The delay in the arrival of the Regulatory Technical Standards (RTS) does not help.
“The legislator has not completed the regulatory process,” says Giancarlo Butti, an auditor and expert in privacy and security. “To date, only some of the delegated regulations have been officially released, so financial entities that are, for example, redefining contracts with suppliers will subsequently have to — once the other delegated regulations arrive — add the part relating to the management of relationships with subcontractors. It is very important, in fact, that financial entities carefully consider the risk of the entire supply chain. An aspect that is not considered enough is that the impact of DORA does not only involve financial entities but, indirectly, the entire ICT supply chain.”
The complexity of DORA, therefore, lies not in the text itself, substantial though it is, but in the work it entails for compliance. As Davide Baldini, lawyer and partner of the ICT Legal Consulting firm, points out, “DORA is a very clear law, as it is a regulation, which is applied equally in all EU countries and contains very detailed provisions. By comparison, NIS2 is based on principles and is a directive, so each member country has room to maneuver in its implementation. However, DORA is very prescriptive, and this makes compliance complex in terms of time and the human and financial resources that need to be deployed.”