In this fireside chat, we learn about DORA from Ilias Chantzos, the Global Privacy Officer and the Head of Government Affairs programs for Europe, Middle East & Africa (EMEA) of Broadcom. He leads the global privacy program across the company’s multiple business units and regions.
So what is DORA?
DORA stands for Digital Operational Resilience Act, not the charming child cartoon character that appears when inputting the acronym in a search engine. It’s one of the latest EU sectoral cybersecurity legislative initiatives. It is specifically focused on the financial sector and complements horizontal cybersecurity requirements already in place, such as the Network and Information Security Directive (NISD) or the famous General Data Protection Regulation (GDPR).
Is DORA a legal requirement?
DORA is not EU law yet. It is a proposal from the European Commission to the co-legislatures (the EU Parliament and Council) that is currently going through the regulatory process.
As this is draft legislation, what is the expectation on the likely timescales?
It is fair to assume that sometime in 2022, DORA is going to become part of the EU legislative arsenal and like GDPR, it will be directly applicable in each EU Member State without having to go through national parliaments.
So I assume this just applies to financial services, correct?
The answer depends on where you are in the “food chain.” If you are working for a financial institution, be that a bank, a stockbroker, or an insurance company, DORA is regulating you directly. It means that your cybersecurity, transparency, contractual commitments, supply chain, incident response and risk management obligations become part of what the finance regulator can scrutinize. In fact, even your choice of or dependency on certain suppliers may be something the regulator could be entitled to look into.
If on the other hand you are part of the technology supply chain, DORA is impacting you directly or indirectly depending on your role in that supply chain.
Hang on, did you say this applies to tech companies, too?
If your organization is a direct supplier to financial institutions providing them with services that meet a certain criticality threshold, this results in your organization being subjected directly to the supervision of the relevant financial regulator. If the technology services your organization provides are not designated as critical or important, DORA still means that the financial institutions will be required to demand certain terms of their suppliers.
What about time constraints around breach notification requirements? GDPR already mandates a 72-hour breach notification. Could this notification window be even shorter under DORA?
Yes, in fact quite a bit shorter. In the original Commission proposal it was suggested that an initial notification should happen within 2 hours from the moment a major incident is discovered, with further notification requirements as time goes by and more information is discovered. Industry has pushed against that and we need to see what the final negotiation result will look like. Overall, we see efforts across the world to constrain the notification window below the 72 hours of GDPR. In the recent recast of NISD, the Commission proposed an initial notification window of 24 hours.
Aren’t companies already managing cybersecurity and risk? What’s the difference with DORA?
DORA builds on the European Banking Authority Guidelines on Outsourcing (EBAG). But instead of repeating the guidelines and turning them into law, it goes a lot further by introducing a system of oversight for technology service providers, mostly targeted around cloud computing, that are perceived to perform critical or important functions.
DORA establishes concrete cybersecurity obligations; regulates contractual terms; describes the prudential role financial regulators have on cybersecurity; and creates requirements around supply chain risk management. Overall, it is probably the most comprehensive cybersecurity legislation we have seen to date by the EU.
DORA is a proposed piece of EU legislation; how is it relevant to a non-EU organization?
It is important also to remember that DORA is not just an EU initiative or, depending on your perspective, a European problem. If a non-EU financial institution is doing business in the EU or has an EU subsidiary, or a non-EU-based technology company serves EU-based financial institutions remotely, then it and its supply chain are caught by DORA. Moreover, non-EU regulators look at DORA and get inspired about what their prudential requirements need to look like.
Finally, what would you advise readers to do now – given that DORA is still not drafted and agreed upon?
The large players in technology and finance are already aware of what is coming and have started preparing for it. The regulators are participating in the negotiations and will try to shape them in accordance with their objectives. It’s important that all stakeholders understand what DORA will mean for their business and how they will operationalize its requirements into technologies and procedures that will deliver the desired results at manageable costs.