What It Is

Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU regulatory framework bolstering ICT resilience in finance against disruptions like cyberattacks. Applicable to 20 financial entity types and critical third-party providers across 27 member states, it employs a proportional, risk-based approach for proactive management over reactive buffers.

Key Components

• **ICT Risk ManagementStrategies for risk identification, mitigation, annual reviews.
• **Incident Reporting4-hour alerts, 72-hour updates, monthly root-cause analysis.
• **Resilience TestingAnnual vulnerability scans, triennial TLPT.
• **Third-Party OversightContractual clauses, monitoring of CTPPs via ESAs. Built on harmonization; enforced through RTS/ITS, no formal certification.

Why Organizations Use It

Legally mandated to avert 2% turnover fines; mitigates systemic risks amid rising threats (74% ransomware hit). Enhances trust, operational continuity, integrates with Solvency II/NIS2 for competitive edge.

Implementation Overview

Conduct gap analyses, develop frameworks, implement testing/vendor strategies. Targets ~22,000 EU entities; full application January 17, 2025. Proportionality aids SMEs; requires audits, reporting.

What It Is

Gramm-Leach-Bliley Act (GLBA) is a U.S. federal regulation enacted in 1999. It establishes privacy and security standards for financial institutions handling nonpublic personal information (NPI). GLBA uses a risk-based approach via Privacy Rule and Safeguards Rule, enforced primarily by the FTC for non-banks.

Key Components

• Privacy Rule (16 C.F.R. Part 313): Initial/annual notices, opt-out for nonaffiliated sharing.
• Safeguards Rule (16 C.F.R. Part 314): Written security program with 9+ elements including risk assessment, Qualified Individual, board reporting, encryption, MFA, testing.
• **Pretexting protectionsAnti-social engineering measures. No formal certification; compliance via self-attestation and audits.

Why Organizations Use It

• Mandatory for broad financial entities (banks, lenders, tax firms, auto dealers).
• Mitigates enforcement risks (fines up to $100K/violation).
• Builds customer trust, operational resilience, vendor oversight.
• Enables competitive edge in data handling.

Implementation Overview

Phased: scoping, risk assessment, policy development, technical controls (IAM, encryption), training, testing, continuous monitoring. Applies to U.S. financial activities; audits by regulators like FTC.