This guide gives an overview of DORA (Regulation (EU) 2022/2554, the Digital Operational Resilience Act) and its implications for financial entities, with a focus on asset management companies. It sets out DORA's key provisions, the operational resilience it requires in the digital domain, and the obligations it places on financial entities and on the digital service providers they rely on (ICT third-party service providers, in DORA's terms).
DORA aims to raise the resilience of the financial sector as a whole by requiring entities to build, maintain and periodically reassess their operational integrity and reliability, above all in the face of disruptions. It applies to financial entities, asset management companies included, and to their digital service providers. Its measures are to be applied proportionately, taking into account an entity's size and overall risk profile and the nature, scale and complexity of its services, activities and operations.
The guide highlights the board's role in overseeing how DORA's obligations are implemented: the board must define, validate and supervise the deployment of the digital risk management framework. The guide recommends annual training for board members and notes the practical difficulty of keeping the board engaged with, and adequately reported to on, cyber resilience and IT risk.
The guide then examines the framework for managing digital risk, which calls for detailed documentation and for strategies that secure the entity's information systems. Within asset management companies, IT management, control functions and internal audit must be kept separate, and the entity needs a written digital resilience strategy.
The document also covers the classification of incidents and the incident management process each entity must establish: an incident register, defined roles and responsibilities, response procedures and communication plans. The board must be involved in incident management, and the entity's critical processes and the subcontractors that support them must be validated.
Finally, the guide addresses the management of third-party service providers that support critical or important functions, where exit strategies and more thorough risk analysis are required. The asset management company remains responsible for ensuring that the services it receives from third-party providers comply with DORA, and the guide notes the effect DORA will have on the maturity level of those providers.