DORA's Wide Net: More Than Just Cybersecurity for Financial Services
The recent release of draft technical standards for the European Union’s Digital Operational Resilience Act (DORA) paints a clearer picture of its sweeping reach. While many associate DORA with cybersecurity for financial institutions, it casts a wider net, encompassing third-party providers and demanding a stronger integrated risk management approach. Let's unpack the key takeaways for businesses navigating this evolving landscape, incorporating insights from various sources.
Beyond Financial Firms: The Global Impact
DORA doesn't solely focus on European financial institutions. While directly targeting EU entities, its impact extends globally, affecting companies outside the EU that do business with them. Even non-EU companies serving critical functions for these institutions will need to comply with DORA's standards. This has significant implications for:
Global cloud service providers: Their security measures and incident response protocols will be under scrutiny, regardless of their location.
International software vendors: They'll need to demonstrate secure development practices and robust risk management, even if they primarily serve non-EU clients.
Tech consultancies with EU clients: Their cybersecurity practices and oversight of client systems will be evaluated, regardless of their headquarters' location.
Did you know?
The Digital Operational Resilience Act (DORA) becomes effective in January 2025. It impacts over 22,000 financial entities and information and communication technology (ICT) service providers across and outside the EU, setting rigorous requirements for the financial sector. This regulation enhances ICT risk management, mandates resilience testing, including threat-led penetration tests, and tightens third-party risk management to ensure consistent service delivery.
Central to DORA are five key areas:
ICT Risk Management
Incident Management and Reporting
Operational Resilience Testing
Third-Party Risk Management
Information Sharing
Source: PwC
Integrated Risk Management Takes Center Stage
DORA emphasizes the need for a holistic approach to managing digital operational resilience. This means siloed systems and fragmented risk assessments are no longer sufficient. Financial institutions must:
Map their global dependencies: Identify and assess the risks associated with all third-party relationships, including non-EU providers and potential fourth-party suppliers.
Implement robust governance: Establish clear accountability and oversight mechanisms for managing global digital risks.
Conduct comprehensive testing: Regularly test their resilience to cyberattacks and operational disruptions, including those impacting non-EU third-party providers.
Enhance incident response: Develop clear, well-rehearsed procedures for responding to incidents effectively, regardless of their origin.
Preparing for DORA's Implementation
DORA takes effect in January 2025, so proactive action now is crucial. Wheelhouse Advisors recommends the following steps:
Review DORA's requirements: Gain a thorough understanding of the regulations and their implications for your organization, regardless of your location.
Assess your current state: Identify any gaps in your IT security, risk management, and third-party oversight practices, including non-EU relationships.
Develop a compliance roadmap: Create a comprehensive plan to address identified gaps and ensure timely compliance, considering global dependencies.
Engage with all third-party providers: Ensure their awareness of DORA and their commitment to compliance, regardless of their location.
Compliance with DORA may seem daunting, but it's an opportunity to strengthen your digital resilience and build a more secure, reliable foundation for your global business. By taking action now, you can navigate the new regulatory landscape with confidence and emerge as a leader in operational resilience. Wheelhouse Advisors is here to guide you through this evolving regulatory landscape, regardless of your location. Contact us today to discuss your specific needs and develop a tailored DORA compliance strategy.
Disclaimer: This blog article is for informational purposes only and does not constitute legal advice. Please consult with qualified legal counsel for guidance on interpreting and complying with DORA regulations.
Sources:
Catherine Stupp, "Financial Firms Expect Big Changes from European Cyber Rules," Wall Street Journal, February 13, 2024
"ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification," European Banking Authority, press release, January 17, 2024
"One year to go on DORA! Why financial services should get ready now," FinExtra, January 17, 2024