Could Data Classification Help Towards DORA Compliance?

If you’ve started to become sick of all the webinars, LinkedIn content, the vendor proclamations that the Digital Operational Resilience Act (DORA) is worming its way into being then you’ll be pleased to read that this isn’t just another DORA blog!

The reason you’re seeing so many of those is that the real guts of the legislation is still not available in any tangible format. The result is that whilst everyone in IT is desperately trying to market against the legislation and tell you how their solution or consultancy will make your life hassle free, they still don’t actually have a technical requirement to say “We resolve X”. Thus, their only option is to bombard you with DORA is coming, DORA – what we know so far etc.

Whilst I’m sure we’re as guilty at doing that as the next business, and I’ll just say sorry, not sorry. What would be great if someone took a punt on something which might help us in preparing for it this far out.

There’s a considerable amount of text to read it is fair to say, and if you read it, you’ll agree none of those draft Regulatory Technical Standards (RTS) or Implementing Technical Standards (ITS) we’ve studied have a definitive must have requirement making the headlines.

Whilst what I’m about to tell you is open to interpretation, I think it’s the closest thing, so far, which might be digestible enough to make anyone’s life easier. And that thing is Data Classification.

Throughout those RTS and ITS documents there are multiple references to applying controls, albeit not defined controls, based on “approved data classification” or considering requirements appropriate to the “data classification and ICT risk assessment results”.

Short of saying you must have a Data Classification solution; the legislation is likely to mean we must have a way of classifying or at the very least understanding the data. This is nothing new, ISO and other legislations or frameworks make similar references to applying security based on the classification of the information in question.

When it comes to Data Classification solutions, interpretation once again intervenes. To some organisations this means and requires persistent meta data markings. To others it is delivered via policy and process. For others it involves understanding data at rest through governance platforms.

HANDD have long been singing the praises of applying classification either through process or through computational means and everything that comes with it. It is categorically undeniable that by classifying data in some capacity (a blog for another time perhaps?) is going to strengthen our data understanding, management and application of security to it.

Whilst the jury is still out on what DORA mandates you do or adopt, I’d consider talking about classifying data at board level within the coming months as a step in the right direction.

HANDD will be continually releasing content as the DORA deadline approaches; working with partners and consulting the great and the good to ensure that our customers can plan well in advance.

If you would like to discuss how HANDD can help your organisation with Data Classification or a wider data protection project please contact us.


Need more support on DORA?

You may be interested in reading our previous blog, DORA don’t panic!