On May 11, 2022, the European Union (EU) reached provisional agreement on the new Digital Operational Resilience Act (DORA). Despite the phrasing, there's nothing "provisional" about DORA. In fact, one of the world's most far-reaching cybersecurity regulations for financial services and their supply chains is mostly a done deal.
All that remains before formal adoption, expected sometime this October, is a handful of technical changes and translation into the 24 official languages of the EU's member states.
DORA represents the EU's response to the ever-increasing number of cyberattacks against financial institutions. It's designed to strengthen the security of EU financial firms, such as banks, insurance companies, investment firms, and more, by imposing resilience requirements and regulating the supply chain. But, as I noted in an earlier post, the tenets of DORA extend far beyond the EU and its financial sector.
DORA's uniform requirements for the security of network and information systems encompass not only enterprises in the financial sector but also critical third-party vendors providing information and communications technology–related services to the financial sector, such as cloud platforms and data analytics.
Indeed, DORA's reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. In fact, under DORA, both the complexity of the supply chain and the lack of an EU presence are considered risk factors.
Mandating New Regulatory Perspectives
DORA is unique in that it brings a new and different level of regulatory scrutiny to a wide variety of global enterprises. DORA's requirements mandate — not merely suggest — compliance with its provisions. Just as important, the impact of this new level of regulatory scrutiny differs depending on the point of view of the enterprise.
Financial institutions accustomed to a regulatory environment designed primarily to assess financial risk and stability will now have to take the potential risk posed by their ICT operations just as seriously. Financial institutions are accustomed to addressing risk in the form of capital requirements. DORA takes a different approach by mandating specific behavior and performance-based requirements. From the point of view of financial institutions, that elevation of risk has consequences across multiple aspects of their business, such as how they consume technology and how they transform their business by transitioning to new technologies like cloud computing. This includes overall risk management strategies and capabilities, supply chain security, and organizational staffing and policies for ensuring proper ICT risk assessment and compliance.
DORA also changes the regulatory perspective of ICT organizations. Up to now, they've been regulated primarily on data-related issues, such as data privacy and data breach notification, based on concerns about personal data and political objectives like digital sovereignty. Groundbreaking rules such as the General Data Protection Regulation (GDPR) in Europe and the more recent California Consumer Privacy Act (CCPA) in the United States come to mind.
ICT organizations might also have other regulatory obligations on security, or have been classified as critical infrastructure, depending on where they are located: for example, under the Network and Information Security Directive (NIS) in Europe, the Cybersecurity Act 2018 in Singapore, or sector-specific legislation for specialized industries, such as telecoms in the United States.
Now, if ICT companies are servicing financial institutions in the EU, they most likely will be subject to DORA as well. So, in addition to their prior regulatory frameworks, those ICT providers designated as offering a critical service will suddenly be regulated under DORA in a way that very much feels as if they are becoming extensions of the EU financial institutions they're servicing. Regardless of how one looks at it, that's a dramatic change — for both financial institutions and ICT providers.
But that's not all. DORA changes the perspective of the EU's regulatory establishment. Regulators who are experts in financial institution compliance must now extend their scope to include ICT providers offering critical services, such as cloud providers, data analytics services, and other non-financial businesses. In countries with complex regulatory structures, those regulators will also need to cooperate with other bodies tasked with regulating these additional types of non-financial industries.
Meeting the Challenges
DORA requires EU financial institutions to assess their own cybersecurity and risk management maturity. Understanding and managing their supply chain risk performance will be central to this effort.
In general, financial institutions are adept at stress tests for determining security and financial stability. Extending those kinds of tests to other organizations is a different challenge. So, for the EU's financial sector, the biggest puzzle is how to manage vendors, risk management, and operational capabilities across an ever more complex and extended supply chain.
For example, a financial institution might be headquartered in Europe but have all its support activities outsourced to businesses based in India. These support services may not technically be financial institutions. But DORA will require the financial institution to assess whether the vendor is critical to its operations and to apply the relevant DORA requirements to that relationship.
For enterprises not based in the EU, the key question is one of jurisdiction and market access. Financial institutions or ICT providers that operate solely outside the EU are not affected. But if the enterprise is a financial institution or ICT service provider servicing the EU finance sector in any way, it will most likely be subject to DORA — directly or indirectly.
Countdown to 2024
Unless something changes in the final text, DORA goes into effect 24 months after its official adoption. Realistically, that is likely to be somewhere near the close of 2024. The good news is that this provides plenty of time for organizations to prepare for compliance. Most importantly, it is a horizon that fits within a typical enterprise budget cycle.
But before that deadline sneaks up on you, start preparing now. Here are five key steps:
- Use the time until 2024 wisely.
- Understand where you are. Search, find, and identify your compliance gaps.
- Determine what you need to remediate your gaps.
- Educate and get buy-in from senior management.
- Budget for the 24 months.
The clock is ticking.