Vstupenky na konferenci Kyber bez keců (21. 5.) právě v prodeji – přihlaste se do konce března slevou! 🚀

DORA Regulation

The Digital Operational Resilience Act (DORA) is a binding and comprehensive framework for managing mainly digital risks in the financial sector. It came into force at the beginning of 2023 and entities must comply with it from 17 January 2025.

The new regulation brings changes to digital and operational resilience management and sets rules for financial institutions and their ICT (information and communication technology) service providers. We can help you through the entire process of implementing DORA requirements – from initial DORA compliance analysis to ICT risk management services.

What is DORAand who is affected by the regulation?

The Digital Operational Resilience Order (DORA) is a binding and comprehensive framework for managing mainly digital risks in the financial sector. It came into force at the beginning of 2023 and entities must comply with it from 17 January 2025.
DORA applies to a wide range of financial institutions, such as banks, investment firms, insurance companies or crypto asset service providers. The regulation also significantly affect their information technology service providers, such as providers of cloud services or software development, etc. More than 22,000 financial entities in the EU are expected to be involved.
  • DORA sets out several obligations for financial institutions. Among the most important ones are:
  • Top management responsibility for establishing and approving all measures related to the ICT risk management framework.
  • Obligation for top management to attend regular training sessions.
  • Obligation to implement security measures.
  • Obligation to report ICT related incidents, implement countermeasures and many others.

Standards related to cybersecurity

Law of the Czech Republic

New Cybersecurity Act

EFFECTIVE

2025

APPLIES TO

Providers of regulated service.

MAIN OBLIGATIONS

  • Identify the regulated service by self-identification and registration through the NÚKIB portal.
  • Implementation of cybersecurity measures (in the regime of higher or lower obligations).

European Union Regulation

DORA

EFFECTIVE

17 January 2025

APPLIES TO

Financial entities.

MAIN OBLIGATIONS

  • Implement security measures to ensure digital operational resilience.
  • Information and Communication Technology (ICT) risk management.

International and cross-industry standard for Information Security Management System (ISMS)

ISO 27001

EFFECTIVE

Since 2005 (the latest version of the standard is from 2022).

APPLIES TO

All organizations that want to protect their assets.

MAIN OBLIGATIONS

  • Implement information security measures (certification).
  • Asset and risk management. Business continuity management.
  • Incident management.

European standard, assessment and information exchange mechanism for the automotive industry

TISAX®

EFFECTIVE

Since 2017 (version 6 of the VDA ISA survey is from April 4 2024 mandatory for all new TISAX assessments).

APPLIES TO

Organizations in the automotive industry.

MAIN OBLIGATIONS

  • Meeting the specific safety requirements for successful TISAX® certification.
  • The assessment for TISAX® certification takes place once every 3 years.

Frequently asked questions

DORA is an EU regulation that sets out a framework for digital risk management in the financial sector. Unlike NIS2, which covers cybersecurity across different sectors, DORA focuses specifically on financial institutions and their ICT service providers. NIS2 and its implementation in the new Cybersecurity Act will only apply to entities to the extent that DORA does not specifically address. This means that DORA is primary for them. However, this does not mean that only DORA will apply to financial entities, but to some extent NIS2 will also affect them in those areas not comprehensively addressed by DORA.

DORA applies to a wide range of financial institutions, including banks, investment firms, insurance companies and cryptocurrency service providers. It brings several obligations, including senior management responsibility for ICT risk management, ICT incident reporting obligations, ICT risk management, digital operational resilience testing, risk management measures for ICT service providers and many more.

Entities affected by DORA include credit institutions, payment institutions, investment firms, insurance companies, credit rating agencies and others. A full list can be found here. In contrast, the regulation does not apply to alternative investment fund managers, insurance and reinsurance companies or insurance intermediaries. A full list of entities not covered by DORA can be found here.

DORA came into force at the beginning of 2023, but entities must comply with it from 17 January 2025.

In 2024, the European Supervisory Authorities will submit draft implementing acts to the European Commission. These will provide technical specifications and guidance on how to specifically put the DORA requirements into practice. For example, it will say how to assess the amount of loss caused by an incident or what the rules will be for controlling suppliers/subcontractors supporting critical or important functions. There should be 13 of these implementing acts in total.

How can we help?

In a digital era where we are constantly faced with cyber threats, DORA seeks to increase the digital resilience of financial institutions and their suppliers, who play an important role in the cybersecurity of the entire financial sector.

We can help you by practically preparing your company for the new DORA regulation. Our approach is client-centric, and we understand your unique needs, goals, and challenges. When working with a client we begin by assessing the current state of the company through a gap analysis. Our interest is to ensure that you have control of your company’s security risks and proactively manage them. We believe that together we can make the digital space Věříme, že společnými silami můžeme dosáhnout, aby digitální prostor byl safer, more ethical and more transparent.

  • By conducting a gap analysis, we will assess your company's compliance with DORA and prepare a plan for the next steps and measures that need to be put in place.
  • We will prepare an outline of corrective measures to ensure compliance with the identified DORA deficiencies.
  • We can help you with managing your ICT and third-party risk management.
  • We will explain all your obligations and alert you to legislative changes in a timely manner.
  • We will prepare the necessary documentation to ensure you are compliant with DORA.

Why to work with us?

Experienced cyber experts
Our experts have many years of experience in the complete implementation of cyber security measures in companies of various industries and sizes.
Focus on legislation
We do not provide legal services, but our consultants have a legal background. We can therefore translate directives and legislation into plain language so that you fully understand everything.
We stay updated
We monitor the legislative developments and the current situation regarding the DORA regulation and other European standards in the current local legislation. We know the news and updates first hand.
We respect the business
We set up cybersecurity in a practical and comprehensible way so that it is mainly beneficial for you and so that everyone in your company understands and knows how to use it.
about us

Contact us and get your umbrella against cyber threats!

We will help you create the foundations, principles and documentation for the effective security. We will teach you how to understand and rely on your security in case of incidents, so that it is preventive and does not limit the operations.
Contact us

Přečtěte si o nařízení DORA

Všechny články

Newsletter

Do you want to be sure that your company is protected from cyber threats and at the same time comply with the applicable legislation? Sign up for the newsletter and get practical advice from our legal consultants.
By clicking subscribe you consent to the processing of your personal data for marketing purposes.