Managed Detection and Response
The State of Cyber Defense: Manufacturing Cyber Resilience
July 31, 2024
DORA Compliance Assessment
Understand your gaps and prioritize key requirements for DORA compliance with guidance from Kroll experts.
Contact Us
Watch our DORA breifing here, to learn about top tips in achieving DORA compliance for your organization. Watch Now.
DORA is a new EU regulation designed to improve the cybersecurity and operational resilience of firms in the financial services sector, covering more than 22,000 financial entities and Information Communications and Technology (ICT) service providers operating within the EU.
The DORA regulation comes into force on January 17, 2025, with state- level mechanisms expected to be in place and financial entities will be expected to be compliant with the regulation.
Businesses may underestimate the amount of work required to become DORA compliant, and those based outside the EU may not realize that they also need to pay attention to the changes. This could put organizations at risk of failing to meet the new DORA requirements.
To prevent this and ensure that they are ready for the impending changes, businesses should take strategic action now.
Key Focus Areas of DORA Regulation
ICT Risk Management | ICT Related Incident Reporting | Digital Operational Resiliency Testing | ICT Third-Party Risk | Information Sharing |
|---|---|---|---|---|
Embed a comprehensive risk management framework for ICT systems. | Standardize reporting of ICT related incidents. Incident management processes and templates for reporting of incidents. | Testing and assurance of technology resiliency through a combination of techniques and harmonization of data collected by financial organizations. | Stricter controls and processes for third-party risk management and oversight. | Mechanisms for sharing information on threat actor activity. |
What is the difference between DORA and NIS2 ?
Organizations may find similarities between NIS2 and DORA given its focus on Digital Resilience, however, it is important to understand that there are key differences in terms of scope and application:
NIS2 | DORA | |
|---|---|---|
Type | Directive – EU Member States are responsible for implementing national laws | Regulation – directly applicable to financial services companies |
Implementation Date | October 17, 2024 | January 17, 2025 |
Applies To | Critical Sectors (energy, transportation, health, space, internet etc.), MSPs, MSSPs in EU Member States | Financial Entities (banks, insurance, crypto, etc.) and ICT service providers in EU member states |
Overlap | Part of the broader cybersecurity regulatory framework | Takes precedence where sector-specific rules apply (‘Lex Specialis’ exemption)
|
Areas of Focus | Strengthening overall security and incident reporting requirements | Complements NIS2 by providing specific provisions around ICT frameworks, incident response and third-party ICT contracts |
Testing Requirements | Variable depending on country |
|
Incident Reporting |
| Classification of ‘major’ incidents and subject to the following:
|
Navigating the Most Common Barriers to DORA Compliance
From our experience of helping organizations in the financial services industry in addressing cybersecurity, governance, risk and compliance challenges, we anticipate businesses may underestimate the amount of work required for DORA compliance. More specially, it’s important to consider some of the most common challenges that will need to be addressed:
How Kroll Can Help You Achieve DORA Compliance
Kroll has a long track record of working with financial institutions to enabling them to achieve their security and regulatory goals. We leverage knowledge of Kroll experts who are our expertise consisting of former DORA consultation group members and former SEC, FCA and AMF regulators, along with our frontline intelligence from thousands of incident response cases a year, to provide in-depth support and help prepare your organization prepare for and to fully meet DORA requirements.
Key Outcomes:
Understand Key Gaps in Your DORA Compliance | Have a Clear Path to DORA Compliance While Reducing Longer Term Risk | Implement Solutions to Maintain Operational Resiliency |
|---|---|---|
Quantitative measure of DORA compliance status highlighting key weaknesses by carrying out a gap assessment of operational resilience with DORA and RTS standards | Clear roadmap towards DORA compliance with priority tasks and timeframes. An action tracker is also provided with recommended owners to help stakeholders for effective project management | With our portfolio of advisory, transformation and managed services, we can assist you with the implementation of DORA-aligned policies and procedures, controls, testing and services across ICT risk management, incident management, business continuity, third-party risk management, and digital resiliency testing |
DORA Compliance Assessment in Your Cyber Risk Retainer
Our DORA Compliance Assessment, along with many other cybersecurity and compliance services, can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer. In addition to prioritized access to Kroll’s elite digital forensics and incident response team ahead of and in the event of an incident, the Retainer can also be used for services like penetration testing, risk assessments and tabletop exercises to name just a few.
Why Kroll?
- Ex-DORA and Financial Services Regulatory Experts
Our team consists of experts involved in the preparatory consultation work that led to DORA as well as former-FCA, SEC and AMF regulators with a deep understanding of relevant legislation and standards in your industry to provide real insight and value.
- Experienced, Accredited Cybersecurity Professionals
700+ skilled and certified cybersecurity experts across the globe, experienced in not only helping clients comply with multiple regulations but staying resilient ahead of the changing landscape.
- Solutions Across the DORA Maturity Lifecycle
Our solutions can address all aspects of DORA compliance and maturity; from assessing all possible gaps/weaknesses and advising on remediation with our consultancy expertise to implementing the right controls and providing remote- managed services.
- Unrivalled Frontline Intelligence
With unrivalled exposure to thousands of incident response cases each year, we know what’s needed to stay resilient to cyber threats.
- Fast Implementation, Built on Previous Engagements
We leverage our 50+ DORA-tailored policies and procedures templates to provide immediate value as we roll out your tailored program.
Talk to a Kroll Expert
Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page.
Cyber and Data Resilience
Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.
Compliance and Regulation
End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.
Financial Services Compliance and Regulation
End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.
Cyber Governance and Strategy
Manage cyber risk and information security governance issues with Kroll’s defensible cyber security strategy framework.
Threat Exposure and Validation
Proactively identify your highest-risk exposures and address key gaps in your security posture. As the No. 1 Incident Response provider, Kroll leverages frontline intelligence from 3000+ IR cases a year with adversary intel from deep and dark web sources to discover unknown exposures and validate defenses.
Incident Response and Litigation Support
Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
The State of Cyber Defense: Manufacturing Cyber Resilience
Repulatory Updates
Navigating the Digital Age: DORA’s Role in Financial Services
August 30, 2024
by Grainne O' Farrelly, Hannah Rossiter, Eoin Devlin
Regulatory Updates
Global Regulatory Pulse
October 3, 2024
by Aaron Weiss, Colleen Corwell, Hannah Rossiter, Eoin Devlin, Rose Kaufman, Ana D. Petrovic, Andrew Poole, Alasdair Putt, Josh Parker, Rajiv Philip, Amrita Michael
Kroll Appoints Katherine Keefe to Lead Global Cyber Insurance Industry Capabilities
Press Release
Kroll Appoints Katherine Keefe to Lead Global Cyber Insurance Industry Capabilities
October 18, 2024
Press Release
Kroll Becomes Relativity Gold Provider Partner
September 19, 2024
Press Release
Kroll Recognized in 2024 Gartner Market Guide for Digital Forensics and Incident Response Retainer Services for the Fifth Consecutive Year
September 12, 2024
Press Release
Kroll Expands AI Risk Consulting Services
August 27, 2024
Kroll is headquartered in New York with offices around the world.
One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2024 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.