Nigerian companies and the Digital Online Resiliency Act
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
February 20, 2023
The Digital Online Resiliency Act (DORA) is legislation that has been passed by the EU Commission, which has given companies until 17 January 2025 to get in line. What does this mean for Nigerian companies?
The act aims to foster resilience of digital systems in the EU and globally, especially in the wake of cyber threats and attacks.
The act seeks to promote the adoption of best practices and standards for cybersecurity, establish reporting and incident response mechanisms, and promote collaboration between government agencies, private sector actors, and other stakeholders.
While the DORA is an EU-centric initiative, its impact would be felt globally, especially by companies that operate globally or have business ties with EU-based entities. Nigerian companies are not an exception, and the act could have significant implications for their operations, especially those that rely on digital systems to deliver their products and services.
One of the primary ways in which the DORA could affect Nigerian companies is through the proposed cybersecurity standards and best practices. The act calls for the establishment of a framework for cybersecurity risk management, which would set minimum standards for companies that handle sensitive data or critical infrastructure. The standards would cover various aspects of cybersecurity, such as data protection, access controls, incident response, and security testing.
For Nigerian companies that operate globally, complying with the DORA standards would be a legal requirement. Failure to comply could result in penalties, fines, or legal actions. Even for companies that do not have a presence in the EU, complying with the DORA standards could become a competitive advantage, as customers and partners would see them as more trustworthy and reliable.
However, complying with the DORA standards would also come with additional costs and overheads for Nigerian companies. They would need to invest in cybersecurity technologies, processes, and personnel to meet the standards, which could be challenging for small and medium-sized enterprises (SMEs) that have limited resources. Moreover, the standards could be updated periodically, requiring companies to continuously monitor and update their cybersecurity practices.
Another way in which the DORA could affect Nigerian companies is through the proposed incident reporting and response requirements. The act calls for the establishment of a reporting mechanism for cybersecurity incidents that affect critical infrastructure, federal agencies, or companies that handle sensitive data. The mechanism would require companies to report incidents within a specified timeframe and provide detailed information about the incident, its impact, and the remediation steps taken.
For Nigerian companies that operate in the EU or handle sensitive data, complying with the incident reporting requirements would be mandatory. Complying with the reporting requirements could also be challenging for Nigerian companies that lack the expertise or resources to handle cybersecurity incidents. They would need to have a designated incident response team, a communication plan, and the necessary tools and technologies to detect and mitigate incidents.
On the other hand, the proposed incident reporting and response requirements could also benefit Nigerian companies. They would have access to a centralised platform for reporting incidents and sharing information with other stakeholders, such as government agencies, industry associations, and security vendors. This could help them to stay informed about the latest threats and trends in cybersecurity and take proactive measures to protect their systems and data.
To summarise, the DORA could affect Nigerian companies through the proposed collaboration and coordination mechanisms. The bill calls for the establishment of a National Cyber Director, who would be responsible for coordinating the government’s cybersecurity efforts and engaging with private sector actors and other stakeholders. The director would also oversee the implementation of the cybersecurity framework and incident reporting mechanisms. They would have a voice in the development of cybersecurity policies and practices and could provide feedback and insights on how the policies affect their operations. Moreover, they could access the director’s expertise and resources to enhance their own cybersecurity resilience. These are critical times and Nigerian companies should start creating businesses that are globally reputable.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com