As we approach the new year, businesses in the financial sector must prepare for the implementation of the European Union's (EU) Digital Operational Resilience Act (DORA) scheduled to take affect in late 2024, early 2025. This groundbreaking legislation will bring significant changes, not just within the EU but also for global entities interacting with the region's financial market. Here's what you need to know about DORA and its impact on businesses, both inside and outside the EU.
Key Aspects of DORA
1. Scope and Aim: DORA targets financial entities (FEs) like banks, insurance companies, and investment firms, as well as their information and communication technology service providers (ICTSPs). The act aims to bolster the IT security and operational resilience of these entities.
2. Comprehensive Risk Management Rules:** DORA introduces uniform requirements for the security of network and information systems, applicable across all EU Member States. These include rigorous ICT risk management, incident reporting, resilience testing, and reviewing contracts with ICTSPs.
3. Interaction with Other EU Laws: DORA complements existing regulations like the Payment Services Directive, the General Data Protection Regulation (GDPR), and the Data Governance Act (DGA). Entities must navigate these overlapping legal frameworks harmoniously.
4. Requirements for ICTSPs: ICTSPs supporting FEs and considered critical or important will be mandated to establish a subsidiary within the EU. This requirement reflects the EU's focus on closer oversight and control of essential ICT service providers.
5. New Oversight Framework: DORA establishes a new oversight framework for critical ICTSPs, involving regular monitoring and the potential for direct intervention by EU financial authorities.
Implications for Businesses
- Enhanced ICT Risk Management: FEs will need to strengthen their internal governance and control frameworks to manage ICT risks effectively.
- Incident Response and Reporting: Entities must have robust mechanisms for detecting and responding to ICT-related incidents, along with comprehensive incident reporting procedures.
- Third-Party Risk Management: The relationships between FEs and ICTSPs will be scrutinized more closely, requiring diligent vendor management and contract review processes.
- Global Impact: DORA's reach extends beyond the EU. Non-EU companies operating as FEs or providing ICT-related services to EU FEs will need to evaluate whether they fall under DORA’s scope.
Preparing for DORA
Businesses must start preparing now to ensure compliance by the 2025 deadline. This includes reviewing and updating ICT risk management policies, enhancing incident response capabilities, and reassessing relationships with ICTSPs. Companies outside the EU should also assess their exposure to DORA and take necessary steps to comply, including the potential establishment of an EU subsidiary.
The EU's DORA represents a significant shift towards a more resilient and secure digital financial landscape. Businesses must proactively adapt to these changes, not only to comply with the new regulations but also to safeguard their operations in an increasingly interconnected global financial system.
#DORA #EURegulations #CyberResilience #FinancialSector #Compliance