5 Practical steps Copla recommends for smooth DORA compliance in Hungary

Sponsored content
The EU’s Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is now in force and has applied since 17 January 2025. Its aim is to ensure that financial entities and their ICT service providers across the Union can withstand, respond to and recover from ICT-related disruptions. For Hungary, this means that banks, insurers, investment firms and many intermediaries must be able to demonstrate, not just claim, that they are resilient.
In Hungary, Magyar Nemzeti Bank (MNB) acts as the supervisory authority. MNB has already updated its IT and cloud guidance to align with DORA, which means Hungarian institutions are expected to show maturity in their digital resilience programs. For firms that have already implemented MNB’s recommendations, DORA should not require starting from scratch, but rather integrating, upgrading, and documenting what exists.
Below are Copla’s five practical steps to achieve smooth compliance with DORA in Hungary.
1) Conduct a Gap Assessment and Strengthen Governance
The foundation of DORA compliance is knowing where you stand today. Organizations should map their existing resilience and cybersecurity frameworks to DORA’s five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. This gap assessment should lead to a prioritized roadmap of remediation actions.
Key tasks:
- Clarify governance. Under DORA, the management body (board or equivalent) must take full responsibility for digital resilience. This should be documented in governance charters, minutes, and KPIs.
- Rationalize policies. Many institutions maintain multiple overlapping IT, security, continuity, and outsourcing policies. DORA offers an opportunity to consolidate these into a clear, tiered structure of policies, standards, procedures, and playbooks.
- Localize compliance. Align your approach with both EU-level requirements and Hungarian supervisory expectations, ensuring MNB’s updated recommendations are fully embedded.
The main deliverable here is a gap-to-target matrix, assigning responsibility and deadlines. This becomes the living document guiding both internal progress and external inspections.
2) Strengthen ICT Risk Management with Accurate Data
DORA elevates ICT risk management to a discipline of its own. Central to this is maintaining a comprehensive and dynamic view of business services, their supporting ICT assets, and interdependencies. Without accurate data, resilience planning is little more than guesswork.
Practical measures:
- Service mapping. Identify your important business services and map them to underlying applications, infrastructure, data stores, people, and suppliers.
- Impact tolerances. Define the maximum tolerable outage (recovery time objective) and the acceptable data loss (recovery point objective) for each important service, and link these tolerances to your risk appetite and remediation strategy.
- Control library. Integrate DORA requirements into your existing control framework (e.g., ISO 27001, NIST CSF) to avoid duplication and maintain one consistent set of controls.
- Registers and inventories. Maintain an up-to-date register of ICT assets and dependencies. This becomes crucial for monitoring risks and demonstrating compliance.
Hungarian institutions already accustomed to MNB’s information security focus will find many of these elements familiar. The difference is now in proving that all registers and mappings are accurate, maintained, and used in risk decisions.
3) Prepare for Major Incident Classification and Reporting
One of the biggest shifts under DORA is the structured requirement for major ICT-related incident reporting. Financial entities must classify incidents against DORA’s criteria consistently, escalate them quickly, and report major incidents to MNB within tight timelines using the standardised templates: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the last intermediate report.
How to prepare:
- Unified severity schema. Develop a harmonized incident severity framework so that all teams (security, IT operations, business continuity) speak the same language when classifying incidents.
- Playbooks for different audiences. Create pre-approved communication templates for MNB reporting, executive updates, customer communication, and supplier escalation.
- Evidence capture. Ensure your IT systems log classification decisions, containment actions, and communication timestamps in a way that can be retrieved for regulatory inspections.
- Post-incident learning. Feed lessons learned into the risk register, track corrective actions, and close findings with documented proof.
A smooth incident management program ensures that when—not if—a disruption happens, your reporting will be compliant and your response coordinated.
4) Take Control of ICT Third-Party Risk
DORA places strong emphasis on outsourcing and ICT third-party risk management. Institutions must know who their ICT providers are, what services they deliver, and whether they are critical to important business functions.
Step-by-step approach:
- Build a supplier inventory. Document service scope, data processed, hosting locations, subcontractors, and linked business services for each ICT provider. DORA requires this to be maintained as a register of information covering all contractual arrangements with ICT third-party providers, and MNB can request it at any time.
- Classify by criticality. Identify which providers support critical or important functions. These require deeper due diligence, stricter SLAs, and formal exit strategies.
- Update contracts. Insert mandatory clauses covering audit rights, incident notification timelines, resilience testing cooperation, and termination rights.
- Ongoing monitoring. Move beyond annual questionnaires. Use dashboards and real-time metrics for critical suppliers to ensure continuous oversight.
- Cloud alignment. Since MNB has long focused on cloud risks, check that your cloud governance meets both DORA and national expectations, especially around resilience and recoverability.
A practical tool here is a supplier risk heat map, showing criticality versus residual risk. This visual helps boards make quick, informed decisions about third-party investments and mitigations.
5) Prove Resilience Through Testing and Evidence
DORA requires institutions not only to design resilience frameworks but also to prove they work through testing. Depending on size and systemic importance, this may extend to advanced threat-led penetration testing (TLPT), which DORA requires at least every three years for the entities its supervisors designate.
Practical testing program:
- Annual resilience plan. Base your testing plan on the top ICT risks and most important business services.
- Service failover drills. Test entire business services, not just individual components, to ensure end-to-end resilience.
- Exercise variety. Alternate table-top exercises for senior decision-makers with live technical drills to test systems and people under stress.
- Evidence packages. For each test, archive the plan, execution records, findings, remediation actions, and closure proofs. This creates an audit-ready evidence pack.
The key is to treat testing as a cycle: test, learn, improve, and prove. Regulators are less interested in a “perfect score” than in evidence of continual improvement.
Bringing It Together: A Practical Roadmap for Hungary
For Hungarian financial entities, DORA should be seen as a consolidation exercise rather than a completely new regime. The MNB’s strong history of ICT oversight provides a head start. The challenge now is integration, documentation, and evidence.
A pragmatic short-term roadmap could look like this:
- Weeks 1–3: Conduct a gap assessment, confirm board responsibilities, and set up a compliance deliverables register.
- Weeks 4–6: Map important services, build the supplier inventory, and define criticality criteria.
- Weeks 7–9: Finalize incident classification and reporting playbooks; begin contract remediation with critical suppliers.
- Weeks 10–13: Run resilience tests, close key findings, and publish a board-level compliance dashboard.
This sequence gives organizations both quick wins and a structured route to full compliance.
Conclusion
DORA is not just a new regulation—it’s a cultural shift toward evidence-based operational resilience. For Hungarian financial institutions, the path to compliance is manageable if approached methodically.
By following Copla’s five practical steps—governance uplift, robust ICT risk management, incident readiness, disciplined third-party oversight, and resilience testing—firms can satisfy both EU and Hungarian expectations.
Done right, DORA becomes more than a compliance exercise. It creates stronger defenses, faster recoveries, and more trust in the financial system. And in an era of escalating digital threats, that resilience is worth far more than regulatory approval.
Disclaimer: the author(s) of the sponsored article(s) are solely responsible for any opinions expressed or offers made. These opinions do not necessarily reflect the official position of Daily News Hungary, and the editorial staff cannot be held responsible for their veracity.