Does the EU 2025 cybersecurity [DORA] law apply to those outside the EU? If yes, what are you doing?

DORA is an EU regulation.

• The full name of the regulation is:-
  • "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on
    • DIGITAL OPERATIONAL RESILIENCE FOR THE FINANCIAL SECTOR and
    • Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
  • or
• DORA came into law on 16 January 2023 and will start to apply from 17 January 2025.
• So, we all have two years to prepare.

The EU's Digital Operational Resilience Act  [Dora]

• Is a wide-ranging regulation that ensures financial institutions and their service providers are mitigating the operational risks that arise from their reliance on
  • INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT]
• It impacts contracting, legal departments, procurement, HR (for training), governance, compliance, risk and audit functions, and more.
• Organisations must begin their change management process to comply when the regulation comes into force.

DOES THE EU 2025 CYBERSECURITY LAW [DORA] APPLY OUTSIDE THE EU? AND IF YES, WHAT ARE YOU DOING?

• Suppose your organisation is outside the EU but has offices in the EU or provides services to a financial institution that offers services in the EU.
  • In that case, it's considered in scope if
• For example,
  • If you're US-based and provide services to a US-based bank, you may still be affected in some way if that bank operates in the EU.
• Whether in the EU, UK, or otherwise, all organisations should assess whether they will fall within the scope of DORA and what actions they'll need to take to comply.

For those directly in scope, there is a lot to do to comply with  

EXPLORING DORA: WHAT IS THE NEW EU LEGISLATION, AND WHO WILL IT IMPACT?

What is DORA?

In short, DORA is an EU regulation that will ensure financial institutions follow strict rules to protect their operational resilience, specifically around ICT risk.

The five critical pillars of DORA are:

• ICT risk management
• Incident reporting
• Operational resilience testing
• Managing third-party risk
• Intelligence sharing

Financial services institutions must actively manage the risks associated with their digital operations arising from their reliance on ICT, focusing on ensuring a high level of cybersecurity protection. Or suffer the consequences.

Which organisations are affected by DORA?

If you're a financial institution in the EU, DORA probably applies. There are 22,000 financial entities and ICT service providers operating in the EU that will be affected, plus many more outside.

The list is quite extensive:

• Banks
• Credit institutions
• Account information service providers
• Credit agencies
• Pension funds
• Investment firms
• Crypto firms
• Insurers
• Intermediaries
• Alternative investment fund managers
• Crowdfunding providers

Crucially, ICT third-party service providers are also affected by DORA. While the details differ, if your organisation provides services to any institution in scope, you're also in scope.

In terms of organisation size, there is a principle of proportionality.

• The bigger the risk, the greater the expectations of the regulation. This may not directly correlate with the size of an organisation, but it can be something of an indicator.
• There are also exclusions for micro-organisations (companies with less than 50 employees), and some details may vary from country to country.

How will DORA impact cybersecurity controls?

DORA explicitly states that security and ICT tools must be continuously monitored and controlled to minimise risk.

This suggests that an institution's security posture must be actively managed and its controls continuously monitored, giving organisational and cascading views of performance against cybersecurity policies and appropriate regulation.

To illustrate, article 9.1 of DORA reads:

• "For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures."
• DORA also requires that organisations set, evolve and evidence risk-based policies to ensure continued resilience. To achieve this, they must measure KPIs across their security metrics program. Many organisations will already be doing this, but it's often a manual process.
• Without advanced automation, it will be almost impossible to measure these and evidence them to a regulator continuously.

How will DORA affect the board?

• One of the crucial mandates of DORA is that boards of financial services organisations will be accountable for ICT risk, by law.
• This is a big step forward – while cybersecurity is recognised as a board-level risk, it's now codified in EU law.
• The board must also be educated in the threats and risks of their digital estate. This means that scrutiny on CISOs and other cybersecurity leaders will likely increase, as will their influence within the boardroom.

How will DORA affect the concentration of risk?

• DORA prohibits the concentration of risk and states that organisations shouldn't rely on a single service provider for business-critical processes.
• This means that if you're running Azure as your cloud service provider, all your devices are Surfaces running Windows 11, and you're reliant on MS 365 E5, you're in trouble. Because if Microsoft goes down, then your organisation will follow it.
• Under DORA, organisations will likely need to use multiple cloud service providers, a range of security vendors, etc., so that if one of them stops working, you still have others in place.

Source

• https://panaseer.com/business-blog/exploring-dora-new-eu-legislation/#:~:text=For%20example%2C%20if%20you're,it%20will%20become%20UK%20law.