Digital resilience is a concept that often needs to be revisited and redefined within an organization. The pharmaceutical industry can be slow at times to identify potential external risks and to assess their potential impact on operations. Much of the work we do here at Lachman helps regulated industry anticipate and mitigate Quality Management System risks (QRM), but the industry, in general, needs to direct more attention to emerging issues. Those who hear me speak at conferences get constant reminders about parallel legislation that can affect us all. Well, here’s one from the financial industry.
What is DORA?
The Digital Operational Resilience Act (DORA), formally known as Regulation (EU) 2022/2554, came into force on January 17, 2025, marking a significant shift in how financial entities and their Information and Communication Technology (ICT) service providers manage digital risk. While DORA primarily targets the financial sector, its implications extend to industries like pharmaceuticals, which increasingly rely on digital infrastructure and financial partnerships.
DORA establishes a harmonized framework for ICT risk management, incident reporting, resilience testing, and third-party oversight. It applies to over 22,000 entities across the EU, including banks, insurers, and ICT providers. This is well explained in an article by the European Insurance and Occupational Pensions Authority (EIOPA). The regulation aims to ensure that organizations can withstand and recover from cyber threats and operational disruptions.
Why Should Pharma Pay Attention?
Pharmaceutical companies are deeply embedded in digital ecosystems, and that dependence shows no sign of ending. From clinical trial platforms to supply chain logistics and most cloud-based SaaS solutions, pharma firms depend on ICT providers and financial services that fall under DORA’s scope. If a pharma company provides critical ICT services to a financial entity, it may be designated as a Critical Third-Party Provider (CTPP), subjecting it to direct regulatory oversight. Moreover, the industry’s increasing use of AI, blockchain, and cloud computing for regulatory data transfers, product traceability, and pharmacovigilance also increases the potential for cyber threats and data integrity issues for organizations.
What are the Parallels?
One only needs to glance at DORA to see the parallels from a risk perspective. Some examples include:
- Oversight of third parties
- AI-powered systems
- Risk management framework
- Incident reporting
- Contractual provisions for data ownership and retention
All of these items can be integrated into a company’s QMS to manage the risks of the ever-growing interdependence between financial systems and quality or GxP systems; just ask any owner of an ERP application.
What are the Benefits?
Some top-level benefits of starting an assessment against DORA include, but are not limited to:
- Increased confidence with third parties, such as SaaS providers or CDMOs
- Increased defense against cyberattacks, which often start with financial systems
- Increased data governance maturity
Conclusion
As DORA enforcement is expected to intensify, pharmaceutical companies should proactively assess their digital resilience and incorporate that assessment into existing business continuity plans. Whether directly regulated or indirectly impacted, Lachman can help you assess and mitigate your digital risks and, in turn, strengthen your data governance program. Reach out to us at LCS@LachmanConsultants.com for a consultation today.