What It Is

Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is an EU regulation bolstering ICT resilience for financial entities against disruptions like cyberattacks. Applicable from January 17, 2025, to 20 entity types and CTPPs across 27 states, it uses a risk-based, proactive methodology harmonizing rules.

Key Components

• **ICT Risk FrameworksIdentify, mitigate risks with annual reviews.
• **Incident Reporting4/72-hour notifications, 1-month analysis for major events.
• **Resilience TestingAnnual basic; triennial TLPT.
• **Third-Party OversightDue diligence, ESAs supervision of CTPPs. Proportionality-based; promotes information sharing. Compliance via reporting, penalties up to 2% turnover.

Why Organizations Use It

Mandatory for EU finance to avert fines, mitigate threats (74% ransomware hit). Enhances third-party management, systemic resilience, stakeholder trust amid rising incidents like CrowdStrike outage.

Implementation Overview

Gap analysis against RTS/ITS, policy development, testing programs, vendor contracts. Tailored to size/risk; financial sector focus. Ongoing audits, no certification but ESAs oversight.

What It Is

PDPA (Personal Data Protection Act) refers to a family of data protection laws in jurisdictions like Singapore (2012), Thailand (2019), and Taiwan, primarily regulating collection, use, disclosure, and transfer of personal data by organizations. These are principle-based regulations balancing individual privacy rights with legitimate business needs, employing a risk-based approach with consent, exceptions, and accountability.

Key Components

• Core obligations: consent/notification, purpose limitation, data subject rights (access/correction), security safeguards, retention limits, transfer controls, breach notification, accountability (often DPO).
• Built on GDPR-influenced principles; 8-10 main requirements varying by jurisdiction.
• Compliance via self-assessment, no universal certification but regulator enforcement.

Why Organizations Use It

• Mandatory in applicable jurisdictions for data handlers; avoids fines (up to SGD 1M, THB 5M).
• Enhances risk management, builds trust, enables cross-border operations.
• Strategic for regional business, GDPR alignment, competitive differentiation.

Implementation Overview

• Phased: governance, data mapping, policies, controls, training, audits.
• Applies to all sizes handling local data; Singapore/Thailand focus.
• No certification; ongoing DPMP, regulator guidance (PDPC).