Data has become a significant resource for all organisations. For all its benefits in improving competitiveness, the data economy is now being increasingly protected by regulation. The latest being the Digital Operational Resilience Act (DORA).
DORA addresses the notion of data ownership and control head-on. Alongside other global data privacy strategies, the regulation is creating an environment of regional ‘protectionism’ and concerns over data ownership and privacy.
DORA could become mandatory for sectors classified as highly critical from 2024 onwards, so it’s important to understand the challenges of managing and storing sensitive data, and why they are driving the need for data sovereignty.
How might DORA affect businesses?
Europe is looking to take back control of its own data, with investment by the EU in research and innovation with regulations, policies and standards reaching €1.8 trillion. DORA is particularly important as it extends to financial businesses, at least initially, and will see local auditors introduced to ensure compliance.
DORA and other data privacy laws, like the Data or AI Act, can vary by country and region, and require local experts and multiple clouds, leaving businesses feeling the pinch in resourcing. Our recent research found that more than 70% of businesses believe financial and environmental regulations will become more of a threat, while sources suggest 88% of boards regard cybersecurity as a business risk. Already grappling with macro issues such as economic pressures, businesses are now seeing digital operational resilience and the close control and management of sovereign data rise to the top of the boardroom agenda.
The need for digital sovereignty
Yet the challenges of managing and storing critical data are growing. We found in our research that 64% of EMEA organisations have increased their volume of sensitive data, and 63% have already stored confidential and secret data in the public cloud. What’s more, 95% of businesses cite that managing unstructured data is a problem for their organisation and 42% of business leaders are very or extremely concerned about critical data managed by U.S. cloud providers. It is known that over half of the European cloud market is controlled by US-based providers who are subject to external jurisdictional controls.
Navigating the implementation of DORA and managing high volumes of data is driving the need for data sovereignty. This is where intelligence is bound by the privacy laws and governance structures within a nation, industry sector or organisation. Maintaining a sovereign scope requires businesses to use a cloud endpoint that offers the same sovereign protections as the original location. The issue is that many multinational cloud companies cannot guarantee this.
Complying with DORA with a cloud-smart strategy
Businesses need a cloud smart strategy that ensures flexibility, and allows systems to be moved from one cloud provider to another to ensure continuity. The Data Act seeks to remove legal, financial and technical barriers to enable easier cloud provider switching. Taking this approach means addressing all aspects of a business, including sovereign supply chain (in the case of DORA) and will require audits to check all components meet the same standards of operational resilience. It is unsuitable to have a strategy that involves copying data out of a sovereign zone or that could lead to outages in the absence of a secondary site or instance.
Equally, relying on a single cloud vendor will not achieve true resilience. Instead, a service should leverage multi-cloud and hybrid solutions to efficiently shift workloads and data as needed to avoid downtime and outages.
Building the foundations of Europe in a DORA era
Sovereignty is important because it enables organisations to be innovative with their data and deliver new digital services. Data privacy legislations, like DORA, have the objective of protection but long-term they are designed to deliver returns on society’s investment into big data – and more.
DORA is one of many foundations of a future Sovereign Europe. One where we’re in charge of own data, and our destiny too.