Laws to prevent and mitigate cyber risk are on the horizon

The Digital Operational Resilience Act (DORA) is gearing up to ensure that financial institutions, insurers, and banks within the EU (European Union) are better equipped and more prepared to prevent and mitigate cyber risk.  

Being able to detect and resolve digital operational risks is key to protecting the public. DORA has yet to be passed in plenary session; however, this is normally just a tick-box exercise once there is political consensus.


Who does DORA apply to? 

A provisional agreement was reached on 11th May 2022 when the EU Parliament, the European member states and the Council of the European Union voted. The legislation will make cybersecurity requirements for firms stricter as a way of reducing the risk of cyber-attacks. Businesses within the financial sector will be affected by the Digital Operational Resilience Act, but so will third parties who supply information and communications technology (ICT) services. This includes Google, Amazon, Microsoft, and other cloud platforms. These service providers must create a subsidiary within the EU if they do not already have one, so that proper oversight is possible. Under the new legislation, the European Supervisory Authorities (ESAs) are allowed to gain access to ICT service providers directly and impose sanctions if needed.


Network and Information Security (NIS) Directive 

Another cybersecurity law, addressing the same risks as DORA, was approved by the EU Parliament on Friday 13th May 2022. The directive applies to more firms and industries than just those within the financial sector. It will overlap with DORA in certain instances; however, where the provisions conflict, DORA will apply first. This directive comes after the EU member states reached political consensus to implement measures for stricter levels of cybersecurity across the EU, especially for medium and large businesses in a variety of sectors, including digital service providers, waste management, critical product manufacturing, electronic communications services, and the postal and courier networks, to name a few.


Main ways to mitigate cyber risk according to DORA 

The main goal of DORA is to enforce a regulatory framework for digital operational resilience. It mandates that all firms in scope ensure they can withstand and recover from ICT-related threats and other disruptions, in order to mitigate cyber risk.


What do firms need to do? 

Not only is DORA implementing tougher measures to mitigate cyber risk, but NIS 2 is addressing the security risks within various supply chains. It aims to establish greater accountability of senior management for non-compliance with businesses’ cybersecurity obligations.

This legislation will come into effect in a little under two years’ time, so it is recommended that companies begin preparing their compliance departments and cybersecurity systems now.

The first step would be a thorough assessment of the new requirements against current practices to identify any potential compliance gaps. This may include assessing whether the classification as a ‘critical’ ICT third-party service provider applies. If it does, it may be wise to start thinking about the compliance strategy that will need to be planned and implemented in time for the compliance window to be met.
