The Digital Operational Resilience Act (DORA) is an EU regulation designed to ensure that financial institutions and their technology providers can recover quickly from cyberattacks, data breaches, or other digital disruptions. While it’s aimed at banks, insurers, and financial firms in the EU, its ripple effects may indirectly impact businesses across various sectors, including those in the legal cannabis and hemp industry.

For many Cannabis Trades Association (CTA) members—especially those with online payment systems, customer portals, or apps—this is an opportunity to get ahead of potential challenges and protect both your business and your customers.

What Is DORA?

DORA establishes rules to make financial institutions more resilient to digital risks. These include managing ICT (Information and Communication Technology) risks, reporting incidents, testing digital systems, and monitoring third-party providers.

Although your business might not be directly regulated under DORA, if you use third-party services like card payment providers or external platforms for customer portals, you may need to comply with new requirements passed down from these partners.

How Might This Affect CTA Members?

Your payment providers could be affected. Many CTA members use card payment providers or online gateways for transactions. If these providers operate in the EU, they are likely required to comply with DORA, which could mean changes to how they work with your business. This might include more stringent security measures, additional monitoring, or updated contractual obligations.

For members offering customer portals or apps, aligning with the core principles of DORA can safeguard your operations. Secure systems—such as encrypted data handling and strong login processes—are not just regulatory requirements for some sectors; they’re also critical for maintaining customer trust. Regular testing of these systems can also help you identify vulnerabilities before they become issues.

Third-party risk management is another area to consider. If your business relies on external ICT providers for essential operations like logistics, data storage, or payment processing, their compliance with DORA might impact your services. It’s worth understanding how they handle digital resilience.

Why Should You Care?

Even if your business isn’t directly regulated under DORA, the potential consequences of non-compliance through third parties can still affect you. Disruptions to services could arise if a critical ICT partner fails to meet their compliance obligations, leading to operational downtime for your business. Customers are also becoming more aware of data security issues, and being able to demonstrate that you prioritise digital safety and resilience will help maintain their trust.

What Should CTA Members Do?

The first step is to review your providers. Check the terms of your contracts with payment providers, ICT platforms, and logistics partners. Do they operate in the EU? Are they affected by DORA? If so, ask how they’re handling compliance and whether this might result in changes for you.

Strengthen your own ICT resilience. Even if DORA doesn’t directly apply, adopting its principles can help your business thrive in a digital-first world. Use secure data handling methods, introduce strong authentication processes for customer accounts, and regularly test your systems to uncover and fix any weaknesses. Have a clear plan in place for dealing with potential digital disruptions, so your business is prepared for unexpected events.

Lastly, stay informed about regulatory trends. The UK is no longer part of the EU, but similar regulations might emerge here in the future. By staying proactive, you can ensure that your business is always ahead of the curve.

Final Thoughts

For most CTA members, DORA compliance won’t bring immediate changes, but the principles it promotes—like strong ICT systems and careful management of third-party risks—are becoming standard practice across industries. Whether you’re working with payment providers, running a customer portal, or relying on third-party platforms, taking steps to improve your ICT security now will build trust, protect your business, and ensure stability in an increasingly digital world.

Published - 1st December 2024

The Hemp Trades Association UK Ltd t/a Cannabis Trades Association is a not-for-profit company limited by guarantee registered in England and Wales under company number 10472540 41 Wincolmlee, Hull, Yorkshire, HU2 8AG, United Kingdom.
Log in | Powered by White Fuse