BBH’s Whelan on global implications of EU’s DORA

The Digital Operational Resilience Act (DORA) is an EU regulation that creates an Information and Communication Technology (ICT) risk management framework for the financial sector. However, its impact will be felt globally due to the wide net of those captured either as DORA- regulated entities or their service providers located outside of Europe. Brown Brothers Harriman’s (BBH’s) Adrian Whelan deconstructs some of the complexities of the regulation as the January 17, 2025, deadline looms.

Owing to the complexity of DORA, the European Supervisory Authorities (ESAs) are releasing more details on DORA implementation in two distinct batches:

• Batch 1 was published on January 17, 2024, made up of three regulatory technical standards (RTS) and one implementing technical standard (ITS).
• Batch 2 is expected in July 2024 and is made up of four distinct regulatory technical standards, one implementation standard, and accompanying guidelines.

Two types of firms are affected by DORA – (1) those directly in scope including banks, asset managers, central securities depositories (CSDs) and (2) those deemed critical ICT providers to in scope entities. It also applies to in-scope entities’ service providers materially supporting their ICT stacks. Such organizations could include software providers, data centers and cloud providers, as well as internet and email hosts.

A firm could face a penalty of 1% of their average daily worldwide turnover for non-compliance. This period of non-compliance accrues daily for up to six months.

Three regulatory principles underpin this gargantuan regulation:

1. Convergence – common language, standards around cyber and ICT risk across the E.U.
2. Proportionality – DORA implementation may consider the size and overall risk profile of an entity as well as the nature, scale, and complexity of services.
3. Security by Design – firms should consider elements such as the design of products, services, and distribution channels. Security and proper governance to mitigate risks should be present throughout the entire life cycle of the product.

Five primary areas of activity are contained within DORA:

1. ICT Risk Management
2. Reporting of ICT related incidents
3. Digital Operational Resilience Testing
4. Thid Party Risk Management
5. Information and intelligence sharing

Six stages are outlined in the DORA implementing technical standards (ITS) as best practice when it comes to assesssing ICT risk management:

1. Identify
2. Protect and Prevent
3. Detect
4. Respond and Recover
5. Learning and Evolve
6. Communicate

Read the full article