Innovation, Agility and Resilience - DNA of the fittest!

Strategy, AI, digital transformation, operational resilience, cyber security, process automation, risk management and compliance are your focus domains for value creation. AI-supported disruption and geopolitical uncertainty are the new reality. Agile organizations see all of that as opportunity. People, processes and the planet are changing at a faster pace than at any time before. Sustainability, artificial intelligence and new business models are shaping the future. Without efficient use of "Digital", most businesses are at risk. Quick fix, systematic transformation or independent sparring partner to the CX team: your call. We provide tailored advisory services for your sustainable growth.

DORA RTS in EU Official journal

For your convenience we have prepared the list of technical standards related to Regulation (EU) 2022/2554 (DORA) that have been published in the EU Official Journal:

Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information

Integrity vs. Authenticity of information

Regulatory frameworks in the field of information security in 2024 particularly highlighted authenticity, in addition to the already well-known properties of information: confidentiality, integrity and availability. In practice we find that the difference between integrity and authenticity is sometimes oversimplified or misunderstood. The following note was written to clarify it. (Partially using ChatGPT.)

The concepts of authenticity and integrity refer to two different aspects of information and system security.

Authenticity

Authenticity refers to ensuring that the identities of entities (users, devices, or systems) and the origin of data or communications are reliably verified and not falsely represented. It means that organizations can trust that:

  • The users or entities accessing the systems are who they claim to be.
  • Documents, data, or communications are indeed from the rightful sender.

Examples in practice:

  • Using two-factor authentication to verify users.
  • Digital signatures that ensure a document or message is genuinely from the author.

Integrity

Integrity refers to protecting data and systems from unauthorized changes, including preventing and detecting data tampering or corruption. It ensures that:

  • Data is accurate, complete, and has not been altered without authorization.
  • Systems operate as intended without external influences or errors that could affect outcomes.

Examples in practice:

  • Using checksums (e.g., hash functions) to verify that data remains unchanged.
  • Log files that record all data changes and allow for review to detect potential manipulation.

Difference between authenticity and integrity

Authenticity focuses on reliable identification and verification of the identity of entities and the source of information.

Integrity ensures that information or systems remain unchanged and are protected from manipulation.
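The distinction above becomes concrete when a message carries both a plain checksum (integrity) and a keyed tag (authenticity). The following is an added illustration, not part of the original note; it uses an HMAC over SHA-256 as a stand-in for a digital signature (an HMAC proves origin only among parties that share the key, whereas a signature does so with a private key). The key and the payment message are constructed sample values.

```python
import hashlib
import hmac

# Constructed demo values: a shared key and a payment instruction from the rightful sender.
KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL = b'{"payee":"IBAN-PLACEHOLDER","amount":100}'


def sha256_checksum(data: bytes) -> str:
    """Integrity only: anyone can compute this value over any data."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Integrity and authenticity: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_message(key: bytes, data: bytes, checksum: str, tag: str) -> dict:
    """Verify a received (data, checksum, tag) triple with constant-time comparisons."""
    return {
        # Passes whenever data matches the checksum that travelled with it,
        # regardless of who computed that checksum.
        "integrity_ok": hmac.compare_digest(sha256_checksum(data), checksum),
        # Passes only if the tag was produced over exactly this data by a key holder.
        "authentic": hmac.compare_digest(hmac_tag(key, data), tag),
    }


def demo() -> list:
    """Three receive-side scenarios, returned as (label, result) pairs."""
    checksum, tag = sha256_checksum(ORIGINAL), hmac_tag(KEY, ORIGINAL)
    altered = ORIGINAL.replace(b"100", b"100000")  # amount changed in transit
    return [
        # 1. Unmodified message: both properties hold.
        ("unmodified", check_message(KEY, ORIGINAL, checksum, tag)),
        # 2. Altered data, original checksum and tag: both checks catch it.
        ("altered, stale checksum", check_message(KEY, altered, checksum, tag)),
        # 3. Altered data with a checksum recomputed over the altered data:
        #    the integrity check passes, so a checksum alone says nothing about
        #    origin; the keyed tag still fails because the key was never available.
        ("altered, recomputed checksum",
         check_message(KEY, altered, sha256_checksum(altered), tag)),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:30s} {result}")
```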

Both concepts are crucial for ensuring trust and security in digital ecosystems, especially in the context of the EU Digital Operational Resilience Act (DORA), which aims to increase the resilience of financial institutions to cyber and other operational threats.

DORA Q&A update 03

The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) (jointly the ESAs) have issued decision ESA 2024 22 of 08 November 2024 concerning the reporting by competent authorities to the ESAs of the information necessary for the designation of critical ICT third-party service providers in accordance with Article 31(1)(a) of Regulation (EU) 2022/2554.

This information was published on the ESMA site:

The ESAs also published, on 15 November, a list of validation rules that will be used when analysing the registers of information, together with a visual representation of the data model. These rules will be included in the updated reporting technical package (including the updated data point model, taxonomy and validation rules), which is set to be published in December 2024.

Workshop

Financial entities that would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise are invited to take part in an information workshop on 18 December 2024.

The workshop will be held virtually from 10:00 to 13:00. Interested parties can register by 16 December 2024 at the following link.

Data Governance – key principles

Data governance is a critical framework for managing and ensuring the quality, security, and effective use of data within an organization. Here are some key principles of data governance:

  1. Accountability
    Ownership: Assign clear ownership of data assets to specific individuals or roles within the organization.
    Responsibilities: Define responsibilities for data management, ensuring that all data-related activities have accountable parties.
  2. Transparency
    Data Lineage: Ensure that the origin, movement, and transformations of data are documented and traceable.
    Clear Policies: Establish and communicate clear policies and standards for data management, access, and use.
  3. Integrity
    Accuracy: Maintain data accuracy and reliability through regular validation and quality checks.
    Consistency: Ensure consistency in data definitions, formats, and standards across the organization.
  4. Compliance
    Regulatory Adherence: Comply with legal, regulatory, and industry-specific data requirements (e.g., GDPR, HIPAA).
    Auditability: Implement processes that enable data and processes to be audited for compliance.
  5. Security
    Protection: Implement measures to protect data from unauthorized access, breaches, and other security threats.
    Privacy: Safeguard personal and sensitive information, ensuring that data privacy laws and regulations are adhered to.
  6. Quality
    Data Quality Management: Continuously monitor and improve the quality of data, addressing issues like duplicates, errors, and outdated information.
    Data Stewardship: Assign roles responsible for ensuring data quality across the organization.
  7. Standardization
    Data Standards: Define and enforce consistent data standards and definitions to facilitate interoperability and integration.
    Metadata Management: Maintain comprehensive metadata that describes data characteristics, origins, and usage.
  8. Accessibility
    Ease of Access: Ensure that data is accessible to authorized users in a timely and efficient manner.
    Data Democratization: Empower users to access and use data effectively while maintaining security and compliance.
  9. Agility
    Adaptability: Allow for flexible data governance practices that can adapt to changing business needs, technology advancements, and regulatory environments.
    Scalability: Design governance frameworks that can scale with the organization’s growth and data complexity.
  10. Ethics
    Responsible Use: Promote the ethical use of data, ensuring that data practices align with the organization’s values and societal norms.
    Bias Mitigation: Identify and mitigate potential biases in data collection, processing, and analysis.
  11. Collaboration
    Cross-Functional Collaboration: Foster collaboration across departments to ensure that data governance is integrated into all business processes.
    Stakeholder Engagement: Engage stakeholders in governance activities, ensuring their needs and concerns are addressed.

These principles provide a foundation for establishing effective data governance practices, ensuring that data is managed as a valuable organizational asset.

Implementation of these principles requires synchronized effort from all key stakeholders in any organization.

Need support? Let us know.

DORA Q&A update 02

The purpose of this post is to share the facts and links about DORA with the community.

DORA act

  • Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)

RTS published and sent to the EU Commission – first batch on 17th of January 2024:

  • JC 2023 83 – RTS on criteria for the classification of ICT-related incidents
    • JC_2023_83_-_Final_Report_on_draft_RTS_on_classification_of_major_incidents_and_significant_cyber_threats.pdf
  • JC 2023 84 – RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (replaced by JC(2024) 1531).
    • JC_2023_84_-_Final_report_on_draft_RTS_to_specify_the_policy_on_ICT_services_supporting_critical_or_important_functions.pdf
  • JC 2023 85 – Implementing Technical Standards (ITS) to establish the templates for the register of information
    • JC_2023_85_-_Final_report_on_draft_ITS_on_Register_of_Information.pdf
  • JC 2023 86 – RTS on ICT risk management framework and on simplified ICT risk management framework (replaced by JC(2024) 1532).
    • JC_2023_86_-_Final_report_on_draft_RTS_on_ICT_Risk_Management_Framework_and_on_simplified_ICT_Risk_Management_Framework.pdf

Final Reports – draft RTS submitted to the European Commission on 17th July 2024:

Final Reports – draft RTS submitted to the European Commission on 26th July 2024:

  • JC 2024 53 – Final Report RTS .. to assess when subcontracting ICT services supporting critical or important functions
    • Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554;
    • JC 2024-53_Final report DORA RTS on subcontracting.pdf

The set of guidelines includes:

  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
    • JC 2024 34 Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554. EBA site;
    • JC 2024 34 Joint Guidelines pdf
  • Guidelines on oversight cooperation.

https://www.eba.europa.eu/publications-and-media/press-releases/esas-published-second-batch-policy-products-under-dora

Update to DORA regulation – Supplementing Regulation (EU) 2022/2554:

Criteria for the designation of ICT third-party service providers as critical for financial entities

  • Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. (EU) 2024/1502.

Criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents

DORA Q&A update 01

RTS published and sent to the EU Commission:

  • JC 2023 83 – RTS on criteria for the classification of ICT-related incidents
  • JC 2023 84 – RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers
  • JC 2023 85 – Implementing Technical Standards (ITS) to establish the templates for the register of information
  • JC 2023 86 – RTS on ICT risk management framework and on simplified ICT risk management framework

JC_2023_83_-_Final_Report_on_draft_RTS_on_classification_of_major_incidents_and_significant_cyber_threats

JC_2023_84_-_Final_report_on_draft_RTS_to_specify_the_policy_on_ICT_services_supporting_critical_or_important_functions

JC_2023_85_-_Final_report_on_draft_ITS_on_Register_of_Information

JC_2023_86_-_Final_report_on_draft_RTS_on_ICT_Risk_Management_Framework_and_on_simplified_ICT_Risk_Management_Framework

The deadline for the Final Report and the submission of the other draft RTS to the European Commission is 17 July 2024. The RTS listed below are still being drafted:

  • Joint draft RTS specifying elements related to threat led penetration tests – EBA link
  • Joint Technical Standards on major incident reporting – EBA link
  • Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions – EBA link
  • Joint Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities – EBA link

Final deadline for compliance:

Jan 17 2025

Digital Resilience

Digital resilience and cyber resilience are terms we often hear from executives in boardrooms and in meetings with regulators and government officials.

But what do they really mean? While there are some definitions out there, we wrote our own for digital resilience.

Digital resilience is the ability of an entity (organization, corporation, state, country) to continue its mission and deliver value even when under cyber attack or under the influence of a disruptive, digitally enabled business model, through agile and effective use of its resources to:

  • anticipate successful cyber attacks and disruptions
  • anticipate disruptive business models based on ICT
  • prepare for key scenarios relevant to digital resilience
  • build and improve resilient digital business models
  • build and improve resilient enterprise and ICT architecture
  • understand and continuously test and improve all building blocks of the enterprise and ICT architecture.

Source: Renato Burazer, CISA, CISM, CRISC, CGEIT, CISSP, Managing Partner, AREM