Sean Costigan


DORA - Understanding the new regulatory framework on digital operational resilience

In 2008, as the global financial crisis started to bite, countries, companies, and communities learned how interconnected the financial sector was. Later, to guard against a similar crisis, measures were introduced to strengthen the financial resilience of the financial sector. Overlooked at that time was the digital operational resilience of those same entities. The Digital Operational Resilience Act (DORA) from the EU goes a long way to redressing this apparent lacuna. DORA introduces requirements across five pillars:

  • ICT risk management
  • ICT incident reporting
  • Digital operational resilience testing
  • ICT third-party risk management
  • Information and intelligence sharing

The authors argue that the new regulatory framework is substantively not new. The apparent lacuna is largely illusory, as the legal obligations contained in the first three pillars already exist elsewhere, whether in common law rules, equitable principles, or codified law, across a number of jurisdictions, including the United States (US). By reference to recent class actions in which the claimant shareholders succeeded, the authors show that shareholders recovered on the basis of existing legal obligations, without recourse to DORA or similar legislation.

The authors examine the provisions contained in the final two pillars, which are novel. Though these provisions do confer additional legal obligations on firms, they also confer significant benefits. If embraced, they would be an asset not only to individual firms but would also have broader application to firms beyond the financial sector.

Sean Costigan

Sean is the Director of Cyber Policy at Red Sift and professor of cybersecurity at the George C. Marshall European Center for Security Studies. He is an expert in emerging security challenges and a sought-after speaker on matters of technology, national security and foresight. His current research and teaching are on the nexus of cybersecurity and hybrid threats. He is the lead author of NATO's cybersecurity and hybrid threats curricula and is widely published on national security matters. In addition to his work for the Marshall Center, he is presently serving as the Senior Adviser to the NATO/PfPC Emerging Security Challenges Study Group, where he heads cybersecurity education efforts; Publisher of Defense Press; Senior Adviser at Multivariate; and an Associate at i-intelligence.