
DORA's legal aspects: a practical guide for legal counsel


The Digital Operational Resilience Act (“DORA”) tightens the requirements for regulated firms in the financial sector concerning cybersecurity and operational resilience, and affects the ICT sector either indirectly or, for providers that are designated as critical, directly. As the full name of DORA itself suggests, some of the main challenges of the new regime will be of an operational nature.

This publication focuses on those aspects of DORA that benefit from an early involvement of either in-house or external counsel, along with some practical steps the legal function can take to ensure a smooth implementation. The success of any regulatory implementation project – even in a highly technical area such as this – is greatly enhanced by the proactive involvement of legal counsel, especially during the initial stages of the project, to sharpen gap or impact analyses and the drafting of business requirements. Strong legal interpretation and drafting skills are key during these important stages of your project. DORA also includes contract management and content requirements that we expect will need to be translated into a dedicated contract/repapering workstream, which legal counsel should take the lead on, as well as training and various notification and consent requirements towards the regulator, in which legal counsel also has an important role to play.   

This publication is relevant both for financial entities and for the ICT third-party service providers on whom they rely.
