This is the first blog in a series that will explore various aspects of DORA, the EU’s new financial risk and cybersecurity regulation.
Government regulations may come and go, but DORA is different. Are you ready?
Since November 2022, Broadcom’s Regional Technology Officers (RTOs) have been preparing for the launch of the Digital Operational Resilience Act (DORA). By the first quarter of 2024, the European Union (EU) will have completed much of the technical tweaks and implementation details for DORA, the world’s most comprehensive and far-reaching cybersecurity regulation for the financial industry. As it inches closer to the finish line, one thing is certain: DORA will redefine the scope and global reach of cybersecurity and supply risk management regulation for the financial and the ICT industry. As I wrote in a previous blog, the clock is now ticking for financial services institutions such as banks, insurance and pension providers, and ICT providers with European operations.
DORA changes the game for any enterprise considered critical to the global supply chain supporting the European financial sector -- regardless of whether that enterprise or service is based in or outside the EU. DORA is unique because for the first time it puts certain parts of the supply chain of the EU financial services industry under the direct supervision of the EU financial services regulator.
Here are the top five things to know.
1. DORA is not just an EU initiative.
DORA’s uniform requirements for the security of network and information systems will extend beyond EU financial institutions to encompass any critical third-party vendor providing information communications technology (ICT)-related services, such as cloud platforms, data analytics, and software as a service (SaaS) offerings.
DORA is the first regulation to incorporate cybersecurity requirements, both for the financial institutions and their supply chains, within the same regulatory statute to holistically address a larger and more comprehensive issue: overall operational risk. It creates a new paradigm that, for the first time, requires the financial industry to treat cybersecurity risk at a comparable level of significance as it does financial risk. In terms of its actual security requirements, DORA basically addresses everything. It is the most comprehensive regulatory framework so far.
2. DORA is different from existing USA regulations.
Several existing ICT regulations in the United States are not laws; they take the form of an industry standard or best practice. Enterprises in the USA therefore know what they need to do and what the opportunity is, and they make the commercial decision themselves. It is up to them to decide whether, for example, they wish to sell to the federal government, depending on whether they are willing to adopt the standard or set of standards required to do so.
DORA’s design is different. It is mandatory, and its requirements, although risk-based, are considerably less flexible. It is a law in place of a choice. Enterprises can decide not to sell to EU financial institutions, but that is a much more difficult choice. DORA also regulates the supply chain, even where the provider does not sell directly to the financial institution. DORA creates a chain reaction: businesses that do not sell directly to a financial institution may still be caught within the blast radius of its reach and impact if they are part of the financial services supply chain, because the terms will be pushed down contractually.
3. DORA changes the vendor relationship.
DORA’s requirements for managing security across the supply chain are so comprehensive that they will create a symbiotic relationship between an EU financial institution and its vendors. ICT vendors will no longer be just technology suppliers to a financial institution; they will become DORA compliance partners, subject to operational resilience tests and requirements like those to which the financial institutions themselves are subject, such as penetration testing, disaster recovery and security controls.
For customer and vendor alike, the relationship will also become symbiotic in the sense that even if one party seeks an alternative to the other, the reality is that there may not be one. DORA raises the bar, but such a high bar can become a significant barrier to entering the market. There may not be many DORA-compliant alternatives, and given the investment already made in DORA compliance with an existing vendor, switching may not be worth it.
4. DORA has concentration requirements.
Another unique aspect of DORA is its requirements around concentration, which limit how much a firm can buy from the same vendor before it is considered to carry a “concentration risk”. Financial institutions should reduce their operational risk by ensuring they don’t put all their most critical eggs in one provider’s basket. Although this sounds simple in theory, it may prove complicated to execute. Customers may need a vendor to operate on more than one cloud platform to avoid concentration, especially when that platform is used to provide critical functions.
DORA’s objectives are designed to increase competition, promote digital sovereignty, and avoid vendor lock-in. But it may be tough for the market to deliver on these goals. Every financial services organization would need to reflect on its procurement mix, and every decision on moving to the cloud would need to factor in DORA compliance and supplier risk within that context.
5. Broadcom is preparing for DORA.
DORA is a law we have been monitoring since its initial proposal. We have been preparing for DORA for quite a while, even before the European Banking Authority (EBA) Outsourcing Guidelines came into effect. Since November 2022, Broadcom’s Regional Technology Officers (RTOs) have been preparing for its eventual launch. We have built strong data governance processes, we have taken the necessary steps to support our customers in meeting the EBA guidance, and we have further reinforced our security and risk management posture.
Thanks to these preparations, we have not only gained a strong understanding of DORA’s impact across the EU market ecosystem, but are also well positioned to support our financial services customers as they prepare for this new compliance journey. What I call the grand DORA experiment is about to begin, and with it the broader transformation of cybersecurity for the financial services industry and its supply chain.
Government regulations may come and go, but DORA is different.
Are you getting ready?
This is the first blog in a Broadcom series that explores the impact of DORA. Stay tuned for future blogs that dive into how DORA impacts technology, business, financial risk management, and cybersecurity worldwide. Next up: DORA and the Vendor Relationship.