Counting DORA: Tips for Managing DORA Compliance Requirements

The countdown for the Digital Operational Resilience Act (DORA) continues. With the regulation set to apply from 17 January 2025, many organizations are scrambling to ensure they are ready. They do not have to face this challenge alone, as companies like Vanta can help with compliance.
In a recent webinar, Counting DORA: Preparing for Compliance, Faisal Khan, GRC solutions specialist at Vanta, and Lazar Lazarov, head of information security at BVNK, a stablecoin payments infrastructure provider, discussed the DORA framework. They covered what it is, how to prepare for it, who it applies to, and how BVNK is managing its own DORA journey.
Discover more insights from the Vanta DORA compliance webinar.
What is DORA?
Khan began the conversation by saying, “At its core, DORA is an EU regulation aimed at strengthening digital operational resilience in the financial sector. In general, it is a framework that ensures that financial institutions have stability in their operations and can withstand all types of technological disruptions and cyber threats.”
He went on to outline the five pillars of DORA (ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements): “When talking to a customer, I frame it as a regulation that mandates a balanced security program for organizations. Finally, DORA promotes the strength of organizations.”
While financial institutions such as banks and insurance companies are the first to come to mind when it comes to DORA compliance, the third-party ICT service providers that serve them are also subject to the regulation.
Reflecting on his experience at BVNK, Lazarov said that one of the challenges the organization faced in its compliance process was understanding which of its third-party providers fall within the category that DORA regulates.
Given the interconnectedness of tools and processes, Lazarov said: “My advice is to be careful about adding more vendors rather than fewer: we want them to deliver what we need, and DORA is the perfect way to get the additional assurances.”
Khan then emphasized the importance of DORA compliance. Companies that fail to comply can be fined millions of euros.
How can Vanta help?
The journey to DORA compliance can be difficult. Vanta provides tools aimed at streamlining this process for organizations. Its service includes an automated compliance solution with a prebuilt framework that maps DORA requirements to the controls an organization must implement. This is intended to help companies demonstrate compliance with the current regulation and to prepare them for future changes or updates to it.
How Vanta helps BVNK keep up
Lazarov described Vanta as “instrumental” in connecting systems that had been started but left unfinished at different points in BVNK’s lifecycle as people moved within the company.
Lazarov also said, “I am happy that I was able to convince my manager on our board to go for the extended risk management and vendor management package with Vanta, because now we are complying with ISO 27001 in our risk register in addition to our vendor register.
“Because of this, we’re 40 percent of the way to becoming DORA compliant! Sixty percent may seem like a long way to go, but that’s mostly related to documentation. We need to change our policies and train the board of directors, and that’s the easy part. The hard part is going after your vendors, but that’s done.”
As a result of the partnership with Vanta, Lazarov added that he wakes up happy, knowing that he can check his emails and see which individual controls need to be fixed. “It really helps to get ahead.”
Progressing from ISO 27001 to DORA
ISO 27001 is an important standard that holds organizations accountable for their security. For BVNK, it has been important in shaping its policies and processes, Lazarov said. When asked how BVNK found the transition to DORA, Lazarov said: “We don’t need to rewrite our policies from the bottom up; we can see where we need to upgrade the ones we have now to follow it.”
Exemplifying this, he added: “For us to be ISO compliant, it took us about six to seven months. Then to upgrade from ISO to DORA, it only took us two months.”
The conversation turned to the challenges faced by companies seeking to become DORA compliant, with Lazarov reflecting on BVNK’s obstacles. “Vendor management is the biggest challenge to achieve compliance. We need to understand who the ICT vendors are, while simultaneously checking what needs to be more compliant. We can’t expect them all to be ISO 27001 certified —so we have to bug them and chase them and make sure they comply with DORA, and as a smaller company, getting them to sign these contracts is very difficult.”
DORA and national competent authorities
In addition to DORA’s requirements for operational resilience, there is also an emphasis on the need to coordinate with National Competent Authorities (NCAs). NCAs supervise and enforce compliance in their respective EU member states, and they require companies to provide clear evidence of their risk management, incident reporting, governance of third-party ICT providers, and resilience testing measures. Adapting strategies to the relevant NCA’s interpretation of DORA helps ensure consistent compliance across jurisdictions.
Khan suggested that companies review DORA’s prescriptive requirements, along with what is required by their NCA, to address the different ways these can apply to their business, so that they are fully prepared should the regulator raise any questions about their compliance.