Transcript

Speaker 1 0:00

Welcome to another episode of Privacy Pleased , where we break down complicated tech stuff into bits everyone can understand . I'm your host , gabe Gumbs , and today we're talking about something pretty important . Dora no , not the Explorer . We're talking about Europe's new Digital Operation Resiliency Act . Now I know what you're thinking Great , another boring regulation . Those Europeans sure do like their digital regulation with their GDPR . Now , stick with me , just hang in there , right ? Because this one's actually pretty interesting .

Speaker 1 0:36

So let me start with just a real easy question . You ever try , using your banking application , logging in phone , online . Whatever wasn't working . Yeah , pretty frustrating , right ?

Speaker 1 0:45

How long would it take for panic to set in if enough people were affected ? What do you think ? 30 minutes an hour , two days ? Now think about outages caused by things like ransomware . 22 days , that's the average . What would that do to critical infrastructure like banks ? Well , that's exactly what Doar is trying to prevent . Think of it as a rule book that makes sure banks and financial companies they keep their computer systems super durable and reliable .

Speaker 1 1:17

Again , ransomware an absolute plague on society , and its number one impact is availability . Taking your business offline is the leverage to make sure you pay up . Banks are getting attacked more than ever before , and almost everything we do with our cash these days is online , right ? Some cash banks , we say back in Brooklyn , whether you're paying your bills , checking your accounts , sending money , just all of our I don't even know when's the last time you've held a significant amount of actual cash in your hand . I think for most of us that's not really a thing . I don't really walk around with a lot of actual cash . It's all digital these days . It's all being done through computers and I think most of us are very comfortable with that . I think most of us are comfortable that if the systems have an issue , that the banks will resolve it . But Dora goes further than that . Dora is meant to make sure that the systems are always there , always available , that you always can have access to your money . So if a bank's computers crash or get hacked , it's not just annoying , that's going to be a disaster for a lot of people .

Speaker 1 2:16

Now here's where it gets extra interesting , right ? So since DORA is a European rule , you might think it only affects European countries , european companies . But not too dissimilar at all from GDPR . That arm is pretty large . Europe is a significant part of the global economy , as much as the global banking system , and so here's the scoop . So , first off , in Europe , it affects all banks , that's right , all banks . It affects all insurance companies . It affects all banks , that's right , all banks . It affects all insurance companies , all investment firms and any companies that provide technology services to those financial companies . So if you provide technology services to a bank , an insurance company , investment firm in the EU and it is part of that critical infrastructure , that means that door is going to affect you as well . It's interesting too , though , right ? So a little bit of a twist , it affects a lot of American companies in that way . And so if you're an American bank with offices in Europe , yep , those offices , they're going to need a follow door . If you're an American tech company helping European banks with their computer systems , got it . You gotta follow Dora too , right ? And so it's got a pretty wide reach .

Speaker 1 3:28

And the next obvious question is well , what in the world do I need to do to make sure I'm compliant with Dora ? And there's ? This is very much just an introduction to the topic , so you know , for more detailed prescriptive information we'll get into that in some future episodes We'll bring some guests on . We wanted to just get that topic out there . So there's really four main rules that companies need to follow . The first one is you got to find and fix your problems early . Pretty straightforward , right . So prioritization of the issues that affect that operational resilience of your systems Hell , even better if those systems self-heal themselves , right , like great Problem found and fixed all on its own . You got to report those problems quickly . That's the second big rule . So the first big rule is you got to find and fix those problems . Second one is you got to report those problems quickly . So if something goes wrong , you have to tell the authorities right away .

Speaker 1 4:21

No keeping secrets . A lot of times when breaches occur , it could be weeks , it could be months before that information is shared while they're doing air quotes . Root cause analysis , right ? Well , when there's an operational outage , when something's out , that knowledge is immediate , like everyone knows it . When a business gets hacked , everyone might not know it . It might be weeks or months before you even knew that . You know company A or B or whatever . It might only be when you get that notice in the mail saying hey , your data was leaked , that you even knew that that company was hacked . But when your bank is unable , when you aren't able to log into it , everyone knows that . So you've got to report right away what's going on , and no more of this . We'll tell you once we think we know all the things right .

Speaker 1 5:05

Third rule we covered this a little bit already , but you've got to make sure that your partners are safe . So if your suppliers are part of your critical operations , they're going to need to be checked as well . And then , number four , you've got to practice emergency plans . Practice them . I love that . That's part of the regulation . So , a , you're going to need a business continuity and disaster recovery plan God forbid . If you don't already have one , you're going to need one . And B , you're not just going to have to have it , you're going to have to test it , just like fire drills at school , you're going to have to practice handling these emergencies . You have to be prepared for when it happens . It should go without saying that just having a response playbook that you've never once exercised is not going to serve a lot of value if the first time you try to go through these exercises is during a live fire exercise , during when it's actually happening to you .

Speaker 1 6:01

But here's some other interesting things , right ? So some American companies are choosing to follow those rules , even if they don't have to , even if they're not within scope . It might just be that they recognize the good hygiene for what it is , which , quite honestly , it literally is . But let's be honest , we're not that far off from these rules hitting our shore in the exact same way . They are there and around us to a large degree , because American banking infrastructure has already been deemed critical infrastructure , but we don't have a federal regulation like Dora . It's not at the federal level , right ? You've got things like NYCR 500 out of New York that has some provisions around things like this . It's mostly focused on security , though , but again , I would always argue that security being the combination of confidentiality , integrity and availability , that those types of things should have already been codified into both what we do and to the technologies we build and into the rules that we follow .

Speaker 1 7:02

But companies might want to follow DORA , if one . If you want to work with other European companies someday , then you're going to want to follow DORA . It's going to become similar to SOC 2 processes , where you have to demonstrate your security capabilities . You're going to have to demonstrate your resiliency capabilities as well . If you have partners and customers in Europe , yeah , you might want to follow DORA . If you just want to stay competitive globally , you're probably going to want to follow DORA , even if you're outside of Scud , right ? Or if , again , you're just simply looking for good security practice . So DORA was officially adopted back in November 2022 .

Speaker 1 7:39

I don't think we talked about it much on this show Maybe not at all , if I'm being transparent and so it's been a couple of years for folks to prepare but it goes into effect on January 17th 2025 . So not that long from now , and by that date , all entities within scope of DORA , including financial institutions and critical third parties operating in the EU , are going to have to be fully compliant with its requirements . Now , there it is . There you have it , folks . Dora might sound complicated , but it's really just about making financial systems unbreakable and , whether you're in Europe , america or anywhere else , these rules are really going to help shape the future of everyone's digital currency . That's all for today's episode of Privacy , please . Please , remember to like , subscribe and share if you found this helpful . Until next time , gabe Gumbs .