Adapting to DORA Requirements
Digital Operational Resilience Act instigating regulatory shake-ups
The clock is ticking toward the 17 January 2025 application deadline of the Digital Operational Resilience Act (DORA) in the EU. DORA is set to bring about major structural changes in the capital markets space, as it seeks to strengthen the IT security and operational resilience of financial firms and critical third parties under one unified framework.
By nature, DORA is a progressive regulation, with changes and amendments being added as the application deadline draws closer. As such, firms subject to DORA must maintain an agile and nimble approach to the evolving guidelines in order to ensure compliance. At the same time, the requirements of DORA are set to co-exist with existing financial legislation in the EU, raising concerns that overlapping regulatory guidance could cause confusion and add complexity to compliance in an area where financial firms will already have to grapple with new and unfamiliar DORA standards.
One such example concerns the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), which announced last week that they are actively reviewing how their own existing cloud outsourcing guidance sits alongside the DORA requirements. Compared with more traditional forms of IT outsourcing, cloud services tend to be more specific, standardised and provided to clients in a highly automated manner at large scale. ESMA and EIOPA have applied cloud outsourcing guidelines to EU financial firms since 31 July 2021 and 1 January 2021 respectively. At the same time, DORA mandates rigorous third-party risk management, which includes the management of cloud service providers.
Following the reviews by ESMA and EIOPA, it is likely that some of their guidelines will be amended or withdrawn to ensure clear coherence with the new rules under DORA.
Moreover, following the actions of ESMA and EIOPA, and given the prevalence of vulnerabilities in EU banks’ IT outsourcing strategies, the European Central Bank (ECB) has also stated that producing its own cloud outsourcing guidance has become “necessary” after previously refraining from doing so. Banks are increasingly using cloud computing services offered by third-party service providers. These services are generally cheaper, more flexible and more secure, but dependency on third parties can also expose banks to risk, through IT security weaknesses and possible business disruptions. For example, if a bank cannot easily substitute an outsourced service during a failure, its functions may be interrupted. In addition, the market for cloud services is highly concentrated, with many banks relying on just a few service providers located in non-European countries. As such, the ECB has initiated a public consultation on its new cloud outsourcing guide.
The ECB’s intervention in this space creates a risk of further overlap, confusion and potentially contradictory guidelines that banks and their service providers will need to navigate. This could arguably take DORA further away from its objective of harmonising the digital operational resilience landscape, as a patchwork of different rules and guidelines may evolve.
European Supervisory Authorities such as ESMA and EIOPA have extensive responsibilities under DORA, which include developing the draft regulatory technical standards on operational resilience and cyber risk that financial firms will have to comply with in order to operate in the EU. Given how these intertwine with the existing frameworks outlined above, in-scope firms may have their work cut out when it comes to achieving compliance on several fronts.
Generally, when managing cloud service providers and seeking compliance across the DORA, ESMA and EIOPA requirements, in-scope financial firms can:
Ensure Cloud Provider Compliance: Conduct thorough due diligence on all third-party cloud providers to verify that their security practices align with regulatory standards, and establish strict contractual agreements that bind them to those standards. In-scope companies must continuously monitor the security posture of cloud providers and implement appropriate information security measures.
Map out Cloud Providers: Understand where cloud providers sit within your IT landscape, including their connectivity, data pathways and potential attack vectors. Identify their criticality to the company, their business impact and what types of data they have access to.
Build a strategy for dealing with third-party vulnerabilities: Develop an actionable risk containment strategy so you can mitigate vendor risk and remediate the vulnerabilities vendors introduce.
Governance and Oversight: Firms should establish a cloud outsourcing oversight function or designate a member of senior staff who will be directly accountable to the management body and responsible for the management and oversight of risks associated with cloud outsourcing arrangements.
Stay Informed: Put in place the right systems to keep up to date with legislative updates and changes.
For more information on DORA, check out our ‘Cracking the DORA code’ report here.