The Digital Operational Resilience Act (DORA) is an EU Regulation aimed at the financial sector. It contains extensive requirements that businesses need to be aware of and prepare for.
Although it will not apply directly to the UK, legislation is expected shortly to mirror the provisions. In any event, you need to be aware of the requirements if your business operates in any of the following sectors:
- Banks and financial institutions (PE houses, debt funds, alternative finance providers)
- Independent financial advisers
- Insurance providers
- Information and communication technology - such as cloud-based service or IT providers
DORA is expected to come into force in the EU in August 2022, and its aim is to harmonise security standards across EU member states to "ensure the operational resilience of the financial sector". It will also apply to UK businesses that have an EU subsidiary, or who provide services to the EU.
Anyone that fails to comply with the provisions will be liable for a significant fine of up to 1% of the annual worldwide turnover of the company per day, until compliance is achieved, for up to 6 months. By way of example, HSBC announced revenue of $49.6 billion in 2021. Were they to fall foul of the new legislation, the fine would be in excess of $135 million per day for up to 6 months, a maximum fine of $24.8 billion. This demonstrates how seriously the DORA requirements must be taken to ensure that compliance is achieved well in advance of the implementation date.
The most significant provisions of DORA, which are expected to be mirrored across other jurisdictions are:
- Regular and detailed risk management of ICT systems - to ensure continuing compliance with requirements.
- Digital operational resilience testing - to regularly test systems to identify potential weaknesses, deficiencies and gaps. The scope of the testing will vary according to the size and resources of a company or institution.
- ICT-related incident reporting - which will require an incident to be logged, classified in terms of severity, and "major" incidents reported to the relevant authorities.
- Establishing strong business recovery policies - to include disaster and recovery plans.
- Sharing information and intelligence - in relation to cyber threats and vulnerabilities identified.
- Specific contractual requirements - in contracts between ICT third-party service providers and financial entities.
In addition to DORA, there are several other important legislative changes in the pipeline worldwide which aim to build digital resilience and will significantly change the operating requirements in all markets. This legislation includes:
- The UK Telecommunications Security Act 2021 which will expand security duties for providers of public electronic networks and services covering identification and reduction of risks, incident response and breach notifications.
- EU Proposed NIS2 Directive - another political agreement reached on 13th May 2022 which will expand the sectoral base of regulation (e.g. public administration, medical devices, manufacturing, critical product manufacturing) and the nature of duties (e.g. management accountability, supply chains) with tougher enforcement measures.
- EU Proposed AI Regulation - which will introduce new cyber security rules for AI to reduce risks whilst allowing innovation.
- EU Digital Markets Act and Digital Services Acts - both aim to harmonise the law on digital services in the EU.
- Strengthening American Cybersecurity Act 2022 - focus on incident and ransomware reporting and a risk-based approach to cybersecurity management.
The legislative landscape is changing rapidly and businesses need to be prepared to avoid the huge potential fines. They should be conducting DORA Readiness Assessments at the earliest opportunity to identify risks and potential vulnerabilities in their systems. All IT policies and protocols must be reviewed, and steps taken to prepare for digital resilience testing. Procedures for reporting and classifying incidents will also be necessary, and all staff must be trained effectively on the wide range of increasing regulatory requirements.