What will DORA bring? Major cloud providers will come under the supervision of the authorities
In 2020, the European Commission published a proposal for a Regulation on Digital Operational Resilience for the Financial Sector to improve the cyber-risk situation in EU countries. The final version, the Regulation on Digital Operational Resilience for the Financial Sector (also known as the Digital Operational Resilience Act, DORA), will introduce several interesting innovations into the world of cloud services for financial institutions. Let's take a look at them.
Jan Kubicek
What is "digital operational resilience"?
The DORA proposal is part of the Digital Finance legislative package, which aims to promote competitiveness and innovation in digital financial services. Digital operational resilience is defined in the proposal as the ability of a financial institution to build, ensure and review its operational integrity from a technological point of view.
The regulation therefore focuses on:
- risk management in the field of information and communication technologies (ICT)
- digital operational resilience testing of financial institutions
- reporting of serious ICT incidents to the authorities
- information sharing related to cyber threats and vulnerabilities
The draft regulation has already been received quite favourably on the ECUC website.
ICT risk management for financial institutions under DORA
What is ahead of you as a financial institution? DORA starts by requiring you to have internal management and control frameworks in place for the effective and prudent management of all ICT risks. So, first you need to prepare the following documents:
- Strategies
- Policies
- Procedures
- Protocols
- Tools
If any of these documents is missing, you cannot manage ICT risks well enough to ensure a quick and appropriate response at all times.
First, adopt a digital resilience strategy which includes methods for addressing ICT risks and meeting the objectives set. These include, for example, information security, not exceeding the chosen risk tolerance level, establishing mechanisms for detecting and protecting against ICT incidents, etc.
Test your digital operational resilience, keep a record of all your ICT incidents and maintain a communication strategy.
You also define your approach to the ICT suppliers you use and keep track of key dependencies.
DORA also regulates and unifies the system for reporting ICT incidents and determining their impact.
Most importantly, however, DORA introduces a classification of ICT service providers. Why is this significant news?
Not only banks will be under scrutiny, but also their key suppliers
Companies belonging to the Amazon or Microsoft group will apparently come directly under the scrutiny of the European Supervisory Authorities (such as the EBA).
The draft regulation imposes obligations not only on financial institutions, but also on their major ICT providers - i.e. providers of software, data analytics, data centres and cloud service providers (but not to ISPs or hardware providers).
The European Supervisory Authorities will determine which ICT service providers are critical for financial institutions. And, depending on the predominance of the provider's customers, they will also be assigned a lead supervisory authority: the EBA, ESMA or EIOPA.
EBA, ESMA or EIOPA? The criterion for the assignment of the lead supervisor will be the total value of the assets of the financial entities. If it exceeds half of the value of the assets of all financial entities that use the services of a given critical service provider, the supervisory authority will be the authority that supervises those financial entities. (The draft Regulation uses the term "critical third party ICT service provider" for a critical service provider in most cases.)
The European institutions will establish a Joint Committee which will annually publish a current list of critical ICT service providers for financial institutions. Suppliers not on the list may apply to be included.
Paragraph 9 of Article 28 of DORA even prohibits financial institutions from using certain ICT service providers. These are providers established in a third country (i.e. outside the EU) which, if they were established in the EU, would be designated as a critical provider (or, in the words of the draft regulation, would be designated as a "critical third party provider of ICT services").
How do you know if a supplier is a critical ICT service provider?
You will know because the supplier will appear on the list published by the Joint Committee of the European Institutions. Whether it makes the list depends on several factors:
- Systemic impact on the stability, continuity and quality of financial services in the event of a sudden problem
- Systemic relevance of the financial institutions that use the supplier's services
- Concentration, i.e. the degree of dependence on one and the same provider for the provision of important functions of the financial institution
- Degree of substitutability of a specific provider
Let's look at these factors in a little more detail:
For systemic impact and systemic relevance, the following will be important:
- Number of financial institutions, or number of global systemically important institutions or other systemically important institutions relying on the supplier
- The interdependence of these systemically important institutions and other financial entities
For concentration, it will matter whether the services of one supplier are used to provide essential or critical functions of financial entities. It does not matter whether the critical supplier is involved directly or indirectly as a subcontractor.
The substitutability criterion for a critical supplier means that the committee will consider factors such as:
- Lack of viable alternatives to a given provider in a particular market
- The technical complexity or sophistication of the services provided or the specific characteristics of the critical supplier as an organisation (or its activities)
- Difficult migration of data and work tasks when switching to another supplier (due to high financial costs, increased operational risks or e.g. time consumption)
Finally, the number of EU countries in which the supplier provides its ICT services also comes into consideration, as well as the number of EU countries in which there are financial institutions using the supplier's services.
Under DORA, the lead supervisor will focus on risks to financial institutions
The role of the lead supervisory authority will be to assess how the critical ICT service providers of your financial institution manage the risks they may represent for you.
Specifically, under Article 30 of the DORA, the following areas will be covered:
- Security, availability, continuity, scalability and quality of service
- Ability to continuously maintain high standards for security, confidentiality and data integrity
- Physical security of premises, facilities and data centres
- Risk management strategies, business continuity plans and recovery plans
- Clear division of responsibilities in risk management in the organisational structure
- Reliable incident reporting to financial institutions
- Reliable handling of incidents (especially cyber attacks)
- Ensuring that the financial institution can effectively terminate the contract (i.e. data portability and portability as well as application interoperability)
- Systems testing, ICT audits as well as compliance with relevant national and international standards
What will the oversight body want from the critical supplier?
The supervisory authority shall develop an individual supervision plan for the critical provider and shall make the provider aware of it.
It will also be able to request information and documentation, carry out investigations and inspections, make recommendations (e.g. on security measures or contractual terms), and limit the use of subcontractors (e.g. if the ICT subcontractor is established in a third country).
And to make matters worse, the supervisory authority will collect fees from the provider to cover the costs of supervision.
Interesting fact: The maximum penalty under DORA is lower than under GDPR
DORA also empowers the supervisory authority to impose a sanction on a critical ICT service provider, namely if the provider:
- fails to provide information and documentation
- will not allow investigation and control
- fails to submit a remediation report following a recommendation from the supervisory authority
The authority will be able to impose fines every day for up to 6 months. The daily rate is 1 % of the average daily worldwide turnover of the given critical provider. Over the maximum period of 6 months, the penalty can thus reach approximately 0.5 % of the provider's worldwide annual turnover for the previous year.
By comparison, a breach of GDPR obligations can result in a penalty of up to 4 % of the offending organisation's annual worldwide turnover. The maximum penalty under DORA is thus roughly 8 times lower.
The above applies when comparing fines determined as a percentage of turnover. The GDPR also allows an even higher fixed amount to be imposed. To avoid a fine, read in the Cloud Encyclopedia what standard contractual clauses are good for, or how to transfer personal data to non-EU countries.
We continue to monitor the evolution of technology and its regulation
We are all used to the fact that regulation sometimes makes it difficult to put new technologies into practice. It can be difficult to decide when exactly to start regulating a new technology. It must not be too soon, lest regulation stifle the new technology. But it must not be too late either, lest the technology have already done a lot of damage in the meantime. A lot of literature has been written about this in recent years.
That is why we at ORBIT are curious to see how the legal environment for ICT service providers, cybersecurity and risk management will evolve. We will therefore continue to monitor developments regarding the regulation of cloud services and will let you know about important changes.
Legal obligations and requirements form an important part of compliance studies, which we at ORBIT process for clients from financial institutions. We help them to implement local and international projects focused on cloud journey or implementation of cloud solutions.
We will be happy to help your organisation with a compliance study.
PS: If you would like to have an enlargement made for your wall, here are the links to the images used, for the sake of clarity: header (woman in white), blue hand and wooden cubes.
EDIT 5/30/2023: I wonder if anyone knows what the RTS will do with DORA?
Regulatory Technical Standards (RTS) will soon influence the shape that the Digital Operational Resilience Regulation will take in real life. And financial institutions' nervousness is rising.
What are the most common concerns in the market? How to prepare for them when information and time are scarce? Cluelessness is definitely not an option - at least after my colleague Dana Yussupova compiled valuable advice into one article.