Information Security

  • 1.  Digital Operational Resilience Act

    Posted 08-10-2023 02:51 PM

    With our BaaS opportunities and working with a company based out of Sweden, they have advised that DORA and SOC 2 are similar, and I am seeking any guidance on this topic from this community. We read that EY consultants met with leaders from the Swedish Bankers' Association and Insurance Sweden to discuss potential challenges with the Digital Operational Resilience Act (DORA), but we are unsure how to use the information for our due diligence when onboarding.



  • 2.  RE: Digital Operational Resilience Act

    This message was posted by a user wishing to remain anonymous
    Posted 08-10-2023 03:39 PM

    Great question. I'd be curious what others have to say about this as well.




  • 3.  RE: Digital Operational Resilience Act

    Posted 08-11-2023 10:58 AM

    Hi Jeremy,

    While a SOC 2 report may assist in demonstrating part of DORA compliance, it's important to note that not all the specific requirements listed for DORA may be in scope for SOC 2 audits. As the organization you're working with is based in Sweden, they will have more experience and direct knowledge than I do with DORA. Please see below:

    The DORA Act: Principal Conditions & Goals

    The Digital Operational Resilience Act (DORA) aims to guarantee the financial sector's capacity to function in a secure and resilient way. DORA has five main components:

    1. ICT Risk Management
    2. Incident Reporting
    3. Operational Resilience Testing
    4. ICT Third-party Risk
    5. Information sharing

    The act mandates the following key criteria:

    • Companies must have an incident management plan that clearly outlines what qualifies as a cyberattack, the appropriate actions employees should take in response, and the steps to be taken to restore operations in the event of a breach.
    • Companies must have a cybersecurity program in place that assesses the potential risks of cyberattacks and has a plan of action to mitigate them.
    • Companies must maintain proper security measures for their digital infrastructure. These measures include encryption, authentication, access controls, audit trails, monitoring systems, event management systems, and incident response plans.
    • Companies must report any incidents that occur to allow regulators to evaluate their vulnerabilities. This enables regulators to offer recommendations for enhancing the company's security posture.
    • Companies should have a contingency plan to ensure uninterrupted service in the event of any disruptions.

    The SOC 2 framework consists of 5 Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Not all SOC reports are created equally, though, as you can choose between using just the Security criteria or a mixture of the five, as long as Security is included as the base set of criteria. This furthers the point that a SOC report may or may not cover potentially required control areas within DORA, especially if the Availability criteria are not chosen. As it does not appear that Oversight Plans have been standardized, a crossover / mapping between them isn't available to my knowledge, but if anyone is aware of more standardized criteria for Oversight Plans, I would appreciate the resource.

    In addition, here are other helpful resources:

    The oversight plan and objectives are determined by the Lead Overseer. Relatedly, Directive (EU) 2022/2555 is referenced for potential control area overlap, with Article 7 within it providing high-level guidance in a limited control area: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555 Chapter IV within it also addresses additional control areas.

    If an organization is designated as a Critical ICT Third-Party Provider (CTPP), oversight will be carried out by one of the European Supervisory Authorities: https://kpmg.com/xx/en/home/insights/2022/08/managing-critical-third-parties.html

    I would love to hear from other members if they can shed some light on this topic.




  • 4.  RE: Digital Operational Resilience Act

    Posted 08-11-2023 11:01 AM

    Hi Jeremy, 

    I'll start this with the disclosure that I don't have experience specifically with DORA, operating under it, or aligning any processes to its requirements. That said, these are 2 separate things. DORA is legislation and/or a set of requirements for financial institutions in the EU, while a SOC2 is a type of audit, or more specifically a type of audit report.

    DORA is operational risk focused and increases the requirements for financial institutions around the operational risks of their critical third parties, specifically those that provide Information Communication Technologies related services to said institutions. It adds additional requirements for risk management, incident reporting, operational resilience testing and monitoring.

    As I mentioned previously, a SOC2 is a type of audit, but these actually aren't generally conducted outside of the US. These audits also don't specifically test to any legislation/regulations either. Internationally, ISO 27001 seems to be the popular standard, instead of SOC reports, but these also do not audit to specific regulations. It's also worth noting that while ISO is an actual certification, a SOC is not.

    Hopefully this helps differentiate the two.