DORA | Board Training


Overview

What is the "management body" according to DORA?

According to Article 3 (Definitions) of the Digital Operational Resilience Act (DORA), management body means the body or bodies which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity.


What are the responsibilities of the "management body" according to DORA?

According to DORA, in order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk.

According to Preamble 45 of the Digital Operational Resilience Act (DORA): "The financial entities’ management bodies should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy. The approach to be taken by management bodies should not only focus on the means of ensuring the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer, and for all staff, a strong sense of awareness about cyber risks and a commitment to observe a strict cyber hygiene at all levels. The ultimate responsibility of the management body in managing a financial entity’s ICT risk should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body in the control of the monitoring of the ICT risk management."


According to Article 5 of the Digital Operational Resilience Act, Governance and organisation:

1. Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in order to achieve a high level of digital operational resilience.


2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework.

For the purposes of the first subparagraph, the management body shall:

- (a) bear the ultimate responsibility for managing the financial entity’s ICT risk;

- (b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;

- (c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;

- (d) bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the financial entity;

- (e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;

- (f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;

- (g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training, and ICT skills for all staff;

- (h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;

- (i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:

  (i) arrangements concluded with ICT third-party service providers on the use of ICT services,

  (ii) any relevant planned material changes regarding the ICT third-party service providers,

  (iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.


3. Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.


4. Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.

It is a clear requirement from the Digital Operational Resilience Act (DORA) that the Board of Directors and the CEO must have the knowledge and skills necessary to assess cybersecurity risks, challenge security plans, discuss activities, formulate opinions, and evaluate policies and solutions that protect the assets of their organization. The failure to maintain adequate risk oversight can expose companies, officers, and directors to liability.



Our Briefings for the Board:

We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive, or longer, depending on the needs, the content of the program and the case studies.

Alternatively, you may choose one of our existing briefings:


1. The Digital Operational Resilience Act (DORA) for the Board of Directors and executive management of EU legal entities.

2. The Digital Operational Resilience Act (DORA) for the Board of Directors and executive management of non-EU legal entities.

You can find all information below.


Delivery format of the training program

a. In-House Instructor-Led Training. This format is specifically designed and customized for individuals within a particular company or organization, including board members, executive management, risk managers, and employees. An instructor from Cyber Risk GmbH, approved by the client, will travel to the client’s chosen location to deliver the training. The content and delivery are tailored to meet the specific needs of the client, as outlined in the contract.

b. Online Live Training. This real-time, synchronous training takes place in a live virtual meeting room via platforms such as Zoom, Webex, or Microsoft Teams. Instructors from Cyber Risk GmbH, approved by the client, customize the delivery method (e.g., interactive or non-interactive) to suit the client’s needs. The instructor leads the session and addresses questions based on the client’s specific requirements and the terms of the contract.

c. Video-Recorded Training. This professional, pre-recorded training format is tailored to the client’s needs and contract specifications. Instructors from Cyber Risk GmbH, approved by the client, record the content in a professional studio. The pre-recorded material, including future updates, is licensed to the client for internal training purposes. Clients can integrate the videos into their internal learning management systems. Available programs include Orientation Video Training and Compliance Video Training.



1. The Digital Operational Resilience Act (DORA) for the Board of Directors and executive management of EU legal entities.

This comprehensive training program is designed to equip the Board of Directors and executive management of EU legal entities with the critical knowledge and skills necessary to understand the challenges of the Digital Operational Resilience Act (DORA). We will discuss the right questions to ask to ensure thorough oversight, and how to evaluate the answers received, ensuring informed and effective decision-making.

Through this program, participants will explore their governance responsibilities, regulatory obligations, and the importance of a robust ICT risk management strategy. The course will also cover the practical steps necessary to enhance operational resilience, with a focus on accountability, internal controls, and strategic decision-making.

The training will highlight synergies between DORA and other relevant EU regulations, allowing organizations to design a comprehensive project that achieves compliance across multiple regulatory frameworks.


Course Synopsis (possible modules of the tailor-made training).

Understanding DORA.
- Gain a thorough understanding of DORA’s scope, key definitions, and its applicability to your organization.

Strategic Oversight and Governance.
- Understand the governance and accountability frameworks required under DORA for managing ICT risks and ensuring resilience.

Regulatory Compliance.
- Learn how to comply with the regulatory requirements under DORA, including ICT risk management frameworks, testing, and reporting.

ICT Risk Management.
- Explore the components of an effective ICT risk management system, including internal governance, risk identification, mitigation strategies, and oversight responsibilities.

Operational Resilience and Incident Management.
- Learn how to develop and maintain an operational resilience strategy to manage cyber incidents and operational disruptions, and to ensure business continuity.

Third-Party Risk Management.
- Understand DORA’s requirements for managing third-party ICT service providers, including cloud providers, and how to integrate third-party risks into your resilience strategy.

Critical Thinking and Decision-Making.
- Learn how to ask the right questions to ensure robust oversight, challenge assumptions, and critically evaluate the responses from your risk and compliance teams.

Synergies with Other EU Regulations.
- Explore how DORA aligns with and complements other EU regulatory frameworks. Identify opportunities to streamline efforts and resources across different regulatory requirements to create a unified approach to compliance.

One Project for Multiple Regulations.
- Discover how your organization can design and execute a single compliance project that addresses the key requirements of DORA while simultaneously meeting the objectives of other regulations. By integrating common elements such as incident reporting, governance frameworks, and risk assessments, your organization can reduce redundancy, lower costs, and ensure a more cohesive compliance strategy.

Which EU Directives and Regulations have common elements with DORA and may apply to us?
- The NIS 2 Directive.
- The Artificial Intelligence Act.
- The Critical Entities Resilience Directive (CER).
- The European Data Act.
- The European Data Governance Act (DGA).
- The European Cyber Resilience Act (CRA).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The EU Cyber Solidarity Act.
- The European ePrivacy Regulation.
- The European Digital Identity Regulation.
- The Corporate Sustainability Due Diligence Directive (CSDDD).
- The Financial Data Access (FiDA) Regulation.
- The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR).

Practical Steps for Implementation.
- Explore the practical steps to implement DORA’s requirements across your organization, including enhancing existing ICT governance frameworks, incident reporting, and preparing for regulatory scrutiny.


Instructor.

Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



2. The Digital Operational Resilience Act (DORA) for the Board of Directors and executive management of non-EU legal entities.

The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a country to extend its legal powers beyond its territorial boundaries, and to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.

The Sarbanes-Oxley Act of 2002, for example, applies to foreign auditors and foreign companies whose securities are listed in a US stock exchange.

Extraterritorial application of EU law is the application of EU provisions outside the territory of the EU, resulting from EU unilateral legislative and regulatory action.

For example, according to the EU’s General Data Protection Regulation (GDPR), non-EU data controllers and processors in any country must comply with the GDPR obligations if they offer goods or services to individuals in the EU.

Anu Bradford, Professor of Law at Columbia Law School, is the author of the book “The Brussels Effect: How the European Union Rules the World” (2020), which was named one of the best books of 2020 by Foreign Affairs.

In 2012, she introduced the concept of the ‘Brussels Effect’, which describes Europe’s unilateral power to regulate global markets.

Anu Bradford explains why most global corporations choose to adopt the European laws, regulations and standards in the design and operation of their products and services.

The EU standards are generally stricter, and in most cases, when you comply with EU rules, you comply with laws and regulations around the world.

Even when this approach is more costly, global corporations prefer to have an enterprise-wide, single mode of production and operations, and to market their goods and services globally.

Following the doctrine "you comply with EU rules, you comply around the world", global corporations and service providers need professionals that understand the EU laws, regulations, standards and guidelines.

When the European Commission determines that the regulatory or supervisory regime of a non-EU country is equivalent to the corresponding EU framework, the equivalence decision:

- allows authorities in the EU to rely on supervised entities' compliance with equivalent rules in a non-EU country,

- reduces or eliminates overlaps in compliance requirements for both EU and non-EU entities,

- makes services and products of non-EU companies accepted in the EU,

- allows third-country firms to provide services without establishment in the EU single market.

We will discuss what happens when the European Commission determines that the regulatory or supervisory regime of a non-EU country is not equivalent to the corresponding EU framework, or when the European Commission has not yet determined if the regulatory or supervisory regime of a non-EU country is equivalent.

We can better understand equivalence decisions from the experience we have with the Accounting Directive, the Audit Directive, the Capital Requirements Regulation (CRR), the Credit Rating Agencies Regulation, the European Market Infrastructure Regulation (EMIR), the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II), the Markets in Financial Instruments Regulation (MiFIR), the Prospectus Directive, the Solvency II Directive and the Transparency Directive.

While primarily aimed at EU entities, DORA has significant implications for non-EU companies that provide services to or operate within the EU financial system.


Course Synopsis

Introduction
- What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.
- Are you sure we must comply with DORA? Where can we find this information?

DORA and Its Extraterritorial Impact.
- Breakdown of DORA, scope, and provisions.
- Analysis of DORA’s extraterritorial application to non-EU entities that offer services to the EU or engage in cross-border activities.
- Key compliance obligations and risk management requirements for non-EU organizations.

Third-Party Providers to EU Financial Institutions.
- Non-EU companies providing ICT services, such as cloud services, software, or data storage, to an EU financial institution.
- Obligation for EU financial institutions to ensure that their third-party providers comply with DORA’s standards, which means non-EU providers will need to adhere to these same standards to retain their business.

Critical ICT Providers.
- Understanding the role of the European Supervisory Authorities (ESAs) for overseeing critical ICT providers, including non-EU companies.
- Understanding the compliance challenges if a non-EU provider is designated as "critical" and therefore becomes subject to direct oversight by EU regulators, with strict monitoring and reporting obligations.

Outsourcing and Subcontracting Arrangements.
- Non-EU companies that are part of outsourcing or subcontracting arrangements with EU entities will need to ensure their processes align with DORA’s requirements.
- The EU financial institution that outsources to a non-EU provider remains responsible for compliance, meaning non-EU companies must meet high standards for cybersecurity, resilience testing, and incident reporting.

Incident Reporting.
- Non-EU companies providing services to EU financial entities may also need to comply with incident reporting rules.
- Any major ICT incident that affects the operational resilience of the EU financial entity must be reported, even if the incident originates outside the EU.

Assessing the Risk Exposure of Non-EU Entities.
- Identifying sectors and services that fall within the scope of DORA.
- How to evaluate your organization's exposure to DORA obligations based on business operations in the EU.

Roles and Responsibilities of the Board and Executive Management.
- Clarifying the roles of the Board and executive management in overseeing compliance with DORA.
- Understanding the accountability and governance obligations of non-EU entities subject to DORA.
- Potential legal, financial, and reputational risks associated with non-compliance.

Cybersecurity Risk Management for Cross-Border Entities.
- Strategies for implementing effective risk management frameworks in alignment with DORA requirements.
- Enhancing resilience in international operations by adopting EU-compliant cybersecurity practices.

Immediate actions needed.
1. Carefully assess whether and to what extent you are required to comply with the Digital Operational Resilience Act (DORA), based on your operations and relationships with EU financial entities.
2. Align with DORA Standards. This includes developing comprehensive cybersecurity policies, resilience strategies, and risk mitigation processes.
3. Engage in Contractual Negotiations. Anticipate changes in contracts with EU financial entities that include provisions for compliance with DORA. This involves commitments to security standards, reporting obligations, and regular resilience testing.
4. Incident Management and Reporting. Establish robust systems to detect, manage, and report ICT-related incidents. This may involve setting up specialized teams or systems that can quickly respond to disruptions and communicate them effectively to EU clients.
5. Monitor for Critical ICT Provider Designation. If a non-EU company is providing critical services to EU financial institutions, it should be aware of the possibility of being designated as a critical ICT provider. This status requires adherence to stricter oversight and regulation by EU authorities.


Instructor.

Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html

