Hi Jeremy,
While a SOC 2 report may assist in demonstrating part of DORA compliance, it's important to note that not all the specific requirements listed for DORA may be in scope for SOC 2 audits. As the organization you're working with is based in Sweden, they will have more experience and direct knowledge than I do with DORA. Please see below:
The DORA Act: Principal Conditions & Goals
The Digital Operational Resilience Act (DORA) aims to guarantee the financial sector's capacity to function in a secure and resilient way. DORA has five main components:
- ICT Risk Management
- Incident Reporting
- Operational Resilience Testing
- ICT Third-party Risk
- Information sharing
The act mandates the following key criteria:
- Companies must have an incident management plan that clearly outlines what qualifies as a cyberattack, the appropriate actions employees should take in response, and the steps to be taken to restore operations in the event of a breach.
- Companies must have a cybersecurity program in place that assesses the potential risks of cyberattacks and has a plan of action to mitigate them.
- Companies must maintain proper security measures for their digital infrastructure. These measures include encryption, authentication, access controls, audit trails, monitoring systems, event management systems, and incident response plans.
- Companies must report any incidents that occur to allow regulators to evaluate their vulnerabilities. This enables regulators to offer recommendations for enhancing the company's security posture.
- Companies should have a contingency plan to ensure uninterrupted service in the event of any disruptions.
The SOC 2 framework consists of 5 Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Not all SOC reports are created equally, though, as you can choose between just using the Security criteria or a mixture of the five, as long as Security is included as the base set of criteria. This furthers the point that a SOC report may or may not cover potentially required control areas within DORA, especially if the Availability criteria are not chosen. As it does not appear that Oversight Plans have been standardized, a crossover / mapping between them isn't available to my knowledge, but if anyone is aware of more standardized criteria for Oversight Plans, I would appreciate the resource.
In addition, here are other helpful resources:
The oversight plan and objectives are determined by the Lead Overseer. Relatedly, Directive (EU) 2022/2555 is referenced for potential control area overlap, with Article 7 within it providing high-level guidance in a limited control area: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555 Chapter IV within it also addresses additional control areas.
If an organization is designated as a Critical ICT Third-Party Provider (CTPP), oversight will be carried out by one of the European Supervisory Authorities: https://kpmg.com/xx/en/home/insights/2022/08/managing-critical-third-parties.html
I would love to hear from other members if they can shed some light on this topic.
Original Message:
Sent: 08-10-2023 02:51 PM
From: Jeremy Pelkey
Subject: Digital Operational Resilience Act
Through our BaaS opportunities, we are working with a company based out of Sweden, and they have advised that DORA and SOC 2 are similar. I am seeking any guidance on this topic from this community. We read that EY consultants met with leaders from the Swedish Bankers' Association and Insurance Sweden to discuss potential challenges with the Digital Operational Resilience Act (DORA), but we are unsure how to use the information for our due diligence when onboarding.