What is DORA?
DORA, the Digital Operational Resilience Act, is a major change in EU financial regulation. It was published in the Official Journal of the European Union on December 27, 2022, entered into force on January 16, 2023, and applies in full from January 17, 2025.
The European Commission initially proposed this forward-looking regulatory framework in September 2020. It signaled a significant shift in the approach to digital risk management for financial entities and select ICT service providers.
DORA's aim is clear: to increase digital operational resilience across the financial sector. Unlike principle-based legislation such as the GDPR, DORA sets out a detailed, prescriptive set of requirements designed to raise the operational and security capabilities of financial entities.
Key Components of DORA
Drawing from existing EU regulations, supervisory authority guidance, and global standards in security and ICT risk management, DORA sets out to harmonize qualitative criteria for ICT risk management. This is achieved through a set of regulations and standards that touch upon critical facets of digital resilience, including:
- Management of ICT Risks
The core of DORA is robust ICT risk management. It places ultimate responsibility for managing ICT risk on the management body of each financial entity (FE). Management bodies are given a specific set of duties, including maintaining sufficient knowledge and skills to understand and assess ICT risk, which DORA treats as fundamental.
FEs must also identify the ICT risks they face. The regulation requires them to implement an internationally recognized information security management system unless they qualify as microenterprises. Together these measures provide a layered approach to mitigating ICT risk and strengthening the sector's resilience.
- Oversight of Critical ICT Third-Party Providers
DORA recognizes the critical role played by third-party ICT providers in the financial ecosystem. As such, it calls for vigilant oversight of these service providers. FEs must closely monitor the risks associated with outsourcing ICT services. Moreover, contracts with these third-party providers are expected to include comprehensive provisions, ensuring that ICT risks are appropriately managed. A consistent regulatory approach across supervisory authorities is essential to harmonize the industry’s efforts.
- Reporting and Information Sharing of ICT Incidents
To enhance digital resilience, DORA establishes an incident management process that requires FEs to monitor, classify, and report ICT-related incidents. Major incidents must be reported in line with a standardized procedure and templates. This standardized approach streamlines incident management and reporting and strengthens the financial sector's capacity to respond to digital threats quickly.
- Testing and Auditing of ICT Systems and Processes
DORA introduces a programme of digital operational resilience testing. These tests, proportionate to the entity's size, business, and risk profile, are a core DORA requirement. They include vulnerability assessments and scans, open-source analyses, network security assessments, and penetration testing, among other methods, to ensure that the sector's ICT systems remain robust and resilient.
Is DORA Similar to GDPR?
In developing DORA, EU legislators drew on the GDPR. The two regulations are complementary, not mutually exclusive, and their goals overlap: the GDPR protects personal data and the rights and freedoms of data subjects, while DORA protects the security, confidentiality, integrity, and availability of the ICT systems financial entities rely on and the data those systems process.
DORA does not aim to replace existing EU data protection and privacy regulations; instead, it seeks to complement them. DORA and GDPR align in pursuing security and privacy, although they define specific scopes, roles, and responsibilities. Ensuring harmony and coordination between these two legislative frameworks will be imperative as the financial sector grapples with their simultaneous implementation.
DORA's application will have a substantial impact on financial entities and ICT service providers. These entities must begin their compliance work by mapping the obligations DORA imposes on them. A holistic approach to compliance, taking into account not only DORA but also other security and data protection obligations, is the prudent path forward.
Start Getting Value With Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets to give you immediate value and run a full risk assessment in less than 30 days.
Where DORA and GDPR Intersect
One area where DORA and GDPR intersect is the reporting of personal data breaches and ICT-related incidents. Under GDPR, organizations must report personal data breaches; under DORA, the focus is on reporting major ICT-related incidents.
The two reporting requirements are similar, but they differ in their application.
For instance, a single incident that is both a major ICT-related incident and a personal data breach must be reported to the competent authority under DORA and to the competent data protection authority under GDPR, each with its own content and template.
The timeframes also differ. GDPR gives organizations up to 72 hours after becoming aware of a personal data breach to notify the supervisory authority. DORA uses a staged regime (an initial notification, an intermediate report, and a final report) with deadlines measured in hours rather than days for the initial notification: the Commission's proposal set it at the end of the business day, and the precise deadlines are laid down in regulatory technical standards rather than in the regulation's main text.
DORA's security requirements are generally more prescriptive than GDPR's security-of-processing obligation, so measures implemented for DORA will often also satisfy GDPR's security requirements. However, DORA compliance does not imply GDPR compliance: firms must assess compliance with each regulation separately, as each law targets different aspects of similar subject matter.
DORA’s Five Pillars
DORA is anchored in five key pillars, each addressing various aspects of ICT and cybersecurity to create a comprehensive framework for digital resilience. These pillars encompass:
- ICT Risk Management: This pillar focuses on establishing resilient ICT systems and tools that minimize the impact of ICT risk. It requires comprehensive business continuity policies and disaster recovery plans, and it calls for gathering lessons from external events and from the FE's own ICT incidents to strengthen the risk management framework.
- ICT-Related Incident Reporting: DORA mandates a management process for monitoring, logging, and reporting ICT-related incidents. Incidents are classified against criteria specified by the relevant supervisory authorities, ensuring a standardized approach to incident handling.
- Digital Operational Resilience Testing: Entities must periodically test their ICT risk management framework to identify weaknesses. Entities designated by their competent authority must also carry out advanced threat-led penetration testing (TLPT) at least every three years. All testing is proportionate to the entity's size, business, and risk profile.
- ICT Third-Party Risk: To monitor risks arising from outsourced ICT services, entities must adopt a strategy on ICT third-party risk. A comprehensive regulatory approach is encouraged to ensure consistency across supervisory authorities.
- Information Sharing: DORA promotes the sharing of relevant information within the financial sector to enhance digital operational resilience. Sharing is aimed at increasing awareness of ICT risks, minimizing the spread of threats, and bolstering defensive and detection techniques. Information-sharing arrangements with trusted communities play a pivotal role in disseminating cyber-threat intelligence.
DORA – GDPR: Navigating Dual Compliance
DORA and GDPR, though distinct in their objectives, share a common goal: enhancing the privacy and cybersecurity of the digital financial sector in the European Union. Their overlapping mandates necessitate carefully considering how these regulations interconnect and how financial entities can optimize compliance with both.
Below, we explore four key steps to navigate the intersection of DORA, GDPR, and finance requirements effectively:
- Conduct an Integrated ICT and Privacy Risk Assessment:
Under DORA, FEs must regularly and comprehensively assess their ICT risk profile, identifying, classifying, and mitigating potential cyberattacks, ICT disruptions, and other digital threats. In an integrated assessment, this exercise is extended to cover data protection and privacy risks: FEs examine the scenarios in which personal data breaches could occur, including unauthorized access and data loss caused by inadequate technical measures. Combining the two assessments gives FEs a single view of their risk landscape.
- Implement Coherent ICT Policies and Procedures:
While adhering to DORA’s ICT policies and procedures, FEs should ensure they fully align with GDPR principles and obligations. This alignment extends to data minimization, data security, privacy by design and by default, and more. For instance, if FEs are required to conduct a Data Protection Impact Assessment (DPIA) under GDPR, it is likely that the security levels of ICT systems also need to be reassessed. Data-breach management policies should integrate reporting obligations stipulated by both DORA and GDPR. These policies and procedures should function seamlessly together, working as complementary gears within the same mechanism to ensure ICT and privacy security.
- Establish an Integrated ICT Privacy Oversight Mechanism:
DORA demands that FEs effectively oversee their ICT service providers, especially when outsourcing critical ICT functions or services. This oversight aligns with specific provisions set forth by DORA. Simultaneously, FEs should review their data protection agreements to ensure they encompass not only GDPR’s mandates but also the additional security, resilience, and data protection requirements introduced by DORA. An integrated approach to oversight ensures that both ICT and privacy concerns are addressed effectively, streamlining compliance efforts.
- Promote Privacy Risk Awareness in ICT and Staff:
Both DORA and GDPR emphasize the importance of training and instructions for staff in the financial sector. Employees must be well-versed in addressing ICT risks and data protection obligations. Training programs should be comprehensive, covering a broad spectrum of ICT risks, including cybersecurity threats that can compromise ICT security and potentially lead to data breaches. By providing this dual focus, FEs ensure that their workforce remains vigilant, proactive, and well-prepared to tackle the complexities of the digital financial sector.
What Lies Ahead in Your DORA Journey?
DORA and GDPR stand as essential and complementary legal instruments, offering a dual approach to safeguarding the privacy and cybersecurity of the digital financial sector in the EU.
While these regulations introduce significant complexities and challenges, financial entities and ICT service providers can benefit from an integrated approach that harmonizes their ICT risk management and data protection principles. This integration offers a pragmatic path to achieving compliance with DORA and GDPR while minimizing risks.
With DORA applying in full from January 2025, financial entities and their ICT service providers must adapt their operations to meet these intertwined compliance obligations.