
Is your European company prepared for the Digital Operational Resilience Act (DORA)?


The DORA Regulation: Europe’s New Cybersecurity Measures


Over the last two years, the European Commission has been working on a regulation it refers to as the Digital Operational Resilience Act (DORA). In November 2022, this act was adopted by the European Council. DORA aims to promote resilience to Information, Communication and Technology (ICT)-related risk for companies doing business within the financial sector in Europe, including banks, insurance companies and investment and asset management firms. Even third-party providers that handle crucial financial data, records and information will be subject to this regulatory statute. This act follows the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), which, in 2020, created and proposed guidelines to which European financial institutions were strongly encouraged to adhere, focusing on cybersecurity measures and the implementation of independent and objective controls of data and resources within these companies.

As stated in the Council of the EU press release of May 11, 2022, “Once the DORA proposal is formally adopted, it will be passed into law by each EU member state”. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary. According to most accounts, it may take up to two years to implement the requirements associated with DORA, but companies can start early by tightening their compliance and security policies through investing in new technologies and processes.

But what does operational resilience mean with regard to DORA? Operational resilience is the result of the effective management of operational risks, which means that internal and external policies and rules are in place to prevent catastrophic incidents such as data breaches and cyber-theft. Identifying and mitigating risk, in addition to continuous monitoring and testing, are examples of ways that companies can reduce any disruption to their operations that could lead to serious consequences.

Digital Transformation in the Corporate World


The corporate landscape has dramatically changed over the last few years. A large percentage of employees now work from home at least part of the time. This means that daily digital activities are no longer on premises and significant data exchange is happening through cloud-based frameworks. This new environment inherently brings with it a higher level of cyber-risk that must be addressed more aggressively than in the past, and most of all within the financial sector, because this is the area with the highest potential gain for hackers and cyber criminals.

The regulations included in DORA will oblige financial institutions within the European Union to comply with the act by reducing, whenever and wherever possible, the weaknesses in their internal systems and processes that could increase the chance of cyber-attacks. The only way to do this is to have the proper tools, processes and directives in place, including extra vigilance over third-party organizations that have access to sensitive resources. Detailed reporting, audits and testing will become essential in monitoring the companies for whom DORA will become an obligatory practice.


DORA Regulations: The Five Targets


The focus of the Digital Operational Resilience Act will be on five main areas within ICT and information security, including:

  • Digital operational resilience
  • Risk management
  • ICT incident reporting and management
  • Information sharing
  • Third-party risk management.

Now that the act has been signed, what does this mean? It means that entities and institutions cannot and should not wait to begin ramping up for these regulations, which will be enforced approximately two years from the date of signing. Strategies must be put into place as soon as possible to be prepared for DORA’s official roll-out.


Brainwave GRC Supports DORA Directives


“DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them,” according to a press release published by the European Council on November 28, 2022. The first step in securing a company’s network and information systems is knowing, first and foremost, who has access to them, how that access was granted to them, and whether that access is legitimate.


Thankfully, there are competent companies like Brainwave GRC that provide software solutions which can be implemented today for a smooth transition tomorrow. One of our key platforms is Identity Analytics, which has been designed to help with the detection, measurement and reduction of risks related to identity and access data quality issues, providing a full understanding of access rights and the knowledge of who has access to what and to what extent.


By far, the Identity Analytics component which delivers the most immediate benefit to the business teams is the automated user access review. In addition to supporting audit requirements, performing regular access review campaigns promotes:

    • the security and protection of resources,
    • the compliance of access rights granted to employees, and
    • conformity with the current internal and external security policies and rules, including segregation of duties.

There is no better way to begin complying with the Digital Operational Resilience Act.
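To make concrete what an access review campaign has to surface (who has access, how it was granted, whether it is legitimate, and whether segregation of duties holds), here is an added, self-contained illustration. It is not Brainwave GRC code or product logic; the identities, roles, accounts, segregation-of-duties rule and reviewer assignments are all constructed for the example. It flags accounts with no owning identity, accounts of people who have left, entitlements granted directly rather than through a role, and toxic combinations, and groups the findings by the person who has to review them.

```python
"""Pre-check for a user access review campaign (added illustration, constructed data)."""
from collections import defaultdict

# Constructed identity repository: status, reviewing manager and assigned roles.
IDENTITIES = {
    "alice": {"manager": "carol", "status": "active",     "roles": {"AP_CLERK"}},
    "bob":   {"manager": "carol", "status": "active",     "roles": {"AP_CLERK"}},
    "dave":  {"manager": "erin",  "status": "terminated", "roles": set()},
}

# Constructed role model: the entitlements each role is expected to carry.
ROLE_ENTITLEMENTS = {
    "AP_CLERK":   {"ap.create_vendor"},
    "AP_MANAGER": {"ap.approve_payment"},
}

# Constructed account extract: (system, account, owning identity or None, direct grants).
ACCOUNTS = [
    ("erp", "alice",     "alice", set()),
    ("erp", "bob",       "bob",   {"ap.approve_payment"}),
    ("erp", "dave",      "dave",  {"ap.create_vendor"}),
    ("erp", "svc_batch", None,    {"ap.approve_payment"}),
]

# Constructed segregation-of-duties rule: nobody may both create vendors and approve payments.
SOD_RULES = [frozenset({"ap.create_vendor", "ap.approve_payment"})]

# Fallback reviewer for accounts that cannot be tied to a person (assumed owner name).
SYSTEM_OWNERS = {"erp": "frank"}


def effective_entitlements(identity, direct):
    """Union of role-derived entitlements and entitlements granted directly on the account."""
    granted = set(direct)
    if identity in IDENTITIES:
        for role in IDENTITIES[identity]["roles"]:
            granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


def analyse_account(system, account, identity, direct):
    """Return the review findings for one account as (finding, detail) pairs."""
    findings = []
    if identity not in IDENTITIES:
        findings.append(("orphan_account", "no identity linked to account"))
    elif IDENTITIES[identity]["status"] != "active":
        findings.append(("terminated_identity", "identity is %s" % IDENTITIES[identity]["status"]))
    # Grants outside the role model are the ones a reviewer must justify one by one.
    for ent in sorted(direct):
        findings.append(("direct_grant", ent))
    # Segregation of duties is evaluated on the effective set, roles plus direct grants.
    granted = effective_entitlements(identity, direct)
    for rule in SOD_RULES:
        if rule <= granted:
            findings.append(("sod_conflict", " + ".join(sorted(rule))))
    return findings


def build_campaign():
    """Group findings by reviewer: the manager, or the system owner for orphan accounts."""
    campaign = defaultdict(list)
    for system, account, identity, direct in ACCOUNTS:
        reviewer = IDENTITIES[identity]["manager"] if identity in IDENTITIES else SYSTEM_OWNERS[system]
        for finding, detail in analyse_account(system, account, identity, direct):
            campaign[reviewer].append({"system": system, "account": account,
                                       "identity": identity, "finding": finding, "detail": detail})
    return dict(campaign)


if __name__ == "__main__":
    for reviewer, items in sorted(build_campaign().items()):
        print("Reviewer %s:" % reviewer)
        for item in items:
            print("  %-10s %-20s %s" % (item["account"], item["finding"], item["detail"]))
```

Note that alice produces no finding at all: her only entitlement comes through her role, so there is nothing for her manager to justify individually. bob's segregation-of-duties conflict is only visible because the check combines the role-derived entitlement with the direct grant; looking at either source alone would miss it.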

Why wait? Take your first step towards compliance with the Digital Operational Resilience Act by contacting Brainwave GRC, the expert in the field of identity analytics.
