DORA FAQ
NOTE: As an ICT service provider, Vercom S.A. is subject to DORA requirements exclusively within the scope of cooperation with Financial Entities, provided that a relevant DORA annex to the agreement with the given Financial Entity is concluded. The following answers describe Vercom's readiness to meet these requirements within this specific scope.
What is DORA and to what extent does it concern Vercom?
DORA (Digital Operational Resilience Act) is an EU regulation imposing an obligation on financial entities to ensure digital operational resilience, including the management of ICT third-party risk.
Vercom S.A., as an ICT service provider, is subject to DORA requirements exclusively regarding cooperation with Financial Entities, provided a relevant DORA Annex to the agreement with the given Entity is concluded. This annex specifies, among other things, mutual obligations regarding security, business continuity, incident reporting, and audit rights. We are implementing DORA standards with full commitment.
What does this mean for our Clients and Partners?
DORA imposes stringent standards regarding ICT risk management, incident reporting, and system resilience testing. By aligning our processes with these guidelines, we ensure:
Continuity of service provision even in crisis situations.
The highest level of data protection and infrastructure stability.
Transparency in relationships with suppliers and sub-processors.
Below we present a detailed breakdown of our actions.
How often do we report breaches to the Management Board?
Upon every occurrence of a breach. Additionally, we prepare a consolidated semi-annual report (CERT report) covering all incidents and corrective actions taken.
Does Vercom use a separated test environment?
Yes. The test environment is fully isolated from the production environment. New functionalities and system changes are verified exclusively in the test environment, with no impact on client data and operations. Furthermore, we utilize modern technologies (e.g., Kubernetes) that isolate individual parts of the infrastructure.
Do we perform penetration tests and infrastructure resilience tests?
Yes.
External Penetration Tests: Once a year, we subject our infrastructure to rigorous tests conducted by independent, accredited external entities. This allows for an objective assessment of the effectiveness of our security measures from the perspective of a potential attacker. We understand that key services require the highest level of transparency and specific guarantees. The detailed scope, methodology, and frequency of tests for provided services are found in the Vulnerability Management Policy.
Regular Internal Tests: Our security team conducts cyclical planned tests and ad hoc checks. This allows us to monitor system integrity on an ongoing basis.
How do we identify and remediate vulnerabilities in ICT infrastructure?
In accordance with the Vulnerability Management Policy, we conduct:
Regular scanning (Nessus Professional, SIEM – weekly/monthly);
Internal and external penetration tests (min. once/year);
Vulnerability classification based on criticality and determination of response time;
Remediation and re-testing;
Ongoing updates to documentation in the form of a Vulnerability Register.
We have implemented integration with CERT systems and the Artemis system, which cyclically scans key domains and informs about new threats and potential leaks. Automation of scanning and orchestration using dedicated tools reduces the attack surface on workstations and servers. Broad deployment of MFA is in place.
How do we implement the patch management process?
We install security updates on our resources regularly and centrally. On workstations, we are supported by solutions that allow for central management of application versions, patch distribution, and automatic installation following verification by the Security Team. Patch status is monitored via the SIEM system; devices without the required patches are identified, and this information is passed to the Security Department. Windows Server systems are updated only after the patches have been tested in the test environment.
How do we manage ICT resources?
We ensure the deployment of every component in accordance with internal procedures. This takes place in phases: from submitting a change request and approval, through security requirement testing, configuration consistent with configuration standards (CIS Benchmark), installation of protective software (XDR, Nessus Professional scans), to including the component in the asset inventory.
How do we classify ICT providers?
Providers are assigned to one of three categories based on the ICT Provider Classification Sheet:
Critical – disruption significantly impacts operations, security, or compliance; meets criteria of DORA Art. 28/31.
Important – supports important processes, but disruption does not threaten overall operations; a contingency plan exists.
Other – low operational impact, auxiliary services, easily replaceable (<6 months).
How do we manage risk from external ICT providers?
Assessment proceeds in accordance with internal procedures ensuring monitoring of providers, analysis and assessment by the Security Team before selecting a new provider, appropriate provider classification, and maintenance of a Provider Register.
What encryption and cryptography control mechanisms do we implement?
Our rules are clearly defined in internal policies. Cryptographic security regulations include: AES-256 encryption for backups, disk encryption using BitLocker, web application traffic encryption, use of SSH and VPN mechanisms, as well as securing data transmitted in transit using the TLS protocol and encrypting long-term data in the form of backups.
What logging and event monitoring mechanisms do we use?
Security logs covering servers, applications, network devices, and workstations are aggregated in a SIEM solution. The SIEM additionally performs real-time analysis, detects anomalies and potential attacks, classifies alerts by criticality, and automatically escalates critical events to the appropriate teams via the company messenger.
How is administrator access to the network and systems secured?
Administrator access requires:
Multi-Factor Authentication (MFA) (Cisco Duo);
Connection exclusively via VPN with encrypted communication.
Access to resources is always restricted solely to authorized users.
What physical security measures do we apply?
In our organization, data protection and operational continuity are built on a foundation of uncompromising security. We apply rigorous physical and technical protection measures to ensure the integrity and availability of resources at all times.
Multi-Level Access Control and Supervision
Access to critical infrastructure is strictly limited and monitored around the clock:
Authorization System: Employee badges with assigned privileges, guaranteeing access to resources only for authorized persons.
Physical Security and Monitoring: Facilities are protected by 24/7 physical security and a CCTV video surveillance system.
Alarm Systems: Infrastructure is secured by an advanced intrusion detection system, integrated with immediate response procedures.
Power Supply Continuity Guarantee
Our systems are resilient to power supply disruptions thanks to a multi-stage guaranteed power architecture:
Emergency Power: In the event of external grid failure, operational continuity is ensured by Uninterruptible Power Supply (UPS) systems and high-performance backup power sources that take over the load immediately.
Fire Protection
Technical infrastructure security is supported by certified fire suppression systems designed to protect electronic equipment, and strategically placed extinguishing units enabling rapid response in crisis situations.
Data and Media Protection
We protect data not only at the network level but also at the hardware level.
Network Segregation and Segmentation
Network separation and traffic restriction between subnets have been implemented using VRF mechanisms and Access Control Lists (ACL). The local (office) network is made available based on a wireless network secured by the WPA3 protocol. A separate, isolated Guest Network functions completely apart from the production network. The test environment is segregated with restrictive permissions and a "deny all" ACL rule, utilizing test data.
Data Storage
We utilize advanced disk arrays with high redundancy, protecting against the effects of individual component failures.
Full Encryption
All data carriers, including drives in portable computers, are subject to mandatory encryption. Thanks to this, even in the event of physical loss of equipment, data access by unauthorized persons remains impossible. Furthermore, business continuity assurance is based on foundations of the highest physical security.
Data Centers
We utilize Beyond.pl and NTT data centers, which set European standards for critical infrastructure protection. They ensure multi-level access control, round-the-clock security, alarm systems, resilience to random and environmental events, as well as compliance guarantees and certifications such as ISO 27001, EN 50600 Class 4, SOC 2 (Type II), Tier III/Tier IV, and PCI DSS. Moreover, the Data Center infrastructure provided by NTT that we use is compliant with DORA requirements. NTT DATA Inc. has been designated by the European Union as a critical ICT third-party provider in accordance with Art. 31(9) of the DORA regulation, meaning it is subject to the appropriate EU oversight mechanisms regarding operational resilience and digital service security.
Have we implemented a formal ICT change management process?
Yes, in accordance with the Change Management Policy. The process includes: change classification (standard/normal/urgent), risk assessment, testing in dev/staging/production environments, code review, version control (GitLab), monitoring, and documentation (GitLab, Jira). Rollback mechanisms and emergency change procedures are ensured.
How do we test application security before deployment?
Before deploying changes, penetration tests (internal and external) are conducted. For key changes or new functionalities, the Security Department conducts dedicated security tests to identify and eliminate vulnerabilities.
How do we manage security incident reporting?
Incident reporting is defined in internal procedures on Security Incident Management. The documentation specifies the mechanisms used for monitoring (SOC, SIEM).
CERT Vercom has also been established.
How do we monitor SLA?
A designated person supervises SLA and prepares reports. Zabbix is used to monitor service operation, enabling ongoing supervision of availability and performance. SLA reports include: downtime duration, API availability charts, downtime calculations. Reports are made available upon client request in accordance with contract terms. In the case of Financial Entities, detailed SLA parameters and reporting rules may result from the DORA Annex.
How do we manage ICT business continuity?
The organization has implemented internal procedures for ensuring business continuity and has implemented the ISO 22301 standard. Tests of both the BCP (Business Continuity Plan) and the DRP (Disaster Recovery Plan) are conducted regularly.
How do we ensure personal data protection?
We have an extensive training program that includes annual mandatory training for Employees on ISO/GDPR knowledge as well as Cybersecurity. Furthermore, following the main training sessions, Employee knowledge is verified via knowledge tests. In accordance with internal procedure, we also provide training for individual departments; they receive dedicated training consistent with the scope of their duties.
How do we exercise owners' rights regarding cessation of processing?
We exercise the rights of data subjects regarding requests to stop processing personal data in accordance with applicable laws and internal procedures – to the extent that these obligations rest upon our company as the Personal Data Controller. In a situation where our company does not act in the role of Controller (nor the processor competent to fulfill the request), we provide the applicant with information about the entity competent to consider the request and contact details enabling the direct submission of the request to that entity.
What are the conditions for covering Vercom with DORA requirements in relation to a client?
DORA requirements apply to Vercom exclusively in relationships with Financial Entities within the meaning of the DORA regulation. The condition is the conclusion of a relevant DORA Annex to the main agreement, which specifies, among other things: the scope of ICT services covered by the regulation, information and reporting obligations, the right of the Financial Entity and its supervisory authorities to audit, requirements regarding ICT sub-processors, exit strategy, and data processing location. Without concluding such an annex, Vercom is not bound by additional obligations resulting from DORA.