EU’S DORA ADOPTION IS A PRESSING PRIORITY, INDIAN COMPANIES NEED TO WATCH OUT FOR THE IMPACT ON COMP

“When digital transformation is done right, it’s like a caterpillar turning into a butterfly, but when done wrong, all you have is a really fast caterpillar.” Recognising this, and the need for companies to transform digitally, the European Union (EU) proposed a regulation called the Digital Operational Resilience Act (DORA) to enhance the operational resilience of the financial sector in the EU. The regulation will apply to banks, payment service providers, central counterparties, trading venues and third-party service providers.

The DORA proposal was published in response to the European Commission’s Digital Finance Strategy (September 2020) to create one unified approach amongst regulators and the financial services industry across Europe. 

DORA’s mission is to equip the financial sector with the capability to endure, react to and recover from the negative impact of ICT (Information and Communication Technologies) incidents without disrupting critical tasks or causing inconvenience to consumers. DORA’s success depends on strict adherence to robust measures and protocols covering systems, tools and third parties. Equally, it requires appropriate operational continuity plans whose efficacy is continuously verified.

The increasing digitalisation of the financial sector and the growing interconnectivity across financial institutions and third parties make financial institutions’ operations vulnerable to internal as well as external ICT and security risks that can potentially compromise their viability. As a result, sound ICT and security risk management is key for financial institutions. DORA is supported by five pillars:

  • ICT Risk Management
  • ICT Related Incident Reporting
  • Testing Digital Operational Resilience
  • ICT Third-party Risk
  • Sharing Information to Achieve Strategic, Corporate, Operational and Reputational Objectives

Each of these five pillars is, to some degree, already part of every nation’s compliance today and overlaps partially with cyber security and network and information security. While not all the requirements are entirely new, the criteria that need to be fulfilled are now based on binding EU and national laws and regulations, and not just on ICT standards and authorities’ guidelines, which has largely been the case so far.

Impact in India

Since DORA is a regulation proposed by the EU, it is intended to apply to entities operating within the EU or providing services to its customers. However, the specific scope and extraterritorial application of DORA in countries like India would depend on the final version of the regulation, which may be subject to changes during the legislative process. 

For now, since India is not a member of the EU, it would not be directly subject to DORA. However, DORA’s applicability to India would depend on various factors, including the negotiations and discussions between the EU and India, any bilateral agreements and regulatory developments in India.

Also, it is worth noting that India has its own regulatory framework for the financial sector, which includes regulations and guidelines issued by the Reserve Bank of India (RBI) and other relevant authorities. As financial systems and technologies evolve, India can soon update its regulatory framework and adopt DORA to address cyber and digital risk under one umbrella. The successful implementation of DORA in the EU may influence other jurisdictions, including India, to consider adopting similar regulations to enhance the resilience of digital services and protect consumer interests.

Depending on the nature of business operations and interactions between entities in India and the EU, the establishment of DORA may have the following potential implications for India:

  • Compliance requirements: Indian companies providing digital services to customers in the EU, particularly financial institutions, may need to comply with additional regulatory requirements under DORA. This could include measures such as enhanced cybersecurity and risk management standards, mandatory incident reporting and business continuity planning. This could mean an increase in compliance costs for Indian companies.
  • Market access: DORA may introduce new market access requirements for Indian companies operating in the EU, particularly in the financial services sector. Indian companies may need to meet certain operational resilience and cybersecurity criteria to access EU markets. This may impact their ability to enter or expand in the EU market.
  • Data protection and privacy: DORA emphasises the importance of data protection and privacy in digital services. Indian companies operating in the EU or processing personal data of EU customers may need to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and other data protection requirements which could require additional efforts and resources.
  • Reputation and trust: Compliance with DORA could impact the reputation and trust of Indian companies operating in the EU. Non-compliance with DORA requirements or cybersecurity incidents could result in reputational damage, financial penalties and loss of customer trust. This could adversely affect Indian companies’ business operations and opportunities in the EU.

DORA’s implementation can create opportunities for Indian technology providers that offer cybersecurity, risk management and operational resilience solutions. It will be interesting to see how EU companies comply with DORA in the coming years and what implications this brings for India.


Source: The Times of India