DORA – What’s Next and How Can I Prepare?

In this clip from HANDD’s recent webinar, experts outline upcoming key dates and stress the need for organisations to proactively prepare for DORA enforcement by January 2025. Emphasising the identification of existing compliance, gap analysis, and early engagement with third-party suppliers, we advocate a strategic approach to avoid last-minute challenges.

Watch the clip ‘DORA – What’s Next and How can I Prepare? below.

Need more support on DORA? Then watch the full DORA webinar here.

Transcript:

Sam Malkin : So what’s happening next? we’ve already I think all three of us have mentioned these other RTSs is which are currently in draft format, Matt covered it. So I’m not going to spend too much time here. It can be found online, if you can’t find them, ask us and we’ll be able to point you in the direction of where those RTSs are, that’s going to run through to the fourth of March. And on the key dates this year, we’ll have a similar event to what’s going on today. So the big day really is a year from today, when actually you’re going to have to have this stuff in place, and it’s going to be enforced. So what are we advocating that people start to consider or start doing over the next 12 months? Something that I’ve already alluded to and we’ve already told customers is that a lot of this regulation is probably already being adhered to within your organisation. I think that the closer you get to January 2025, I expect to see more vendors kind of claiming that they’re going to solve DORA for you with purchase of their product set. But I think the important thing to be doing this far out is to identify what you’ve already got. And where you potentially have a gap, you know, performing a gap analysis.

So if you’ve already got ISO 27001 compliance, if you’re already following a lot of best practices, you know, all of the frameworks that we all know and love, there’ll be a lot of coverage you’ve already got in place. I think what might be lacking is stuff like that asset classification, or understanding behaviors and anomalous detection or having a PKI policy. Certainly a lot of the organisations I’ve worked for and with in the past don’t have PKI management within their infrastructure or policies to do so. So how often do you rotate keys? Do you have a certain certificate authority that you get all your SSL certs from? So we need to be doing that. Obviously BCP exercises, you know, I would say, do a couple of them so the you’ve been through it, you’ve tracked it, you’ve tested it, and you understand what’s good and what works for you. And then as Nick just said, you know, the third party suppliers that you’ve already got, you need to start getting that information ready. It’s not just new contracts that needs to go into that asset register.

So for some people, that might be a really, really easy exercise, it might be, you know, I just need to go and talk to Amazon. For others, you know, you might have to start researching as to who provides what, as Matt already said, you know, we’re going to be involved in a lot of those discussions. And you’re going to have to start performing those background checks and recording them into templates. That’s probably not the type of thing you want to be doing on the 17th of January 2025 when it goes live. So you want to be ready for when that comes in.

Matt Parkinson : I think, my sort of takeaway on that part particularly is; there’s loads of stuff we’re going to have to do, some stuff we don’t know exactly what it is yet i.e. the RTSs – but there are things we can start doing now. That is going to be people, policies and process based stuff that you can do without having to go out and buy some special product to do it. But what everybody doesn’t want to do is loads of work now to then have to throw in the bin at the RTS changes. Now the RTS are out for those areas covered, talk to us – we can help you and you’ve got another year to do this stuff. But you are going to have to do it so let’s start working now so we don’t need to panic. We all remember the GDPR products that were going to solve it for us and none of them did. So yeah – just start thinking now.

Need support to achieve DORA compliance?

HANDD is experienced in helping banks and financial institutions navigate the complexities of new cyber regulation, and DORA is no exception. Our experienced team of cyber-risk specialists can help you find and identify non-compliant areas of your business in preparation for the full launch of DORA in 2025.

Book a call with our DORA Consultant: Call +44 (0)845 643 4063 or email marketing@handd.co.uk

Need more? View all our DORA resources here.