First published in The Sunday Independent 12.05.2024: EU’s new Dora regulations means your board is now responsible for digital resilience | Irish Independent
The digital transformation of the economy has brought opportunities and challenges for businesses across all sectors. From cloud computing to artificial intelligence, fintech to e-commerce, the digital landscape is constantly evolving and creating new possibilities for innovation and growth. This also means businesses need to be more resilient and prepared for the potential risks and threats that are inherent in digital platforms. Cyberattacks, data breaches, system failures, and service disruptions are just some examples of the digital operational risks that can affect business performance, function, reputation, and customer trust. That’s why the EU introduced the Digital Operational Resilience Act (Dora), a new regulation to strengthen the defences of the financial sector. Although Dora came into force in January 2022, businesses have until January 2025 to achieve compliance, with obligations being imposed on most financial entities operating within the EU, along with significant obligations being put on their third-party service providers – regardless of their location. Between now and then, it’s incumbent on boardrooms to make sure their businesses are compliant with Dora, or they risk significant penalties. Dora establishes a common set of rules and standards for managing, testing, reporting, and mitigating digital operational risk, as well as for monitoring the use of third-party service providers – essentially any important IT service that are outsourced. For businesses, this means a regulatory framework will be in place that embodies best practices for digital operations in how to use third-party service providers safely and effectively. Dora requires complete buy-in from all parts of a business or financial institution – and one challenge IT departments have traditionally faced is getting ‘real’ management buy-in. But Dora emphasises the importance of board-level engagement and the mandatory requirement that the board ‘own’ the responsibility of ensuring the business is resilient – or else risk huge fines for non-compliance.
Companies found to be in violation can face fines of up to 2pc of total annual worldwide turnover – or, in the case of an individual, a maximum fine of €1m. Financial entities that fail to report major Information and communications technology-related (ICT) incidents or significant cyber threats, as required under Dora, may also face fines. Third-party ICT service providers designated as “critical” by the European Supervisory Authorities (ESAs) may face fines of up to €5m or, in the case of an individual, a maximum of €500,000 for non-compliance. In July, the ESAs will set out its second lot of technical standards with which businesses and financial institutions need to be compliant by January 2025. Dora requires financial entities establish a sound digital operational resilience framework, with policies, procedures, tools, and governance arrangements for identifying, assessing, managing, monitoring, and reporting digital operational risk. This helps them have a clear overview of their digital risk profile and to implement measures to prevent, detect, and respond to digital incidents. It introduces a harmonised reporting mechanism for digital incidents, enabling communication between financial entities, authorities, and customers, enhancing transparency and accountability for financial institutions to minimise the impact and escalation of digital incidents.
One of the key aspects of Dora is that it requires the board of directors of financial entities to ‘own’ the responsibility of ensuring their business is Dora compliant and that they have a sound and effective framework in place. This means the board must be actively involved in the design, implementation, and oversight of the framework. The directors must have adequate knowledge, skills, and resources to fulfil their responsibilities, and must receive regular reports on the digital resilience of the organisation and its third-party service providers. Board-level engagement is crucial for ensuring compliance with Dora, as it demonstrates the leadership and commitment of the organisation to digital operational resilience and to the protection of its customers. It also ensures the organisation has a clear and consistent vision and direction for its digital operations and that it can effectively manage and mitigate digital risks and challenges. Board-level engagement fosters a culture of digital operational resilience within the organisation and promotes the awareness and involvement of all staff and stakeholders. While the frameworks, processes, testing and all of the digital resilience obligations under Dora make good business sense, the act makes this a legal obligation – and holds your board of management responsible.
