The impact and implications of DORA
“Security is not a choice anymore… it’s time for a significant evolution in thinking and behavior”
This article was featured in Issue 6 of Orbit TRC Magazine, Global Relay’s exclusive publication focusing on Technology, Risk, and Compliance.
We have become so used to developments being described as “game-changers” that the term has lost its impact. Get to know DORA, though, and you will be left in no doubt that nothing will be the same again for how financial services firms manage digital risk.
DORA is the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554). It entered into force in January 2023 and applies from 17 January 2025, by which date financial entities must be in full compliance. The key phrase is that firms must “adopt a broader view of resilience, with accountability firmly established at senior management level”. The full text is published in the Official Journal of the European Union and, because DORA is a Regulation rather than a Directive, it applies directly in every member state without national transposition. That means that if you are a financial entity operating in any EU member state, or you provide ICT services to one, it reaches you.
DORA builds on the rigorous approach already familiar from critical infrastructure protection regimes and applies it to the financial sector. It requires financial entities to manage ICT risk under the supervision of their financial supervisors, and it creates a separate, EU-level oversight framework under which the European Supervisory Authorities can directly oversee the critical ICT third-party providers (CTPs), including cloud providers, on which the sector depends.
Everyone in financial services and regulation needs to grasp the implications. Understanding DORA means knowing not only how to comply with the regulation but also embracing the thinking behind it. Technological advances have made the world a far more connected place, and DORA recognizes and addresses the fact that each of us is now far more likely to be affected by something that happens elsewhere in a system we are linked to. The convenience of being connected comes with risk. It is no longer possible to operate in an isolated space, so our approach must start from a recognition of that connectedness.
What that means, for example, is that ICT-related incidents can no longer be kept quiet on grounds of business confidentiality. DORA requires financial entities to report major ICT-related incidents to their competent authority and, where a major incident affects clients’ financial interests, to inform those clients without undue delay. It also establishes a framework for financial entities to exchange cyber threat information and intelligence with one another, so that knowledge of an attack on one firm can help protect others.
And remember, DORA is a framework based on legal requirement.
That is the crux of the “broader view”. DORA is built around five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Those pillars not only require significantly more detail in specifying risk tolerance and identifying critical or important functions, they also establish a binding framework in primary legislation for which a firm’s management body must take “full and ultimate responsibility”. And oversight of CTPs is a pillar in itself.
What should be clear from even a basic understanding of DORA is that security is no longer a choice. Resilience and interconnectedness need to be central considerations in the way anyone in the financial services ecosystem does business. The preamble to the EU agreement observes that “the ubiquitous use of ICT systems and high digitalization and connectivity are nowadays core features” of all financial entities, before going on to say that “digital resilience has yet to be sufficiently built in their operational frameworks”.
The broader view of resilience that DORA requires is bound up with an enhanced responsibility, at management level, to ensure it is delivered. I am not overstating the case when I say this will require a significant evolution in thinking and behavior.
Orbit TRC offers a unique blend of perspectives for corporates and regulated entities on the latest developments that impact technology, risk and compliance.