What It Is

Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is an EU regulation bolstering ICT resilience for the financial sector against disruptions like cyberattacks. Applicable to 20 financial entity types (~22,000 entities) and critical third-party providers (CTPPs), it employs a risk-based, proportional approach for harmonized management across 27 member states, entering full application January 17, 2025.

Key Components

DORA's pillars include:

• **ICT Risk Management FrameworksIdentification, mitigation, continuity plans overseen by management.
• **Incident Reporting4-hour initial, 72-hour intermediate, 1-month root-cause for major incidents (>5% users or €100k loss).
• **Resilience TestingAnnual vulnerability scans; triennial threat-led penetration testing (TLPT).
• **Third-Party Risk OversightDue diligence, contractual rights, ESAs supervision of CTPPs. Supported by Batch 1/2 RTS/ITS; no formal certification but mandatory compliance.

Why Organizations Use It

Mandatory for EU finance to avert 2% turnover fines; counters threats (74% ransomware hit). Drives resilience, systemic stability, stakeholder trust, and competitiveness amid rising incidents like CrowdStrike outage. Enables proactive cyber defense and regulatory harmonization.

Implementation Overview

Gap analyses against RTS, policy development, tool deployment (e.g., monitoring), testing programs, vendor audits. Tailored by size/complexity; key for banks/insurers/fintechs. Ongoing reviews; ESAs audits/reporting ensure adherence by 2025 deadline. (178 words)

What It Is

Capability Maturity Model Integration (CMMI) is a globally recognized process improvement framework governed by ISACA's CMMI Institute. It helps organizations enhance performance through structured practices in development, services, and acquisition. CMMI employs a maturity-based methodology with progression from ad-hoc to optimizing processes.

Key Components

• 4 Category Areas (Doing, Managing, Enabling, Improving), 12 Capability Areas, 25 Practice Areas (v2.0)
• 6 Maturity Levels (0-5) in staged representation; Capability Levels (0-3) in continuous
• Generic Practices for institutionalization (policy, planning, monitoring, evaluation)
• SCAMPI appraisals (Class A for benchmarking, B/C for evaluation)

Why Organizations Use It

• Drives predictability, reduces rework/costs, improves quality (e.g., 34-61% gains)
• Meets DoD/contract requirements; enhances procurement eligibility
• Mitigates risks via quantitative management
• Builds trust, competitive edge via certified ratings

Implementation Overview

• Phased: assessment (gap analysis), design/tailoring, pilot/rollout, appraisal, sustainment
• Suits mid-large orgs in IT/software/defense globally
• Involves training, tooling, evidence capture; SCAMPI A optional for publication