Paweł Ładna on the DORA regulation
The DORA (Digital Operational Resilience Act) regulation is currently a key cybersecurity topic affecting the financial sector across the European Union. What does it consist of? What will it change? Paweł Ładna, Cybersecurity Consultant at Safesqr, answers these questions.
What, basically, is DORA?
The DORA regulation aims to unify existing regulations and better control the financial market in the European Union. It introduces new possibilities for EU regulators and supervisors, allowing them to audit entities and third parties that process their data. A financial entity will be required to check its suppliers, and when they fail to meet security requirements, they can face large penalties.
An important part of it is the establishment of targeted quality requirements aimed at protecting, detecting, deterring, remediating and repairing ICT incidents. DORA will take effect in each member country as of January 17, 2025.
Why was there a need for this regulation?
It will fill in the gaps and ambiguities that existed before and direct financial institutions to follow the same consistent approach to ICT risk. It will certainly affect confidence in the European financial system and its stability, and maintain a strong relationship between the financial sector and the EU’s overall cybersecurity vision.
How do you see the future of cybersecurity after the introduction of the DORA regulation?
DORA is linked to the European Critical Infrastructure Directive, which is still under development. If the ECI comes into force, both regulations will strengthen requirements for cybersecurity and critical infrastructure resilience, including for non-cyber threats. Together with the amendment of the UKSC, they will bring us to a world where cybersecurity is becoming one of the dominant aspects of many different industries.
How will DORA affect Polish financial institutions?
They will have to vet their suppliers for cybersecurity. If an institution operates an entity that is critical to the state’s infrastructure, it will have to provide additional security measures, which will be an incentive to provide the highest standard of cybersec services so that it can “bite” as much of the market as possible. This means that organizations will have to choose the only right one out of the available options for building cybersecurity: good instead of cheap.