Digital Operational Resilience Act (DORA) Training for the Board



Overview

What is the "management body"?

According to Article 3 (Definitions) of the Digital Operational Resilience Act (DORA), management body means the body or bodies which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity.


What are the responsibilities of the "management body" according to the Digital Operational Resilience Act (DORA)?

According to the Digital Operational Resilience Act (DORA), in order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk.

According to Preamble 45 of the Digital Operational Resilience Act (DORA): "The financial entities’ management bodies should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy. The approach to be taken by management bodies should not only focus on the means of ensuring the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer, and for all staff, a strong sense of awareness about cyber risks and a commitment to observe a strict cyber hygiene at all levels. The ultimate responsibility of the management body in managing a financial entity’s ICT risk should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body in the control of the monitoring of the ICT risk management."


According to Article 5 of the Digital Operational Resilience Act (Governance and organisation):

1. Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in order to achieve a high level of digital operational resilience.


2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework.

For the purposes of the first subparagraph, the management body shall:

- (a) bear the ultimate responsibility for managing the financial entity’s ICT risk;

- (b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;

- (c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;

- (d) bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the financial entity;

- (e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;

- (f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;

- (g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training, and ICT skills for all staff;

- (h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;

- (i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:

  - (i) arrangements concluded with ICT third-party service providers on the use of ICT services,

  - (ii) any relevant planned material changes regarding the ICT third-party service providers,

  - (iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.


3. Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.


4. Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.

It is a clear requirement from the Digital Operational Resilience Act (DORA) that the Board of Directors and the CEO must have the knowledge and skills necessary to assess cybersecurity risks, challenge security plans, discuss activities, formulate opinions, and evaluate policies and solutions that protect the assets of their organization. The failure to maintain adequate risk oversight can expose companies, officers, and directors to liability.


Our Briefings for the Board:

We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive (60 minutes) or longer, depending on the needs, the content of the program and the case studies.

Alternatively, you may choose one of our existing briefings:


1. The Digital Operational Resilience Act (DORA) for the Board of Directors and executive management of EU legal entities.

2. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.

You can find all information below.


1. The Digital Operational Resilience Act (DORA) for the Board of Directors and executive management of EU legal entities.

Course Synopsis

- Are you sure we must comply with the Digital Operational Resilience Act (DORA)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.

ICT risk management.

- The internal governance and control framework that ensures an effective and prudent management of ICT risks.

- The sound, comprehensive and well-documented ICT risk management framework, as part of the overall risk management system.

- ICT systems, protocols and tools.

- The need to identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.

- The need to continuously monitor and control the security and functioning of ICT systems and tools, to minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.

- The need for mechanisms to promptly detect anomalous activities.

- The need for response and recovery, and a comprehensive ICT business continuity policy.

- Ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss.

- Learning and evolving, gathering information on vulnerabilities and cyber threats.

- Communication, crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public.

- ICT-related incident management, classification and reporting.

- Digital operational resilience testing.

- ICT third-party risk.

- Competent authorities.

- Master plan and list of immediate actions, for firms established in the EU.

- Other new EU directives and regulations that introduce compliance challenges.

- Closing remarks.


Instructor.

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



2. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.

Course Synopsis

The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a country to extend its legal powers beyond its territorial boundaries, and to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.

The Sarbanes-Oxley Act of 2002, for example, applies to foreign auditors and foreign companies whose securities are listed in a US stock exchange.

Extraterritorial application of EU law is the application of EU provisions outside the territory of the EU, resulting from EU unilateral legislative and regulatory action.

For example, according to the EU’s General Data Protection Regulation (GDPR), non-EU data controllers and processors in any country must comply with the GDPR obligations if they offer goods or services to individuals in the EU.

Anu Bradford, Professor of Law at Columbia Law School, is the author of the book “The Brussels Effect: How the European Union Rules the World” (2020), which was named one of the best books of 2020 by Foreign Affairs.

In 2012, she introduced the concept of the ‘Brussels Effect’, which describes Europe’s unilateral power to regulate global markets.

Anu Bradford explains why most global corporations choose to adopt the European laws, regulations and standards in the design and operation of their products and services.

The EU standards are generally stricter, and in most cases, when you comply with EU rules, you comply with laws and regulations around the world.

Even when this approach is more costly, global corporations prefer to have an enterprise-wide, single mode of production and operations, and to market their goods and services globally.

Following the doctrine "you comply with EU rules, you comply around the world", global corporations and service providers need professionals that understand the EU laws, regulations, standards and guidelines.

When the European Commission determines that the regulatory or supervisory regime of a non-EU country is equivalent to the corresponding EU framework, the equivalence decision:

- allows authorities in the EU to rely on supervised entities' compliance with equivalent rules in a non-EU country,

- reduces or eliminates overlaps in compliance requirements for both EU and non-EU entities,

- makes services and products of non-EU companies accepted in the EU,

- allows third-country firms to provide services without establishment in the EU single-market.

We will discuss what happens when the European Commission determines that the regulatory or supervisory regime of a non-EU country is not equivalent to the corresponding EU framework, or when the European Commission has not yet determined if the regulatory or supervisory regime of a non-EU country is equivalent.

We can better understand equivalence decisions from the experience we have with the Accounting Directive, the Audit Directive, the Capital Requirements Regulation (CRR), the Credit Rating Agencies Regulation, the European Market Infrastructure Regulation (EMIR), the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II), the Markets in Financial Instruments Regulation (MiFIR), the Prospectus Directive, the Solvency II Directive and the Transparency Directive.

After this presentation, the Board and executive management will have a clear understanding of what is mandatory and what is "nice to have", and of the consequences of non-compliance.


Instructor.

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html