

In the first section of Chapter V, DORA sets out key principles for managing ICT third-party risk within the ICT risk management framework, as well as key contractual provisions to be considered when dealing with ICT third-party service providers. In addition, Section II of Chapter V introduces an oversight framework for critical ICT third-party service providers. This oversight framework covers those ICT third-party service providers that the European supervisory authorities have designated as critical, on the basis of a classification process, and that are therefore subject to oversight.

Agreements on the exchange of information

In Chapter VI, DORA aims to improve the digital operational resilience of financial entities by providing for the voluntary exchange of information and intelligence on cyber threats between financial entities.
