How compliant off-channel communications can help you address DORA requirements


One of the biggest shakeups the financial sector in the European Union (EU) has seen is set to unfold at the beginning of 2025 when the Digital Operational Resilience Act (DORA) will come into effect.

Along with banks, insurance firms, and investment companies, the Information and Communication Technology (ICT) providers that serve them fall within DORA's scope, and financial entities must be compliant by 17 January 2025 or risk significant penalties.

The measure, which resulted from extensive debate and planning in the EU, requires companies with operations in the region to adopt a robust operational resilience framework.

What does DORA compliance entail?

The DORA regulation is designed to ensure financial institutions can withstand operational disruption, especially disruption arising from ICT risk.

Regulated entities are expected to have capabilities to protect against, detect, contain, recover from, and repair the effects of ICT-related incidents. DORA sets rules for how firms must handle ICT risk management, ICT-related incident reporting, digital operational resilience testing, and third-party ICT risk monitoring.

Essentially, the rules are supposed to ensure:

  • That financial firms operating in the EU can effectively withstand and respond to IT lapses, cyber threats, etc.
  • The protection of consumer data from breaches

Overall, the new rules are expected to affect around 22,000 organizations, including investment firms, banks, payment institutions, and cloud computing providers serving financial firms. Penalties for financial entities are set and applied by the national competent authorities of each member state. For ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, charged daily until the provider complies.

To comply with DORA requirements, financial firms need to demonstrate operational resilience by putting in place measures to:

  • Identify & Mitigate ICT-related risk

Financial firms in the EU must come up with measures to proactively manage the risk posed by disruptions to their IT infrastructure. Measures from the compliance team, including regular risk assessments and the creation of mitigation policies will go a long way in facilitating DORA compliance.

  • Fast-track incident reporting and cooperation with authorities

If a financial firm suffers a major ICT-related incident, it is required to report it to its competent national authority within the prescribed deadlines. The authority can then oversee the response so that the disruption is resolved without significant wider repercussions. Financial firms must therefore have mechanisms in place to share incident information with the authorities promptly, so that the response can be coordinated.

  • Promote iteration and improvement in resilience.

Financial firms need to foster a culture of regular operational resilience testing. By repeatedly simulating disruptions, firms and their compliance teams become better at identifying, tracking, logging, categorizing, and classifying issues, so that they stay ahead of incidents that could bring operations to a halt.

  • Mitigate third-party risk

Per DORA requirements, financial firms must include the third-party ICT systems they rely on when assessing their risk exposure. Consequently, compliance teams are responsible for ensuring that platforms used for business communication, including digital channels such as social media and instant messengers, are vetted against DORA requirements before use.

Navigating DORA: The Role of Compliant Digital Communications

DORA lays out clear guidelines for how financial firms must handle communication around ICT-related incidents.

Crucially, per Article 14,

  • Financial firms must have a crisis communication plan that enables responsible disclosure of at least major ICT-related incidents or vulnerabilities to clients and counterparts, and to the public where appropriate.
  • Financial firms must implement communication policies for internal staff and for external stakeholders, distinguishing between staff involved in ICT risk management (in particular those responsible for incident response and recovery) and staff who simply need to be kept informed.
  • At least one person must be tasked with implementing the communication strategy for ICT-related incidents and with handling the public and media function for that purpose.

How off-channel communication compliance can make a difference

Along with following DORA guidelines, financial firms should follow several best practices for digital communication so that their operational resilience is not undermined by unmanaged channels, including:

  • Monitoring off-channel communication for data leakage by employees, such as confidential or client data sent over unapproved channels
  • Ensuring that the communication channels in use, especially devices and applications that have not been issued by the company, encrypt messages with strong, well-vetted cryptography rather than relying on unverified claims of security
  • Ensuring that communication on these platforms complies with company and industry policy, so that incidents that could lead to operational disruption are prevented
  • Establishing efficient reporting mechanisms so that users of third-party communication platforms can bring potential disruptions or cyber threats to the attention of management or the compliance team
  • Training employees to recognize cyber threats (such as phishing) and non-compliant activity on off-channel communication platforms
  • Keeping comprehensive records of incidents, especially those arising from third-party, off-channel solutions, so that the compliance team can learn from them and be prepared the next time

Conclusion

By 17 January 2025, compliance teams have to raise their firm's operational resilience to meet DORA requirements. As best practices, they should prioritize transparency and efficiency in identifying and resolving ICT-related incidents, and sound data governance to protect consumer information. Investing in employee training, incident monitoring systems, and the personnel to operate them will go a long way in bolstering a firm's DORA compliance efforts.

One of the most effective ways to ensure that incidents and potential threats are reported and documented by employees is to implement a communication compliance system, such as the TeleMessage mobile archiver. Compliance teams can use the solution to monitor employee communication and ensure timely incident reporting, risk identification, and supervision when a potentially disruptive incident occurs. Captured conversations are encrypted, and the service operates under SOC 2 controls (note that SOC 2 is an audit framework for a service provider's controls, not an encryption standard, so the two protections are distinct). Additionally, the system can alert the compliance team when potentially non-compliant information is shared on monitored platforms. Most importantly, the solution retains communications to serve as a "single source of truth" during audits or legal proceedings associated with DORA compliance.

To know more about how the enterprise messaging compliance solution can help you get started with your DORA compliance efforts, contact us for a demo.

About TeleMessage

TeleMessage captures and retains mobile content, including SMS messages, voice calls, WhatsApp, and WeChat conversations, from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.

Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
