Navigating the DORA – The Digital Operational Resilience Act (DORA) – A high level overview and Gap Analysis
https://techgdpr.com/blog/navigating-the-dora/
Thu, 23 Jan 2025 09:51:38 +0000

The post Navigating the DORA – The Digital Operational Resilience Act (DORA) – A high level overview and Gap Analysis appeared first on TechGDPR.

In today’s rapidly evolving digital landscape, the financial sector faces unprecedented challenges in maintaining operational resilience against cyber threats and technological disruptions. To address these concerns, the European Union has introduced the Digital Operational Resilience Act (DORA), a groundbreaking regulation set to transform the way financial entities and their ICT service providers manage digital risks.

So, what is the DORA?

The DORA is a comprehensive EU regulation that establishes a unified framework for Information and Communication Technology (ICT) risk management in the financial sector. It came into force on January 16, 2023, and financial entities must comply with its requirements by January 17, 2025.

Before explaining the DORA in more depth, along with its new mandatory compliance obligations for in-scope entities, it is worth keeping in mind what the implications could be for your business and, in certain instances, the possible consequences for you as an individual. Personal liability can be attributed and sanctions levied.

Fines and Consequences of Non-Compliance

The DORA introduces a stringent enforcement mechanism to ensure compliance across the financial sector. The consequences of non-compliance can be severe, including:

Financial Penalties:

  • Fines of up to 2% of the total annual worldwide turnover for financial entities.
  • Individual fines of up to €1,000,000.
  • For critical third-party ICT service providers, fines can reach up to €5,000,000 for companies or €500,000 for individuals.

Administrative Measures:

  • Mandatory remedial actions to address compliance gaps.
  • Public reprimands and disclosure of violations, leading to reputational damage.
  • Withdrawal of authorization to operate in extreme cases.

Legal Consequences:

  • Potential legal action and scrutiny from regulators or affected parties.

It’s important to note that the exact nature and amount of penalties may vary depending on national laws of EU member states. However, the overarching message is clear: non-compliance with the DORA can have significant financial, operational and reputational consequences for financial entities and their ICT service providers.

The DORA’s primary objectives are:

  1. To create a cohesive approach to ICT risk management across the EU financial sector.  
  2. To harmonize existing ICT risk management regulations among EU member states.  
  3. To enhance the overall digital operational resilience of financial entities and their critical ICT service providers.

The DORA represents a significant shift from previous regulatory approaches, which primarily focused on capital requirements to mitigate operational risks. Instead, the DORA mandates specific technical standards, capabilities, and outcomes to ensure a unified set of best practices for digital resilience across the financial sector within its “Five Pillars”: ICT Risk Management, ICT Incident Reporting, Digital Operational Resilience Testing, ICT Third-Party Risk Management, and Information Sharing Arrangements (encouraged but not required).

The DORA Scope and Applicability

The DORA’s scope is extensive, covering a wide range of financial entities operating within the European Union, as well as non-EU entities with operations in the EU market. It’s important to note that the DORA’s applicability extends beyond EU-based entities. Non-EU financial entities operating within the EU market are also subject to the DORA’s regulations. For example, a Canadian bank with a single branch or office in the EU would fall within the DORA’s scope, as would its ICT service providers.


The regulation applies to:

Traditional financial institutions:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment institutions
  • E-money firms

Emerging financial service providers:

  • Crypto-asset service providers
  • Crowdfunding platforms
  • Account information service providers (AISPs)

Financial market infrastructure:

  • Trading venues
  • Central counterparties
  • Trade repositories

Other financial sector entities:

  • Credit rating agencies
  • Statutory auditors and audit firms
  • Administrators of critical benchmarks

ICT third-party service providers:

  • Cloud service providers
  • Data analytics services
  • Data centers

In Scope examples

To better understand the DORA’s wide-ranging impact, let’s explore some specific examples of how the regulation applies to different sectors within its scope:

Traditional Banking

A multinational bank with headquarters in Frankfurt and branches across the EU must implement robust ICT risk management frameworks, conduct regular resilience testing, and ensure proper incident reporting mechanisms are in place for all its EU operations.

Insurance Sector

A Paris-based insurance company needs to enhance its third-party risk management processes, particularly for cloud service providers hosting critical customer data and claims processing systems.

Investment Firms

A London-based investment firm with clients in the EU must comply with the DORA’s requirements for ICT incident reporting and information sharing, even though the UK is no longer part of the EU.

Crypto-asset Services

A Maltese-registered cryptocurrency exchange serving EU customers must implement DORA-compliant ICT risk management practices, including regular threat-led penetration testing and vulnerability assessments.

E-money Institutions

A Swedish e-money provider offering services across the EU needs to ensure its ICT systems are resilient against potential cyber threats and operational disruptions, in line with the DORA’s requirements.

Payment Service Providers

A Dutch payment gateway company must implement comprehensive incident response and recovery plans, as well as conduct regular digital operational resilience testing.

Credit Rating Agencies

A German credit rating agency needs to enhance its ICT risk management framework and ensure proper monitoring and reporting of significant ICT-related incidents.

Cloud Service Providers

A US-based cloud computing company serving EU financial entities must comply with the DORA’s oversight framework for critical third-party providers, including potential audits and inspections by EU authorities.

If your business falls within the scope of these sectors or resembles one of the in-scope examples, and you have not yet begun a detailed DORA Gap Analysis, reach out to us today to discuss how to get on track with these new mandatory legal requirements. It is best to avoid assuming that the DORA only applies to large financial institutions. Remember that it covers a wide range of entities, including smaller firms and non-EU companies operating in the EU market.

The Necessity of a Gap Analysis

A gap analysis can be best described as a way to evaluate the difference between where an organization currently stands and its goal state. As the compliance deadline approaches, conducting a comprehensive gap analysis is crucial for in-scope entities and ICT service providers to assess their current state of digital operational resilience against the DORA’s requirements.

The new DORA obligations may seem daunting to many businesses, especially with the constant evolution of regulatory requirements. For organizations already struggling with limited resources, the thought of navigating yet another set of regulatory hoops can feel overwhelming. However, it’s important to recognise that these obligations are an opportunity to strengthen your operational resilience and data protection practices (we will explore the interplays between the DORA & the GDPR in a further article).

Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close.
https://techgdpr.com/blog/privacy-gdpr-compliant-zcash-least-authority-personal-data/
Tue, 05 Feb 2019 15:18:57 +0000

Last week, Forbes examined the promise of privacy in P4 protocol in the article (“Zcash Out To Prove Privacy Is Key To Crypto Adoption With GDPR-Complying Use Cases” by Darryn Pollock). Pollock’s article included a link to TechGDPR’s Zcash GDPR assessment. In addition to the article in Forbes, ZCash has published its own statement, as has its spin-off company, Least Authority. Now is a great time for TechGDPR to provide a summary of our conclusions to add to the discourse.

On Confidentiality

Before getting into the details, I first want to emphasize that TechGDPR works with a wide variety of clients, and we approach our specialized consulting for each client with the utmost confidentiality, unless a client states otherwise. Zcash is among our clients that have taken steps to publicly discuss this GDPR compliance assessment. It is with the permission of both Zcash and Least Authority that TechGDPR released our report.

Zcash GDPR assessment on the P4 protocol

In October 2018, TechGDPR conducted a GDPR compliance assessment of the P4 protocol specification on behalf of the Zcash Company and Least Authority. This assessment reflects important conversations among regulators, compliance advisors, and implementers of blockchain and other cutting edge technologies in the context of the GDPR and other privacy-protecting regulations.

Data gathered while utilizing the P4 protocol is mostly anonymous, and only a few types of data could potentially be flagged as personal, and therefore in scope of the GDPR. The risk of identifying natural persons through the use of Least Authority’s S4 storage service is significantly mitigated by the use of zero-knowledge proofs in Zcash’s shielded transactions. Other regulations, such as financial regulations, anti-money laundering regulations, and know-your-customer regulations, may be triggered by anonymous online services. And although new regulations around the world are attempting to make service providers responsible for their users’ content, Zcash has been favorably received by financial regulators.

TechGDPR’s Findings

The assessment conducted by TechGDPR (PDF available here) asserts that implementation of P4 is unlikely to raise any major issues regarding GDPR compliance, apart from the consideration of whether or not to allow customers to use S4 for data processing under the GDPR, and how to effectively prevent this (see finding #11: “Possible role of data processor”). A few matters require highlighting as they may become an issue in the future as the usage of the service changes (finding #2: “File deletion, garbage collection”), or as the interpretation of the GDPR evolves further (findings #1: “Logging IP Address” and #3: “Consequences of maintaining a full node”). The biggest concerns are related to the processing of data within S4, not within P4. The P4 protocol itself only presents concerns if subscribers insist on paying from transparent addresses.

TechGDPR also concluded that as long as Zcash transactions cannot be linked back to a natural person, because they are private or because no link between the t-address and the user exists, the transaction within Zcash and payment information itself should be considered anonymous and therefore out of scope of the GDPR.

In our opinion, the P4 service allows for as close to anonymous usage as you can get with current technology, with important caveats regarding user practices and user volume. The full benefits of P4 can only be realized if the user is extremely cautious with how they use it, as is the case with most privacy-preserving solutions today. Least Authority has tried to make it harder for users to make mistakes (e.g., by requiring Tor); however, it is still possible to gather some information through leaked metadata or trivial mistakes by the user that may, over time, be enough to link the usage back to a person. As the user base grows, maintaining anonymity will become easier, since establishing a relationship between specific users and their data or metadata will become increasingly difficult.

Privacy-enhancing technology, including P4, is not perfect. It is difficult to use, and requires perfect handling by both the user and Least Authority. Still, technologies like P4 go a long way toward challenging the advertising-surveillance model of the modern internet, and illustrate how blockchain-based technologies could show a new way forward.

Zcash looks forward

A statement released on Friday by Zcash declared, “We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology.”

Total anonymity may not be possible, but the policies outlined in the GDPR show legitimate demand and P4 demonstrates that we can get pretty close.
