Europe has some new rules. That’s not unusual in the land of bureaucracy (the word joins bureau, French for ‘desk’, with kratos, Greek for ‘political power’), but DORA is different. The European Union’s Digital Operational Resilience Act, in force from Friday, extends beyond the old country trading bloc to reach third-party “Information and Communication Technology” providers with European clients in financial services.
DORA defines ICT companies as those delivering “digital and data services” to internal or external users on an ongoing basis. They include cloud vendors and data centres, data analytics companies, hardware services providers, and others. Non-compliance could result in heavy fines, probably proportional to the severity of the breach. It could also damage customer relationships, so DORA awareness and action are important.
Beat the Interruptions
DORA requires regulated ICT companies to anticipate digital service interruptions and prepare resilience strategies. The plans should outline steps taken and procedures set out to minimise disruption and ensure businesses keep running smoothly.
To comply with DORA, ICT companies’ European financial-sector clients need an assurance that their digital suppliers have provisions in place that will allow them to continue to operate in cases of specific service interruptions. In other words, they need evidence of solid risk management practice.
Critical Systems
European supervisors will designate some ICT providers as “critical.” They are likely to be the ones relied upon by multiple financial services firms, like cloud providers and cellular networks. They are the ones that pose a systemic risk. Critical providers face a more onerous compliance regime, potentially including periodic audits.
DORA states: “The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools necessary to… protect all information assets and ICT assets… [and] all relevant physical components and infrastructures… to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.”
Digital Business Interruption Insurance
For any firm reliant on the digital supply chain, risk transfer through digital business interruption insurance is essential for DORA. It should be part of any such entity’s risk and resilience program, and can be structured, for example, to provide financial guarantees that sit behind service level agreements.
Coverage can even be structured to protect against the cost of DORA-related fines. Uninterrupted service is the better option, but systems that go up must (inevitably, occasionally) go down!