How DORA and GDPR work together to protect financial organisations from digital threats and ensure the security of personal data.
1. Introduction
With Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience in the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, the European Union obliges financial institutions to strengthen their digital operational resilience.
The Digital Operational Resilience Act (DORA) is a cross-financial sector European regulation that consolidates and harmonises the provisions of existing sectoral European regulations and directives.
What are financial sectors?
In addition to the banking sector, the financial sector includes investment companies, leasing companies, private equity companies, asset management companies, insurance companies and central banks. The term “cross-financial sector” refers to the increased interconnectedness of the various sectors.
One of the main objectives of DORA is to ensure that financial organisations maintain full control over the risks associated with the use of information and communication technologies (ICT). To this end, firms must implement comprehensive ICT risk management. DORA requires financial institutions to establish ICT risk management that meets certain requirements; it does not prescribe in detail how those requirements are to be met. In this way, the Digital Operational Resilience Act aims to strengthen the digital resilience of financial organisations.
2. Key requirements of the DORA
The main requirements of the DORA are:
- ICT risk management: Organisations need to develop and implement robust strategies and procedures for managing information and communication technology (ICT) risks.
- ICT security requirements: Introduction and maintenance of state-of-the-art security measures to protect IT systems and data.
- Reporting obligations for ICT incidents: Obligation to notify the competent authorities of significant ICT incidents within defined deadlines.
- Monitoring of third-party service providers: Strict regulations for monitoring and controlling third-party providers who provide critical IT services.
- Resilience tests: Regularly carry out tests to check resilience to ICT threats, including penetration tests and other simulations.
Although the basic objectives and principles of IT security and risk management are similar across sectors, there are specific adaptations and requirements that are tailored to the particular needs and risks of each sector.
3. Interfaces between DORA and GDPR
There are important interfaces between DORA and data protection law, the General Data Protection Regulation (GDPR). Both regulations pursue the goal of ensuring data security and data protection, albeit from different perspectives.
The most important interfaces and their effects are described below:
3.1 Protection of personal data
| | DORA | GDPR |
|---|---|---|
| Focus: | Ensuring the operational resilience of financial organisations against digital threats, which indirectly includes the protection of personal data. | Protection of privacy and personal data of natural persons. |
| Requirements: | Introduction of robust security measures, including the protection of data integrity and confidentiality. | Regulations on the processing, storage and protection of personal data. |

Interface: Both regulations require the implementation of security measures to ensure that (personal) data is protected against unauthorised access, loss or misuse.
3.2 Notification of security incidents
| | DORA | GDPR |
|---|---|---|
| Requirements: | Requires financial organisations to report significant ICT security incidents to the relevant supervisory authorities within a short period of time. | Obliges companies to report data breaches that result in a risk to the rights and freedoms of natural persons to the supervisory authorities within 72 hours. |
| Target: | Minimising the impact of security incidents on operational resilience and the financial market. | Protection of privacy and the rights of data subjects. |

Interface: Both regulations emphasise rapid notification of incidents in order to minimise the impact on data subjects and companies. Companies must introduce mechanisms to ensure that both data breaches and ICT security incidents are reported efficiently.
3.3 Risk management
| | DORA | GDPR |
|---|---|---|
| Requirements: | Development and implementation of comprehensive ICT risk management to identify, assess and manage risks, including those that could affect personal data. | Data protection impact assessments (DPIA) are required for processing operations that are likely to pose a high risk to the rights and freedoms of natural persons. |

Interface: Both regulations require systematic risk management that includes the identification and assessment of risks, including those that affect personal data.
3.4 Technical and organisational measures (TOMs)
| | DORA | GDPR |
|---|---|---|
| Requirements: | Financial companies must implement suitable technical and organisational measures to ensure the resilience of their IT systems. | Companies must take technical and organisational measures to ensure a minimum level of protection for personal data appropriate to the risk. |

Interface: Both regulations require the implementation of suitable measures to ensure the security and protection of IT systems and data.
3.5 Controls and audits
| | DORA | GDPR |
|---|---|---|
| Requirements: | Regular review and auditing of ICT risk management and security processes. | Obliges companies to regularly review compliance with data protection regulations and to carry out data protection audits. |

Interface: Both regulations require regular reviews and audits to ensure the effectiveness of the measures implemented.
4. Summary
The interfaces between DORA and GDPR show that both regulations aim to ensure data integrity, confidentiality and availability, albeit with a different focus. While DORA is primarily focused on operational resilience and IT security in the financial sector, the GDPR emphasises the protection of personal data. The implementation of measures to comply with both regulations requires an integrated approach that takes into account both IT security and data protection aspects.
Author: Regina Mühlich, Managing Director of AdOrga Solutions GmbH; Member of the Board of the Professional Association of Data Protection Officers in Germany (BvD) e.V.