EBA/DORA Validation for Financial Institution

Regulatory Context: EBA and DORA

The New Digital Resilience Framework

The European financial sector faces significant regulatory transformation in technology risk matters. DORA (Digital Operational Resilience Act) establishes a harmonized framework that goes beyond previous EBA guidelines.

Key DORA Requirements

5 Fundamental Pillars:

1. ICT Risk Management (Chapter II)
2. ICT Incident Management (Chapter III)
3. Resilience Testing (Chapter IV)
4. ICT Third-Party Management (Chapter V)
5. Information Sharing (Chapter VI)

Implementation by Pillar

Maturity Evolution

Pillar	Initial	Final	DORA Target
ICT Risk Management	52%	94%	90%
Incident Management	48%	92%	90%
Resilience Testing	23%	85%	80%
Third-Party Management	34%	88%	85%
Information Sharing	12%	78%	75%
Global	45%	87%	85%

ICT Third-Party Management

Provider Classification:

provider_classification:
  critical:
    criteria:
      - supports_critical_functions: true
      - difficult_substitution: true
      - high_operational_impact: true
    controls:
      - enhanced_due_diligence
      - annual_audits
      - detailed_exit_plans
      - continuous_monitoring

  important:
    criteria:
      - supports_important_functions: true
    controls:
      - standard_due_diligence
      - periodic_reviews
      - contingency_plans

Updated Contracts:

• 34 contracts with DORA clauses
• Audit rights included
• Documented exit plans
• Formalized security SLAs

Project Results

Tangible Benefits

Risk Reduction:

• Residual ICT risk: -45%
• Detection time: -67%
• Response time: -58%
• High-risk third parties: -67%

Operational Efficiency:

• Automated processes: +340%
• Manual reporting eliminated: 90%
• Eliminated duplications: 23 processes

This project positioned the institution not just to comply with DORA, but to turn digital operational resilience into a competitive advantage, demonstrating to customers and regulators its commitment to security and service continuity.