Introduction
In the world of financial regulation, keeping up with the latest requirements is crucial for maintaining compliance and ensuring operations run smoothly. One of the latest pieces of legislation set to reshape the landscape is the Digital Operational Resilience Act (DORA). This sweeping European legislation is designed to bolster the resilience of financial entities’ ICT systems against risks such as cyber threats, data breaches, and operational disruptions.
DORA Article 9, focusing on protection and prevention, demands that financial entities implement robust ICT security policies and protection measures. This article will delve into what this entails, how to implement the requirements, common pitfalls to avoid, and how Matproof can assist in the process.
Key Requirements
DORA Article 9 sets forth several key requirements for financial entities to ensure they have effective ICT security policies and protection measures in place:
Risk Assessment: Conduct a comprehensive risk assessment to identify potential threats and vulnerabilities.
ICT Security Policies: Develop and implement ICT security policies that address identified risks. These should be dynamic and updated regularly to reflect changes in the threat landscape and technology.
Policies Review and Testing: Regularly review and test ICT security policies to ensure they remain effective against new and emerging threats.
Third-Party Relationships: Ensure that third-party providers adhere to the same high standards of security as the financial entity.
Incident Reporting and Management: Implement procedures for the reporting and management of ICT security incidents.
Data Protection: Ensure that personal and sensitive data is protected in line with data protection regulations.
Training and Awareness: Promote a culture of cybersecurity awareness through regular training and updates for all staff members.
Implementation Guide
To comply with DORA Article 9, financial entities should follow these practical steps:
Conduct a Thorough Risk Assessment:
- Engage in a systematic and regular process to identify potential risks and vulnerabilities in ICT systems. This should include both internal and external threats such as cyber attacks, natural disasters, and human error.
Develop ICT Security Policies:
- Based on the risk assessment, develop ICT security policies that are clear, comprehensive, and aligned with the entity’s risk profile. These policies should cover aspects such as access control, data encryption, network security, and incident response.
Regularly Review and Update Policies:
- Keep policies current by regularly reviewing and updating them in response to new threats, changes in technology, and evolving business processes.
Manage Third-Party Relationships:
- Implement due diligence processes for selecting and managing third-party providers. This includes assessing their security measures and ensuring contractual agreements enforce compliance with DORA requirements.
Establish Incident Reporting and Management Procedures:
- Develop and implement procedures for the prompt reporting and management of ICT security incidents. This should include clear communication channels, roles and responsibilities, and steps for containment, mitigation, and recovery.
Protect Data:
- Implement robust data protection measures to safeguard personal and sensitive data in compliance with applicable data protection laws.
Promote Cybersecurity Awareness:
- Foster a culture of cybersecurity awareness by providing regular training and updates to all staff members. This will help ensure that employees are aware of potential risks and understand their roles in maintaining ICT security.
Common Pitfalls
While implementing DORA Article 9, financial entities should avoid the following pitfalls:
Neglecting to Perform Regular Risk Assessments: Failing to regularly assess risks can lead to outdated policies that are not aligned with current threats.
Lack of Policy Enforcement: Having ICT security policies in place without enforcing them can render them ineffective.
Ignoring Third-Party Risks: Relying on third-party providers without assessing and managing their security measures can introduce significant risks.
Inadequate Incident Response Planning: Without a well-defined incident response plan, financial entities may not be able to respond effectively to ICT security incidents, leading to increased damage and reputational harm.
Overlooking Staff Training: Underestimating the importance of regular training and awareness programs can leave employees vulnerable to social engineering attacks and other threats.
How Matproof Helps
Matproof’s compliance management platform simplifies the process of ensuring compliance with DORA Article 9. It offers automated tracking and evidence collection for all the requirements, including risk assessments, policy reviews, third-party assessments, and incident management procedures. Matproof ensures that financial entities maintain up-to-date records and can demonstrate compliance with DORA’s stringent requirements.