Don’t Trust DORA Compliance Checklists

04 Don’t Trust DORA Compliance Checklists

A DORA compliance checklist would make meeting the act's requirements easier for affected organisations.

Unfortunately, a DORA compliance checklist doesn't exist.

That doesn't mean you won't find plenty of such checklists online.

Having reviewed dozens of DORA compliance checklists, we can't say they're pointless. A checklist can provide a general direction and summary of DORA. However, that's typically where their usefulness ends.

Why You Shouldn’t Rely On a DORA Compliance Checklist

Unless it's tailored uniquely to you, a DORA compliance checklist is not something you can follow and expect to become compliant or even use to understand your compliance gaps.

Here's why:

DORA compliance can be too complex for a checklist

“Put in place resilience testing procedures. Establish standardised resilience testing methods to test your ICT systems’ effectiveness under various scenarios to ensure they can withstand disruption.”

From reading this example taken from a DORA compliance checklist, you know that, under DORA, you have to conduct resilience testing on your ICT systems.

The problem with this, and with every other checklist, is that you don’t get much insight into what to do for DORA compliance beyond high-level statements.

For instance, to continue with the example above, what testing is required/allowed under DORA? How often should this testing take place? Are there any exceptions? Are there any specifications regarding who should conduct this testing?

The only way to answer these questions is to read the DORA documentation and measure its requirements against your operations. To put it another way, you can’t tick an item off a checklist if you don’t know the details of what you’re ticking off.

You are likely to need specific advice

Like other regulations, DORA tells you that you need to be able to perform specific actions, but it doesn’t tell you how to do them.

DORA is broad in scope, and the solutions one organisation might use to meet these requirements will not necessarily work for another.

It’s up to each organisation to determine how they’ll meet DORA requirements. This means that it’s essentially impossible to have a practical DORA compliance checklist because it will be too generic.

For example, here’s an item from another DORA checklist:

“Entities will put in place mechanisms for prompt detection of anomalous activities, including performance issues and ICT-related incidents.”

Again, you know that you need to have some kind of detection mechanism to detect ICT-related incidents. But what kind of detection mechanism? Does what you have in place already work, or do you need to look at other mechanisms? Which one would be most suitable for your environment?

Neither a DORA compliance checklist nor the DORA documentation itself will be able to answer these questions for you.

DORA may overlap with your existing security program

For some DORA requirements, you might already have sufficient policies or controls in place.

This is especially true if you comply with other operational resilience regulations like FCA PS21/3 and PRA PS6/21. However, even smaller organisations may have some DORA requirements in place.

The only way to find out is through a gap analysis, not a checklist.

DORA is risk-based

DORA requires you to assess and manage your digital operational resilience based on your specific risk profile.

For example, a large bank is likely to have a broader attack surface. As a result, it will need extensive third-party risk management and robust incident response mechanisms to reflect its broader range of services, larger customer base, and greater exposure to international cyber threats.

In contrast, a small credit union is likely to have a smaller amount of exposure (even though it may face many of the same threats) and will be theoretically easier to secure.

With your DORA requirements depending on your level of risk, you cannot apply a uniform set of resilience measures to become DORA compliant like a checklist might specify.

DORA is not finished

Even if you were to find a comprehensive DORA compliance checklist, DORA isn’t yet finalised, and new information is being released constantly as public consultation continues.

DORA is designed to be adaptive to changing circumstances and risks, requiring ongoing assessment and updates to compliance strategies.

For example, we are seeing changes in DORA requirements, like incident reporting guidelines, between the release of the draft DORA documentation and current public consultation papers.

Forget DORA Compliance Checklists

We strongly advise financial services companies not to look at DORA compliance as a checklist exercise.

Your company isn’t going to be addressing DORA requirements in the same way that other companies will, and whatever approach to compliance you take is going to need to be customised to your organisation.

Compliance with DORA goes beyond ticking off a list of requirements. It involves integrating resilience into your strategy, governance structure, and culture.

What you need is something other than a checklist or a solution to a small subset of DORA challenges. You need a strategic plan.

Depending on your organisation, you may be able to figure out this plan internally, or you can hire a strategic, end-to-end DORA compliance partner like SECFORCE to help you create a tailored approach.

Contact us to learn more about how we can help you become compliant with DORA.

You may also be interested in...

05 Interpret the 5 DORA Pillars In 5 Minutes
Feb. 29, 2024

Interpret the 5 DORA Pillars In 5 Minutes

Our high-speed explanation of what exactly DORA pillars are, who's responsible, and what you need to do to be compliant.

See more
June 18, 2024

Threat-Led Penetration Testing Explained

Insights from SECFORCE’s offensive security experts on what threat-led penetration testing is (and what it isn't)

See more