DORA and its impact on data sovereignty

According to the European Commission, no less, ‘data is immensely valuable to all organisations, a significant resource for the digital economy and the ‘cornerstone of our EU industrial competitiveness’.

Hardly surprising when you consider the data economy is projected to deliver more than €829b and nearly 11m jobs to the region by 2025. Capitalising on and nurturing numbers of that scale are precisely what is behind evolving EU strategies and regulations coming into play. The latest of which is the Digital Operational Resilience Act (DORA) while updates to the Cybersecurity Act and the Data Act are likely to follow soon (relatively) afterwards. The key difference with DORA is that it extends its scope to encompass your financial business as well as all supply chain businesses and services integrated with your company. DORA aligns with the EU Cybersecurity framework (EUCS) and could become mandatory for sectors classified as highly critical under the EU Networks and Information Systems Directive (NIS2) from 2024 onwards.

Regional ‘protectionism’

To give some context to the extent to which Europe is looking to take back control of its own data, there has been investment by the EU in research and innovation with regulations, policies and standards to the tune of €1.8 trillion. DORA is particularly crucial legislation because it addresses the notion of ownership and control head-on, initially for financial organisations, but expanding to a broader scope. Fundamental to its being is that businesses must ensure alignment with the latest regulations as local auditors will be introduced to ensure compliance, which subsequent legislations will reinforce – the Cybersecurity Act (EUCS) will eventually protect EU data, out of reach of a foreign jurisdiction, for instance.

These, and other global data privacy regulations, such as EUCS, the AI Act and the Data Act are creating an environment of regional ‘protectionism’ and concerns regarding data ownership and privacy. According to this paper, globally 145 countries have data privacy laws, up from 132 in 2018. These laws vary by country and region, requiring local experts and multiple clouds meaning businesses are feeling the pinch in resourcing and skills.

Recent research we conducted with IDC, more than 70% of businesses believe financial and environmental regulations will become more of a threat, while source suggests 88% of boards regard cybersecurity as a business risk. Moreover, companies are grappling with macro issues such as global economic pressures, like inflation and ongoing geopolitical uncertainties. All of this is compounded with the UN triple crisis of climate change, pollution, and biodiversity changes.

The upshot being that digital operational resilience and a business’s ability to control and manage its sovereign data under any circumstances has been catapulted to the top of the boardroom agenda.

Driving the need for data sovereignty

Yet the challenges of managing and storing sensitive and critical data are growing. The volume of highly sensitive data now hosted in the cloud is on an upward trajectory. 64% percent of EMEA organisations have actually increased their volume of sensitive data, and 63% have already stored confidential and secret data in the public cloud, according to the IDC report previously cited. At the same time, 95% of businesses cite the need to manage unstructured data as a problem for their business and 42% of business leaders are very or extremely concerned about critical data managed by U.S. cloud providers – Statista found that 66% of the European cloud market is controlled by US-based providers, who are subject to external jurisdictional controls like the US Cloud Act.

Managing this exposure of highly sensitive classified data is driving the need for data sovereignty – where this intelligence is bound by the privacy laws and governance structures within a nation, industry sector or organisation. Maintaining stability within a sovereign scope requires businesses to utilise a cloud endpoint that offers the same sovereign protections as the original location, yet many multinational cloud companies cannot guarantee this.

A ‘cloud smart’ strategy

This is why businesses need to adopt a Cloud Smart strategy. One that ensures flexibility, allowing business-critical systems to be seamlessly moved from one cloud provider to another to ensure continuity. The recent political agreement of the Data Act (as of the 27th June 2023), seeks to remove legal, financial (egrees fees) and technical barriers to enable easier cloud switching between cloud service providers. Taking this approach means comprehensively addressing all aspects of a business, including sovereign supply chain (in the case of DORA) and will require audits to check all components meet the same standards of operational resilience. It is unsuitable to have a strategy that involves copying data out of a sovereign zone or that could lead to extended outages due to the absence of a secondary site or instance. The EUCS recent updates to the draft proposal now include a High+ category whereby no entity outside the EU would have effective control on cloud data.

Additionally, relying on a single cloud vendor is not recommended for achieving true resilience. Instead, a resilient service should leverage multi-cloud and hybrid solutions to efficiently shift workloads and data as needed to avoid downtime and outages.

Foundations of a future Europe

Ultimately, the reason why sovereignty is so important, is that it enables organisations to be innovative with their data and deliver new digital services. The upcoming legislations may be cloaked with the objective of protection but, long-term they are being brought in to meet and exceed the numbers projected around data by the European Commission – you don’t invest €1.8 trillion if you don’t expect it to pay back big.

These legislations are the building blocks for the foundations of a future Sovereign Europe. One where we’re not only in charge of own own data, but our own destiny as a result.