LEXIA supports financial institutions, ICT providers, and companies with strategic services for compliance with the Digital Operational Resilience Act (DORA) and ICT risk management, integrating governance, security, contracts, and operational testing into a coherent and effective framework.
We begin with a structured analysis to assess whether the Regulation applies, then define an ICT risk management strategy that meets its requirements (ICT governance, incident management, digital resilience). Processes are organized on a multi-layer model (the “three lines of defense”), involving top management and subject to periodic review. We draft policies for incident handling, SLA criteria, business continuity plans, and internal escalation procedures, ensuring a calibrated definition of risk tolerance, KPIs, and KRIs, in line with Article 6 of the Regulation.
We ensure contractual compliance with the Regulation, preparing clauses for critical ICT providers (cloud services, outsourcing) that cover audit rights, exit plans, and corrective measures. We also support clients in conducting operational testing, from tailored penetration testing, including Threat-Led Penetration Testing (TLPT), to continuous verification of procedures, in line with the digital resilience “pillars”. Finally, we prepare organizations to manage major incident reporting and the voluntary sharing of threat intelligence, in line with the Supervisory Authorities’ directives.