
DORA is finally here.

On 27 December 2022, the European Parliament published a new piece of legislation, Regulation (EU) 2022/2554, about digital operational resilience in the financial sector.

This law will come into effect on 16 January 2023.

Member states must adopt the necessary measures by 17 January 2025. So, the clock is ticking.

The act aims to tackle the growing cybersecurity threats faced by institutions like commercial banks, investment firms, insurance companies and fintech startups. It seeks to guarantee the continuity and reliability of products or services by implementing strict standards and regulating the supply chain to protect against potential threats in cyberspace.

Post-pandemic, organisations increasingly depend on technology to provide their products or services. European businesses’ ability to withstand and quickly recover from disruptions has become a critical concern – and legislators are taking notice.

What is the Digital Operational Resilience Act (DORA)?

Current global events mean we cannot overstate the importance of operational resilience in the digital age. Beyond financial losses and reputational damage, exposure to these risks can be devastating to organisations.

With DORA, regulators have built a structure that oversees operational resilience in financial institutions. This framework ensures that they can continue to provide essential services in the face of disruptions. To achieve this, DORA will hold firms accountable and require them to implement appropriate plans that foster a culture of preparedness. Locally, the Malta Financial Services Authority (MFSA) will ensure that the legislation’s key provisions are adhered to.

For the benefit of our readers, DORA differs from regulations like the General Data Protection Regulation (GDPR) or the Network and Information Systems Directive (NISD) in a few key ways:

  • GDPR regulates the handling of personal data
  • NISD regulates the security of information systems
  • DORA regulates the operational resilience of financial firms

While DORA, GDPR and NISD each address a different area of concern, they share the same objective: ensuring the security and continuity of critical products or services in the digital age. DORA therefore complements the existing regulations by giving firms a basis on which to analyse their systems, processes and controls and identify potential shortcomings. Its requirements cover five areas:

  1. ICT risk management
  2. ICT-related incident reporting
  3. Digital operational resilience testing
  4. ICT third-party risk
  5. Information-sharing arrangements

What effect will it have on businesses and consumers?

DORA is expected to have far-reaching impacts on businesses, especially those in regulated industries. How? Organisations must first conduct risk assessments and devise plans to address disruptions. Most companies will need to invest significantly in technology and staffing to ensure they have the resources to respond to these scenarios. DORA will also require firms to send regular reports to regulators outlining their operational resilience strategies, progress and testing results. This second requirement will lead to more transparency and accountability, enabling the relevant stakeholders to address potential vulnerabilities. Finally, apart from businesses, DORA will directly affect consumers by minimising disruptions to essential products or services. This, in turn, will be an important step towards better financial stability and consumer protection.

It’s 2023. How will DORA end up shaping the year ahead?

As the year progresses, more and more institutions will begin implementing DORA’s requirements. As they do so, organisations will face both opportunities and threats. Companies can quickly gain a competitive edge by demonstrating their commitment to resilient operations, and this step in the right direction can lead to increased customer loyalty. Furthermore, transparency and accountability can yield considerable cost savings by helping firms remove inefficiencies. However, smaller players in the market may be strained by the budget needed for implementation and ongoing compliance. Without the proper guidance of a trusted partner, the complexity of setting this up can be daunting for some. Good or bad, one thing is for sure: this year, DORA will bring a paradigm shift and become the industry’s de facto standard.

So, where do we go from here? How can we be ready?

If you fail to plan, you are planning to fail.

Companies must start preparing for DORA today – because the runway is not long.

To successfully navigate the uncharted waters of this regulation, businesses must not wait until the last minute. With the proper guidance and experience, you can ensure that your organisation is ready when the time comes. At ICT Solutions, our certified experts provide firms with the resources they need to ensure compliance. We help you move from your ‘as-is’ state to the ‘to-be’ state. Considering that DORA is a significant game-changer for the industry and the year ahead, access to the latest technologies is a must. Operational resilience will no longer be an option. It will be a necessity. Would you like to learn more? Get in touch with ICT Solutions today. We can help you get up to speed with how to leverage DORA to your advantage.
