Data Strategy Briefing — January 17, 2025
The Digital Operational Resilience Act (DORA) starts applying, requiring EU financial entities to implement ICT risk management, incident reporting, and third-party oversight frameworks.
Executive briefing: Regulation (EU) 2022/2554 (DORA) begins to apply on 17 January 2025, obligating banks, insurers, investment firms, and ICT third-party providers to implement harmonised digital operational resilience frameworks.
Key data governance checkpoints
- ICT risk management. Finalise asset inventories, risk assessments, and protection measures covering critical data and systems.
- Incident reporting. Prepare to submit major ICT incident notifications within the DORA timelines using the common templates.
- Third-party oversight. Update contracts and monitoring regimes for critical ICT providers, ensuring access, audit, and exit clauses meet DORA standards.
Operational priorities
- Testing programmes. Launch threat-led penetration tests and scenario exercises proportionate to entity classification.
- Governance structures. Empower management bodies to oversee DORA KPIs, risk appetite, and remediation plans.
- Reporting automation. Integrate incident, testing, and third-party metrics into dashboards ready for competent authority review.
Enablement moves
- Align DORA controls with NIS2, PSD2, and EBA outsourcing guidelines to reduce duplication.
- Train first-line teams on new reporting templates, taxonomy, and escalation paths.
Zeph Tech equips financial institutions with DORA-aligned data resilience, testing, and third-party governance programmes.