Understanding The Second Chapter of DORA
Robust incident management is not just a best practice but a regulatory requirement for financial businesses operating within and outside the EU. The Digital Operational Resilience Act (DORA) places significant emphasis on how these businesses manage, classify, and report ICT-related incidents.
Chapter 2 of DORA provides a framework for ensuring timely and effective incident handling, safeguarding the integrity and operational continuity of financial entities.
The Core Requirements
Monitoring and Management Process
Chapter 2 mandates that financial entities establish and implement comprehensive management processes for monitoring ICT incidents. This involves setting up systems to detect and log incidents in real time, ensuring that potential threats are identified before they escalate into critical issues.
Incident Classification
Classifying ICT-related incidents based on a clear and predefined set of criteria is a cornerstone of DORA’s incident management framework. This classification helps organisations prioritise their response efforts, ensuring that severe incidents are addressed promptly while less critical ones are managed appropriately. The criteria for classification should address the incident’s impact on operations, data integrity, and customer trust.
Reporting to Authorities
DORA specifies precise timeframes within which incidents must be reported to competent authorities. The current recommendations being considered are:
- Initial notification – 4 hours from the incident being classified as major, and not later than 24 hours
- Intermediate report – 72 hours, or if/when the status of the incident changes or new information about the incident becomes available
- Final report – within 1 month
This ensures that regulatory bodies are kept informed of significant issues that could affect the financial stability of the organisation or its customers. Timely reporting also facilitates coordinated responses to widespread threats, enhancing the overall resilience of the financial sector.
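To make the timeframes above concrete, here is a small deadline tracker added as an illustration; it is not part of DORA or of the original article. The points from which each window is counted are not spelled out above, so the code treats the 24-hour cap as running from detection, the 72-hour window from the initial notification, and "1 month" as 30 days from the intermediate report; all three are assumptions noted in the comments.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Windows taken from the timeframes listed above. The anchor points are
# assumptions for this example: the 24-hour cap runs from detection, the
# intermediate report from the initial notification, "1 month" is 30 days.
INITIAL_AFTER_MAJOR = timedelta(hours=4)
INITIAL_CAP_FROM_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)

@dataclass
class Incident:
    detected_at: datetime
    classified_major_at: Optional[datetime] = None  # None: not (yet) major
    submitted: dict = field(default_factory=dict)   # report name -> time sent

def incident_from_iso(detected, classified_major=None, **submitted):
    """Build an Incident from ISO-8601 strings, e.g. '2024-05-01T09:00'."""
    parse = datetime.fromisoformat
    return Incident(parse(detected),
                    parse(classified_major) if classified_major else None,
                    {name: parse(t) for name, t in submitted.items()})

def reporting_deadlines(inc):
    """Deadline per report; empty until the incident is classified as major."""
    if inc.classified_major_at is None:
        return {}
    initial = min(inc.classified_major_at + INITIAL_AFTER_MAJOR,
                  inc.detected_at + INITIAL_CAP_FROM_DETECTION)
    # Later deadlines count from the previous report's actual submission
    # when known, otherwise from that report's own deadline (worst case).
    initial_sent = inc.submitted.get("initial", initial)
    intermediate = initial_sent + INTERMEDIATE_AFTER_INITIAL
    intermediate_sent = inc.submitted.get("intermediate", intermediate)
    final = intermediate_sent + FINAL_AFTER_INTERMEDIATE
    return {"initial": initial, "intermediate": intermediate, "final": final}

def report_status(inc, now):
    """Status of each report as of `now` (ISO string): on-time/late/overdue/pending."""
    current = datetime.fromisoformat(now)
    status = {}
    for name, deadline in reporting_deadlines(inc).items():
        sent = inc.submitted.get(name)
        if sent is not None:
            status[name] = "on-time" if sent <= deadline else "late"
        else:
            status[name] = "overdue" if current > deadline else "pending"
    return status
```

Feeding the tracker the detection and classification timestamps from the incident record gives a per-report view that can be checked against the response log before each submission.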
Practical Implications
Implementing Chapter 2’s requirements involves adopting a structured approach to incident management, as follows:
- Identify
The first step is to establish a robust incident detection system. This involves deploying monitoring tools that can detect anomalies and potential security breaches in real time. These tools should be capable of logging incidents with detailed metadata, which is crucial for subsequent analysis and classification.
- Assess
Once an incident is detected, it needs to be assessed to determine its severity. This assessment should be based on predefined criteria that consider the incident’s impact on business operations, data integrity, and customer trust.
- Respond
Effective response plans are critical for minimising the impact of ICT incidents. These plans should outline the specific steps to be taken based on the incident’s classification. For high-severity incidents, this might involve activating a crisis management team, notifying affected customers, and working with authorities to contain the breach.
- Learn
After resolving an incident, it’s essential to conduct a thorough post-incident review. This review should analyse what went wrong, how the incident was handled, and what improvements can be made to prevent similar incidents in the future.
Documentation
Proper documentation is vital for demonstrating compliance with DORA. Financial entities should maintain detailed records of each incident, including detection, assessment, response, and lessons learned. This should include:
- Incident Reports: Detailed accounts of each incident, including the date and time of detection, the nature of the incident, and its classification.
- Assessment Records: Documentation of the assessment process, including the criteria used for classification and the rationale for the assigned severity level.
- Response Logs: Records of all actions taken in response to the incident, including communications with affected parties and authorities.
- Post-Incident Reviews: Detailed analyses of the incident and the response, including recommendations for improvements.