DORA Compliance

Overview: DORA Conformity of imc Express

The Digital Operational Resilience Act (DORA) establishes comprehensive requirements for the digital operational resilience of financial institutions. imc Express meets the essential DORA pillars through its robust security architecture and established compliance practices.

1. ICT Risk Management Framework

ISO 27001 Certification as Foundation

  • Implemented: Complete Information Security Management System (ISMS)
  • Compliance Relevance: Meets DORA requirements for structured ICT risk management
  • Evidence: Certified development team with continuous security training

Defined Security Processes

  • Security Incident Management: Structured processes according to ISO 27001 for handling security events
  • Risk Assessment: Regular identification and evaluation of ICT risks
  • Governance: Clear responsibilities and escalation paths implemented

2. ICT-Related Incident Management

Incident Response Framework

  • Structured Approach: Defined processes for security events within the ISO 27001 framework
  • Stakeholder Communication: Established procedures for informing all stakeholders
  • Preventive Measures: Systematic analysis to prevent future incidents

Audit Logging and Traceability

  • Comprehensive Audit Log: Chronological recording of all system activities
  • Categorized Events: Detailed logging of authentication, user and project management
  • Compliance Support: Complete traceability for regulatory requirements

3. Digital Operational Resilience Testing

Regular Penetration Testing

  • External Expertise: Conducted by independent security experts
  • Vulnerability Assessment: Systematic identification of vulnerabilities
  • Continuous Improvement: Regular testing to strengthen defense mechanisms

Automated Security Checks

  • Code Analysis: Automatic review of entire source code for security vulnerabilities
  • Dependency Scanning: Continuous monitoring of all dependencies for known vulnerabilities
  • Container Security: Automatic verification of all container images before deployment

4. ICT Third-Party Risk Management

Secure Cloud Infrastructure

  • AWS Frankfurt: Hosting in EU region with highest security standards
  • Certified Infrastructure: AWS compliance with international standards (ISO, SOC)
  • Encrypted Data Transmission: All third-party interfaces TLS encrypted

Documented Data Flows

  • Transparent Architecture: Complete documentation of all data processing procedures
  • Subcontractor Management: Secure and encrypted connections to all partners
  • Risk Assessment: Regular evaluation of third-party risks

5. Operational Resilience

High Availability Architecture

  • Kubernetes Cluster: Automatic failover mechanisms and load distribution
  • Multi-Zone Deployment: Distribution across multiple availability zones in Frankfurt
  • Scalability: Automatic resource adjustment during load spikes

Business Continuity Management

  • Automated Backups: Frequent and routine data backups
  • Disaster Recovery: Established procedures for rapid recovery
  • Continuous Monitoring: 24/7 monitoring of critical systems

DDoS Protection and Network Security

  • AWS Shield: Professional protection against Denial-of-Service attacks
  • Web Application Firewall (WAF): Protection against cyber attacks like SQL injection
  • Intrusion Detection: Containerized security architecture with native Kubernetes tools

6. Data Protection and Encryption

End-to-End Encryption

  • Data in Transit: TLS 1.3 with AES-256-GCM encryption
  • Data at Rest: AES-256 encryption for all stored data
  • Key Management: Automatic key rotation every 12 months

GDPR Compliance

  • Privacy by Design: Integrated data protection measures in system architecture
  • User Rights: Complete support for all GDPR user rights
  • Staff Training: Regular GDPR training for the entire development team

7. Continuous Improvement

Agile Security Development

  • DevSecOps: Security as integral part of the development process
  • Continuous Monitoring: Permanent monitoring and improvement of security measures
  • Feedback Integration: Systematic incorporation of security feedback into new releases

Proactive Threat Intelligence

  • OWASP Compliance: Consideration of all OWASP standards and best practices
  • Vulnerability Management: Proactive identification and remediation of security vulnerabilities
  • Security Updates: Immediate provision of hotfixes for critical security issues