DORA Compliance Checklist for Biotechnology

Implement mechanisms to promptly detect anomalous activities on ICT networks and systems including intrusion detection.

Gather intelligence on vulnerabilities, cyber threats, and ICT incidents and review post-incident analyses to improve resilience.

Implement a comprehensive ICT risk management framework as part of the overall risk management system with strategies, policies, and tools.

Maintain an up-to-date inventory of all ICT assets, systems, and their interconnections including third-party dependencies.

Deploy ICT security tools, policies, and procedures to protect ICT systems and ensure continuous data availability and integrity.

Establish comprehensive ICT business continuity plans and disaster recovery plans regularly tested and updated.

Establish a process to classify ICT incidents based on criteria including affected clients, duration, geographical spread, and data loss.

Inform clients about major ICT incidents that may affect their financial interests including measures taken to mitigate effects.

Submit initial, intermediate, and final reports to competent authorities for major ICT-related incidents within prescribed timeframes.

Perform vulnerability assessments, network security assessments, gap analyses, and compliance reviews at least annually.

Establish procedures to prioritize, classify, and remediate all issues identified during digital resilience testing.

Conduct advanced testing using threat-led penetration testing (TLPT) at least every three years for significant financial entities.

Continuously monitor ICT third-party service provider performance against agreed service levels and compliance requirements.

Develop and maintain exit plans for ICT third-party services ensuring ability to transition without disruption to business operations.

Conduct thorough risk assessments before entering into contractual arrangements with ICT third-party service providers.

Ensure ICT service contracts include provisions for SLAs, data location, audit rights, exit strategies, and subcontracting conditions.

Designate a function responsible for managing and overseeing ICT risk with appropriate independence and resources.

Ensure the management body defines, approves, and oversees implementation of the ICT risk management framework.

Consider participation in voluntary cyber threat intelligence sharing arrangements with other financial entities.

Ensure any information sharing protects business confidentiality, personal data, and competition policy requirements.