Why Europe's DORA regulation is a band-aid but not a cure

Whenever there is a global financial calamity, whether it is on the horizon or has already happened, you can expect a flurry of regulation to stem the disruption. As far back as 1720, Britain passed the Bubble Act amid the South Sea Company's stock mania, to rein in speculative joint-stock promotions; the bubble burst months later amid accusations of insider dealing. The Great Depression spawned the Emergency Banking Act of 1933 in the United States, and the 2008 credit crunch precipitated Dodd-Frank in the U.S. and, in Europe, MiFID II and the creation of ESMA. There is no end in sight for regulators, because just as the ink dries on one piece of legislation, another event or innovation emerges that requires attention.

Regulators will always be on the hamster wheel of change, never quite reaching the point where they can claim victory over errant markets, and the next decade may bring their toughest challenges yet. While they are still finessing traditional market reforms, they now also have to ensure that users of the expanding Web3 ecosystem, defined by blockchain, decentralized finance (DeFi) and centralized finance (CeFi) platforms and the digital assets traded on them, are protected from exploitation by criminals and other bad actors.

DORA's broad reach

The European Council's recent approval of the Digital Operational Resilience Act (DORA) is the latest addition to the raft of regulations currently in the pipeline. DORA aims to consolidate and harmonize the essential cybersecurity requirements for digital resilience in the financial sector. It brings 21 types of financial entity into scope, from large enterprises such as banks, insurance companies and pension funds down to smaller e-money institutions, token issuers and crypto-asset service providers.

The DORA regulation is part of a broader European package of policy measures for fintech that includes the proposed regulation on markets in crypto-assets (MiCA) and a pilot regime for market infrastructures based on distributed ledger technology (DLT). In view of the recent FTX fallout it comes at an opportune time, even though FTX failed through governance and solvency problems rather than an ICT outage: it is the knock-on effect of such a collapse across connected firms that this legislation aims to contain. In essence, DORA aims to ensure that firms can withstand cyberattacks and operational disruptions by requiring governance, cybersecurity, ICT risk-management and incident-reporting measures.

More legislation on the way

DORA and MiCA are not the only pieces of legislation coming on line. We have the Digital Financial Assets (DFA) consultation papers being drafted independently by the U.S. and the U.K.; the Digital Markets Act (DMA), which targets large online platforms designated as gatekeepers; the Data Governance Act (DGA), which creates a framework for increased data availability and re-use within the European Union; and the proposed AI Act (often shortened to AI Reg), which aims to give developers, deployers and users clear requirements and obligations for the use of artificial intelligence. All of these initiatives have game-changing potential, and the aim is to have them solidly in place by 2030. That date, however, feels a long way off, as the rapid rate of innovation is likely to render the deadline moot.

As with all regulatory processes, DORA has gone through many drafts, and its recent approval has been welcomed across the industry. Cyberthreats have grown with alarming intensity over the last decade, and their impact on global economies, organizations and individuals is massive. While Gartner predicts organizations will spend nearly US$6.69 billion on cloud security in 2023, up almost 27% year-over-year, the Web3 industry is still not doing its part in tackling the potential US$10 trillion cyber-damage problem we could face by 2025. While DORA is a solid foundation, the regulation is in places ambiguous and by no means complete. For example, it does not say how much firms should spend on cybersecurity, nor which controls or methods they should employ to reach a higher level of threat mitigation; much of that detail is left to the regulatory technical standards that the European Supervisory Authorities still have to draft.

Plugging the holes

The biggest issues requiring attention include the proliferation of remote devices, the internet of things (IoT), remote working, social networks and cloud servers, each of which can become a point of failure within a security architecture. In the past, companies could ringfence their cybersecurity within the confines of the organization, but those borders no longer exist, and firms are exposed to attack through literally thousands of access points.

DORA will now hold companies accountable for breaches caused by weak security, so expect a scramble to mitigate these threats. However, if organizations are going to beat cybercriminals at their own game, relying on old technology will not work. Companies will need to change the game, and that means an entirely different approach to technology.

Unfortunately, DORA does not go far enough to incentivize companies to adopt leading-edge technology. The legislation is firmly seated in traditional, centralized cybersecurity solutions, which have proven ineffective at protecting Web2 and Web3 ecosystems. The central argument against current solutions is that not only are they outdated, with some of the underlying technology 40 years old, they were never designed to integrate with Web3. In essence, companies are using centralized technology to mitigate risk in decentralized markets.

Decentralized cybersecurity mesh

Cybersecurity mesh, a holistic approach to improving an organization's security posture, has been championed by Gartner as a leading trend. However, we need to flip the narrative to a decentralized cybersecurity mesh, one that protects devices in real time from cyber threats while enforcing security standards across networks. Decentralized cybersecurity technology companies should focus on fit-for-purpose solutions that enable more robust cybercrime prevention. They could create real-time, zero-knowledge proofs of the security status of every device, network and environment by combining Swarm AI and blockchain technology. The benefit of this approach is that they could prove to auditors and businesses the state of security at a specific point in time. Such evidence could also help courts analyze forensic data.

The biggest threat: people

There is a risk that the regulation will create a tick-box culture, in which companies claim compliance but fail to address the biggest issue: the absence of a cybersecurity mindset across all of their employees. Leaving it to the IT team to defend a company's borders means the most significant point of failure is overlooked. It is estimated that over 90% of security breaches involve individuals within the organization, whether through error, negligence or malice. So cybersecurity is not just about technology; it is about arming individuals with the mindset and tools to act as part of the defense.

Enforcement needs resources

When rules are put in place they need to be enforced. That requires a large network of skilled people who can monitor and evaluate non-compliant entities, backed by the infrastructure needed to enforce the rules. The sheer number of organizations affected by this legislation, coupled with the complex global networks that underpin many Web2 and Web3 businesses, will pose a human-resource challenge for regulators.

The only tenable solution is a blend of self-regulation, using automation and blockchain, with external regulation, where all stakeholders participate in monitoring the industry. This is not unworkable, because every party benefits from a safer, lower-threat landscape.

Increasing trust

Another key issue for the cybersecurity ecosystem is ensuring that data fed into systems from multiple sources is known and trusted. Today, the processes that generate that data are not themselves verifiable. Decentralized cybersecurity takes these single points of failure and turns them into nodes in a distributed validation scheme. That yields far greater resilience for digital operations than local or internal validation, because no single bad actor can silently tamper with settings or code. It removes that single point of tampering, although it does not remove the need to secure each individual node.

This is where a blockchain-based, decentralized cybersecurity mesh comes into its own, because it allows us, for the first time, to trust the validation process itself. It also unifies every device at the cybersecurity and governance level and negates the single-point-of-failure weaknesses inherent in today's centralized systems. In addition, it creates an intelligent trust network, using Swarm AI, that detects behavioral changes and vulnerabilities in near real time, potentially before attackers can compromise and take over the entire network.

This is what DORA is ultimately about: maintaining truth and trust and removing single points of failure within untrusted environments. Until we use decentralized cybersecurity to address Web3 vulnerabilities, we will continue to see the high levels of cybercrime currently plaguing blockchain and discouraging mass adoption of cryptocurrency.