Navigating the Digital Operational Resilience Act

Catherine Castaldo, Christian Leuthner and Asélle Ibraimova break down DORA, the Digital Operational Resilience Act, which is new legislation that aims to enhance the cybersecurity and resilience of the financial sector in the European Union. DORA sets out common standards and requirements for these entities so they can identify, prevent, mitigate and respond to cyber threats and incidents as well as ensure business continuity and operational resilience. The team discusses the implications of DORA and offers insights on applicability, obligations and potential liability for noncompliance. This episode was recorded on 17 January 2025. ----more---- Transcript:  Intro: Hello, and welcome to Tech Law Talks, a podcast brought to you by Reed Smith's Emerging Technologies Group. In each episode of this podcast, we will discuss cutting-edge issues on technology, data, and the law. We will provide practical observations on a wide variety of technology and data topics to give you quick and actionable tips to address the issues you are dealing with every day.  Catherine: Hi, everyone. I'm Catherine Castaldo, a partner in the New York office of Reed Smith, and I'm in the EmTech Group. And I'm here today with my colleagues, Christian and Asélle, who I'll introduce themselves. And we're going to talk to you about DORA. Go ahead, Christian. Christian: Hi, I'm Christian Leuthner. I'm a Reed Smith partner in the Frankfurt office, focusing on IT and data protection law.  Asélle: And I'm Asélle Ibraimova. I am a council based in London. And I'm also part of the EmTech group, focusing on tech, data, and cybersecurity.  Catherine: Great. Thanks, Asélle and Christian. Today, when we're recording this, January 17th, 2025, is the effective date of this new regulation, commonly referred to as DORA. For those less familiar, would you tell us what DORA stands for and who is subject to it? Christian: Yeah, sure. So DORA stands for the Digital Operational Resilience Act, which is a new regulation that aims to enhance the cybersecurity and resilience of the financial sector in the European Union. It applies to a wide range of financial entities, such as banks, insurance companies, investment firms, payment service providers, crypto asset service providers, and even to critical third-party providers that offer services to the financial sector. DORA sets out common standards and requirements for these entities to identify, prevent, mitigate, and respond to cyber threats and incidents as well, as to ensure business continuity and operational resilience.  Catherine: Oh, that's comprehensive. Is there any entity who needs to be more concerned about it than others, or is it equally applicable to all of the ones you listed?  Asélle: I can jump in here. So DORA is a piece of legislation that wants to respect proportionality and allow organizations to deal with DORA requirements that will be proportionate to their size, to the nature of the cybersecurity risks. So, for example, micro-enterprises or certain financial entities that have only a small number of members will have a simplified ICT risk management framework under DORA. I also wanted to mention that DORA applies to financial entities that are outside of the EU, but provide services in the EU so they will be caught. And maybe just to also add in terms of the risks. It's not only the size of the financial entities that matter in terms of how they comply with the requirements of DORA, but also the cybersecurity risk. So let's say an ICT third-party service provider, the risk of that entity will depend on the nature of that service, on the complexity, on whether that service supports critical or important function of the financial entity, generally dependence on ICT service provider and ultimately on its potential to disrupt the services of that financial entity.  Catherine: So some of our friends might just be learning about this by listening to the podcast. So what does ICT stand for, Asélle?  A