So what is DORA?
DORA stands for Digital Operational Resilience Act, not the charming child cartoon character that appears when inputting the acronym in a search engine. It’s one of the latest EU sectoral cyber security legislative initiatives. It is specifically focused on the financial sector and complements horizontal cyber security requirements already in place, such as the Network and Information Security Directive (NISD) or the famous General Data Protection Regulation (GDPR).
Is DORA a legal requirement?
DORA is not EU law yet. It is a proposal from the European Commission to the co-legislators (the EU Parliament and the Council) that is currently going through the legislative process.
As this is draft legislation, what is the expectation on the likely timescales?
Although not EU law yet, DORA is nevertheless quite advanced in the EU co-decision process, which is akin to a typical two-chamber parliamentary system. It is fair to assume that sometime in 2022 DORA is going to become part of the EU legislative arsenal and, like GDPR, it will be directly applicable in each EU Member State without having to go through national parliaments.
So I assume this just applies to financial services, correct?
The answer depends on where you are in the “food chain”. If you are working for a financial institution, be that a bank, a stockbroker, or an insurance company, DORA is regulating you directly. It means that your cyber security, transparency, contractual commitments, supply chain, incident response and risk management obligations become part of what the finance regulator can scrutinize. In fact, even your choice or dependency on certain suppliers may be something the regulator could be entitled to look into.
If, on the other hand, you are part of the technology supply chain, DORA affects you directly or indirectly, depending on your role in that supply chain.
Hang on, did you say this applies to tech companies too?
If your organization is a direct supplier to financial institutions, providing them with services that, within the meaning of DORA, meet a certain criticality threshold, your organization becomes directly subject to the supervision of the relevant financial regulator. If the technology services your organization provides are not designated as critical or important, DORA still means that financial institutions will be required to demand certain terms of their suppliers. If a supplier is not willing to accept the DORA terms, such as very time-constrained breach notification requirements or invasive audit rights for customers and their regulators, the financial institutions will not be able to do business with that supplier. Realistically, this means that DORA will dictate the contractual terms and technology capabilities suppliers will need to offer to the financial industry. Even if a supplier is not directly servicing financial customers but is part of the overall supply chain to the financial industry, it is fair to assume that most of these terms will flow down indirectly as part of the subcontracting process.
You mentioned time-constrained breach notification requirements. GDPR already mandates 72hrs breach notification. Could this notification window be even shorter under DORA?
Yes, in fact considerably shorter. In the original Commission proposal it was suggested that an initial notification should happen within 2hrs from the moment a major incident was discovered, with further notification requirements as time goes by and more information is discovered. Industry has pushed back against that, and we will have to see what the final negotiated text looks like. Overall, we see efforts across the world to constrain the notification window below the 72hrs of GDPR. In the recent recast of NISD the Commission proposed an initial notification window of 24hrs.
Aren’t companies already managing cyber security and risk? What is different about DORA?
DORA builds on the European Banking Authority Guidelines on Outsourcing (EBAG), but instead of repeating the guidelines and turning them into law, it goes a lot further by introducing a system of oversight for technology service providers, mostly targeted around cloud computing, that are perceived to perform critical or important functions. Moreover, DORA requires financial institutions to build a risk management system around their information technology practices and elevates information technology risk to the same level as financial risk. DORA establishes concrete cyber security obligations, regulates contractual terms, describes the prudential role financial regulators have over cyber security, and creates requirements around supply chain risk management. Overall, it is probably the most comprehensive cyber security legislation we have seen to date from the EU.
DORA has received considerable criticism, especially for going beyond EBAG. Some consider it as requiring the creation of a cloud only for financial institutions. Others raise concerns about the competitiveness of the EU financial industry due to the increased governance and cost requirements, while others fear hidden data localization and national preferential treatment requirements. In the end, the concerns are likely to be put aside by the realities that the pandemic has placed on all of us. Cyber is critical for our societies. Finance is a critical infrastructure, and it is cyber-dependent. The pandemic and the recent geopolitical tensions, together with their cyber links, showed us what can go wrong. Therefore, both need to be regulated with clear rules and expectations.
DORA is a proposed piece of EU legislation; how is it relevant to a non-EU organization?
It is also important to remember that DORA is not just an EU initiative or, depending on your perspective, a European problem. If a non-EU financial institution is doing business in the EU or has an EU subsidiary, or a non-EU based technology company serves EU-based financial institutions remotely, then it and its supply chain are caught by DORA. Moreover, non-EU regulators look at DORA and draw inspiration from it for how their own prudential requirements should look. We are starting to see glimpses of that in places like the UK, Australia, South Africa, Singapore and Canada.
Finally, what is your advice for readers to do now, given that DORA is still being drafted and agreed upon?
The large players in technology and finance are already aware of what is coming and are starting to prepare for it. The regulators are participating in the negotiations and trying to shape them in accordance with their objectives. It is important that all stakeholders understand what DORA will mean for their business and how they will operationalize its requirements into technologies and procedures that will deliver the desired results at manageable costs.
You can view the below links for additional information on DORA: