The European Commission first published its draft Digital Operational Resilience Act (DORA) regulation in 2020 to:
In-scope entities should not delay their regulatory compliance journey any longer. The final version of DORA was published on 16 January 2023, beginning a 24-month implementation period during which entities must implement necessary measures to meet DORA requirements.
In addition to DORA requirements, you should also monitor the publication of additional Regulatory Technical Standards (RTS), which will start being released by ESAs 12-18 months after DORA’s entry into force. The RTS must be implemented by the end of the full 24-month period when DORA will become applicable.
The current version of DORA introduces new obligations. Although the topics addressed are not completely new, they are precisely defined and have specific implementation steps. An entity’s ability to face these obligations can help to demonstrate its overall digital maturity.
Some financial industries, already regulated on topics addressed by DORA, will focus more on updating and adapting their existing measures. This is the case for the banking sector, which is already subject to comprehensive ICT and digital resilience requirements under EU Law.
For other sectors, such as Investment Management, requirements before DORA have not been as stringent, so implementation will be more intensive. If your firm is in this sector, you might need to define new measures for its specific digital environment. Correctly assessing your firm’s current level of readiness is crucial to defining an action plan that is customized for each entity in a cost/benefit approach.
The Network and Information Security (NIS) Directive is the first piece of EU-wide legislation on cybersecurity and aimed to achieve a universally high level of cybersecurity across Member States. While NIS increased Member States' cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation across the internal market. To respond to growing threats posed by digitalization and cyber-attack surges, the European Commission submitted a proposal to replace the NIS Directive with the Network and Information Security 2 (NIS2) Directive.
Both DORA and the NIS Directive cover topics aimed at increasing digital resilience in the European Union and reducing the impact of cyber incidents. However, DORA clearly states that the NIS2 Directive still applies, and overlap between NIS2 and DORA is avoided thanks to a lex specialis provision in DORA which gives it precedence over the Directive, which is lex generalis.
Even though DORA does not introduce specific personal data protection rules, it targets your information systems security, which indirectly affects firms’ GDPR compliance. DORA requirements do not take precedence over GDPR requirements but build on them, which means that GDPR provisions continue to apply.
Personal data breaches (under GDPR) and ICT-related incidents (under DORA) have similar requirements but some key differences in application. For instance, a single incident may have to be reported to the competent authority under DORA and also notified to the competent data protection authority under GDPR. The deadlines for such notifications will also differ: where GDPR allows up to 72 hours to notify after you become aware of a data breach, DORA sets a general deadline of “end of business day” to notify. This example illustrates how DORA and GDPR will interact: DORA requirements are generally broader, and compliance with them will, in many cases, mean compliance with GDPR requirements. However, your firm will still have to assess compliance with each separately, as each law targets distinct aspects of similar subject matter.
Some actors in the financial sector, such as large cross-border groups, which have a high overall level of maturity might already have a great amount of ground covered when preparing for DORA compliance.
Supervisors, however, are likely to expect better-developed capabilities from larger entities, and market-leading capabilities from entities where operational disruptions could have systemic consequences due to the criticality of their services. All entities are, therefore, likely to be challenged by DORA and the 24-month implementation period. There’s no time to waste, so begin planning for DORA implementation today.
You should now assess your readiness for meeting DORA requirements, taking your specific industry into account, to understand the complexity of your unique compliance journey.
As the ESAs develop and publish new RTS during the initial 12-18 months of the implementation period, you should also monitor each RTS and implement it once published.
Given the breadth of topics addressed by DORA, you should launch a coordinated project to cover all DORA requirements while capitalizing on your existing digital security and resilience measures. Top management support will be key to success, as DORA requires their involvement in managing digital resilience.