Skip to content
Sign In Subscribe
The best new electronics.Reuven aronashvili

Title: Keep an Eye on DORA: Why U.S. Software and Service Providers Should Be Interested

Deregulating Open Research and Data (DORA) isn't merely a European obligation, but a global imperative.

 and  Administrator
3 min read
In a spacious conference room, a confident businessman assumes command, guiding his dedicated team...
In a spacious conference room, a confident businessman assumes command, guiding his dedicated team during a team meeting. The warm glow of overhead lights bathes the room, casting long shadows and illuminating the serious faces of the attendees.

Title: Keep an Eye on DORA: Why U.S. Software and Service Providers Should Be Interested

On January 17, the European Union's Digital Operational Resilience Act (DORA) will become enforced. This act is widely regarded as the world's most extensive and far-reaching cybersecurity regulation for the financial industry. It focuses on operational resilience, risk management, and cybersecurity within financial entities such as banks, insurance companies, investment firms, and information and communication technology (ICT) providers.

While DORA compliance may initially appear to be limited to Europe, many third-party software and service providers will also be impacted, even some based in the U.S. This is because any providers serving customers in the European Union's financial sector must comply with DORA. This becomes particularly relevant for "critical" third-party ICT service providers, those that play a central role supporting the operations of EU financial institutions.

In essence, DORA should be viewed as a global requirement rather than just a European one. As a result, tech providers should be prepared to meet these new compliance standards.

Implications and Challenges of DORA

DORA's requirements primarily focus on five areas:

  1. ICT risk management, including identification, protection, detection, response, and recovery strategies for ICT-related threats.
  2. ICT incident reporting, involving the development of processes for detecting and managing incidents.
  3. Digital operational resilience testing, such as business continuity and disaster recovery plans, along with threat-led penetration testing.
  4. ICT third-party risk management, which includes risk assessments and continuous monitoring of third-party services.
  5. Governance and oversight, requiring senior management and board involvement in ICT risk management practices.

Perhaps the most significant challenge of DORA compliance is its associated cost. ICT service providers needing to comply with this new regulation will likely need to invest more in their environments, data protection, and security programs. They will also need to comply with requirements, like those of financial institutions, such as penetration testing and threat intelligence, and ensure that their solutions align with DORA without compromising efficiency or performance. These costs can be substantial.

Business Implications of Non-Compliance

U.S.-based providers failing to take action to comply with DORA risk losing contracts with EU-based financial institutions requiring DORA compliance. These providers could also face legal and financial repercussions for non-compliance, including substantial monetary fines and criminal sanctions, up to 1% of their average daily global turnover being applied for up to six months. European Supervisory Authorities might temporarily suspend these providers' services.

Preparing for DORA

Software and service providers based in the U.S. can benefit greatly from DORA compliance, but failing to comply can potentially lead to significant losses. Here are some steps providers should already be taking to meet requirements:

  1. Thoroughly assess systems, processes, and policies to understand the necessary changes for aligning with DORA.
  2. Implement controls, such as data encryption, secure software development practices, and vulnerability assessments, to strengthen risk management frameworks.
  3. Focus on incident detection and response capabilities and procedures, ensuring their accuracy and timeliness.
  4. Conduct regular penetration testing, disaster recovery simulations, and other continuity assessments to safeguard systems from cyber threats and operational disruptions.
  5. Manage third-party risk with thorough assessments and continuous monitoring, including DORA compliance in contracts.
  6. Establish governance structures that ensure executive oversight of ICT risk management and resilience strategies.

In conclusion, being prepared for DORA is crucial for U.S.-based software and service providers aiming to continue serving European customers in the financial industry. Although DORA compliance may incur increased costs passed on to customers, those who have yet to take action to meet these requirements would be wise to consult legal and compliance experts now.

Reuven Aronashvili, a renowned cybersecurity expert, highlighted the global implications of the European Union's Digital Operational Resilience Act (DORA). He emphasized that while the act primarily applies to European financial entities and their third-party providers, it could also impact U.S.-based tech providers serving European customers.

In light of DORA, Aronashvili advised tech companies to proactively assess their systems, processes, and policies to prepare for potential changes. By implementing controls such as data encryption, secure software development practices, and vulnerability assessments, providers can strengthen their risk management frameworks and align with DORA's requirements.

Read also:

    Comments

    Related

    Latest