DORA and the data centre – new Uptime DORA research brief

The Uptime Institute has released the first in a promised series of research briefs for the data centre industry. The Institute’s initial foray analysis the potential effect of the EU’s Digital Operations Resilience Act, or DORA, on third-party data centre operators and service providers.

Governments and regulators are becoming increasingly concerned with the resilience of digital  systems, particularly in critical sectors including financial services, telecom, transportation and cloud services. However, while some of these industries – for example, financial services – are highly regulated and subject to government oversight others – like cloud services – are not.

The proposed DORA Act is intended to improve this situation by increasing regulation across colocation, cloud, and third-party IT service providers that work with financial entities. Under DORA, regulators will be given the authority to conduct investigations and review software and hardware for these companies, and to require changes to improve the resilience of networks. These requirements will be backed by the ability to levy strict fines on service providers if stipulated conditions are not met. Regulators can also terminate contracts between financial entities and third-party IT services providers if they determine that there is a risk to the stability or security of the financial network.

“These supervisory bodies monitor all aspects of IT operational resiliency, both of end-to-end financial services and of individual companies. They are concerned about cybersecurity, capacity overruns, system malfunctions or failures (i.e. power) and physical disruptions.”

Financial services companies will also have increased responsibilities under DORA, which the Uptime report describes as simply “formalising the processes that many companies already have in place as part of their overall risk management.” These include implementing comprehensive business continuity and DR plans, incident reporting, resilience testing, and third-party risk management.

While the DORA regulations increase the responsibilities of financial entities to their IT service providers, they also increase the amount of control that these companies have. This means that companies can monitor the performance of service providers and require them to comply with their authority. Moreover, financial companies can require third-party service providers to implement and test business contingency plans and guarantee secure services.

DORA regulations have a lot of support, even from within the financial sector, which will bear the burden of increased responsibilities for reporting and oversight. By formalising procedures that are currently standard practice, but unregulated, DORA gives businesses a level of control that they otherwise may not be able to enforce.

However, there are some questions about how DORA will be enforced across the borders of different countries, which may have conflicts with existing regulations. There may also be some confusion with data centre and ICT service providers that have customers across different industries.

On one hand, DORA and similar EU regulations may make it difficult for international businesses to establish a new footprint in the EU. There is also increasing concern that the requirements placed on third-party service providers will limit the financial services company options in selecting support services. On the other, it may represent a template for other countries to establish similar regulations of their own.

Evidence of U.S. interest in DORA regulations was highlighted in a recent article from NASDAQ, which focused on the cyber security aspect of the act. DORA sets strict requirements for incident reporting and incident severity classifications, which are intended to improve the cybersecurity incident prevention and recovery. NASDAQ noted that in March, the U.S. Security and Exchange Commission (SEC) “proposed regulations that would require public companies to disclose how their boards oversee cyber security and to report cyber security breaches within four days of the corporation’s determination that a breach is a material event. Thus, public companies and their boards need reliable methods to discern whether an incident exceeds the threshold for materiality requiring disclosure.”