We live in the information age – an age defined by its creating, sharing, and storing of data. This has, of course, endowed the world many benefits – not least being the ability to quickly access information anywhere without the need for a physical copy – but in this information age it is becoming increasing critical for businesses to take seriously the very real threat of malicious online parties. The Digital Operational Resilience Act (“DORA”) is a new piece of EU legislation that has been designed to combat exactly this threat. The regulation creates a legally binding IT risk management framework for companies in the member countries’ financial sectors to follow as they go about their operations.
So how will this affect your company? What’s in the legislation? And will we see something similar written into UK law?
The aims of DORA are twofold: to fully address the IT risk present in the financial sector and to homogenise the patchwork of existing IT risk policies in its EU member states. Whereas previous EU regulation failed to address all financial firms involved in the handling of data within the finance industry, with legislation more focused on firms having enough capital to offset operational risks, DORA will bring together a universal framework that applies to all financial entities, though with proportional implementation. Smaller entities will not be held to the same high standards of major institutions.
More than this, DORA will apply to those companies that traditionally have been untouched by such legislation. Third-party service providers to finance firms, such as cloud storage or data centres, as well as third-party information services such as credit rating or data analytics providers, will also be covered by the legislation and made to report regularly on their diligence in this area. The thought here is to leave no part of the information supply chain untouched, as these third parties can often be the target for cyberattacks due to their connections to and storage of enormous datasets.
While DORA has been officially adopted by the EU, the regulators responsible for its financial system – the European Supervisory Authorities (“ESAs”) are still ironing out key details of the legislation. This is expected to be agreed some time this year, with the scheme coming into effect starting January 2025. This gives companies just under one year to adapt to the change that’s coming – so what can we expect?
DORA sets technical requirements for financial entities and IT providers in the following areas:
Once January 2025 comes around and DORA is ready to be implemented, enforcement will become the task of designated regulators in each of its member states, known here as “competent authorities”. These authorities can request financial firms to take specified security measures and remedy known vulnerabilities. They will also have the power to impose both administrative and criminal penalties on entities that fail to comply fully, though the severity of these penalties will be decided by each member state individually.
Financial and IT entities affected by the new legislation will see their management teams becoming responsible for all DORA oversight and reporting. Business owners, leaders, and board members alike will be expected to outline all known risk management strategies, actively assist in executing them effectively, and to stay up to date on their knowledge of the ICT risk landscape. These business leaders can be held personally responsible for compliance failures within their firms – so it will pay to brush up now, whether you do trade with EU bodies or are simply trying to future proof for potential copycat legislation here in the UK.
In conclusion, DORA represents a firm statement of intention from the EU, and it’s likely other governmental bodies will be watching the results carefully. Financial entities and ICT providers must proactively navigate these regulations, making use of their new management frameworks and strategic partnerships to foster a secure and lasting ecosystem. As enforcement looms, compliance with DORA will not only mitigate regulatory risks but also bolster trust and stability in the financial sector, while presenting an opportunity for well-positioned consultancies to become experts in the field.
Will your business be affected by the new regulations? Or perhaps you trade with one that will? As always, if you have any questions about your business, don’t be a stranger – get in touch.