DORA - Understanding the new regulatory framework on digital operational resilience
In 2008, as the global financial crisis started to bite, countries, companies, and communities learned how interconnected the financial sector was. Later, to guard against a similar crisis, measures were introduced to strengthen the financial resilience of that sector. Overlooked at the time was the digital operational resilience of those same entities. The EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) goes a long way towards redressing this apparent lacuna. DORA introduces requirements across five pillars:
- ICT risk management
- ICT incident reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information and intelligence sharing
The authors argue that the new regulatory framework is substantively not new. The apparent lacuna is largely illusory, as the legal obligations contained in the first three pillars already exist elsewhere: in common law rules, in equitable principles, or codified in statute across a number of jurisdictions, including the United States (US). By reference to recent class actions in which the claimant shareholders were successful, the authors show that shareholders recovered on the basis of existing legal obligations, without recourse to DORA or any similar regime.
The authors then examine the provisions contained in the final two pillars, which are novel. Although these provisions confer additional legal obligations on firms, they also confer significant benefits. If embraced, they would be an asset not only to individual financial firms but would also have broader application for firms beyond the financial sector.
Rois Ni Thuama
Rois is a doctor of law and a subject matter expert in corporate governance, cyber governance and risk management. She is an award-winning cybersecurity expert and Head of Cyber Governance at Red Sift, one of Europe's fastest-growing cybersecurity companies. A recognised expert in the field of cyber governance, cybercrime and fraud prevention, Dr Ni Thuama is the winner of the EU Cyber Woman of the Year award and a Barclay's Tech 100 honouree. In 2022, Dr Ni Thuama was part of a select team of cybersecurity experts tasked with the revision of NATO's cybersecurity curriculum as part of the Partnership for Peace Consortium's (PfPC) Defence Education Enhancement Program, housed at the Austrian Defence Academy in Vienna. She presented on the legal implications at The Impact of Artificial Intelligence on Future Conflicts Conference in Washington D.C., United States.