In 2020, the European Commission published a proposal for a Regulation on Digital Operational Resilience for the Financial Sector, intended to improve the cyber risk situation in EU countries. The final form of the Regulation on Digital Operational Resilience for the Financial Sector (the Digital Operational Resilience Act, DORA) is expected to be adopted in 2022. For cloud services used by financial institutions, the regulation introduces several interesting innovations. Let’s take a look at them.
What is “digital operational resilience”?
The DORA proposal is part of the Digital Finance legislative package, which aims to promote competitiveness and innovation in digital financial services. In the proposal, digital operational resilience refers to the ability of a financial institution to build, ensure and review its operational integrity from a technological perspective.
The regulation therefore focuses on:
- risk management of Information and Communication Technology (ICT)
- testing the digital operational resilience of financial institutions
- reporting serious ICT incidents to the authorities
- sharing information related to cyber threats and vulnerabilities
The ECUC has already commented quite favourably on the draft regulation on its website.
ICT risk management for financial institutions under DORA
What’s in store for you as a financial institution? DORA starts with the requirement to have internal governance and control frameworks in place to manage all ICT risks effectively and prudently. In practice, this means first putting the following in place:
First, adopt a digital operational resilience strategy that sets out how ICT risks are addressed and how the set objectives are met. These objectives include, for example, information security, staying within the chosen ICT risk tolerance level, and mechanisms for detecting and protecting against ICT incidents.
Second, test your digital operational resilience and have a communication strategy in place for ICT incidents.
Third, define your approach to the ICT third-party providers you use, and keep track of key dependencies.
If any of these is missing, you cannot manage your ICT risks well enough to ensure a quick and appropriate response at all times.
DORA also regulates and harmonises the system for reporting ICT incidents and assessing their impact.
Most importantly, however, DORA introduces a classification of ICT third-party service providers. Why is this significant?
Not only banks but also their key suppliers will be under scrutiny
It seems that companies belonging to the Amazon or Microsoft group will soon come under the direct supervision of European supervisory authorities (such as the EBA).
The draft regulation imposes obligations not only on financial institutions but also on their major ICT providers – i.e. providers of software, data analytics, data centres and cloud service providers (but not internet connectivity or hardware providers).
European supervisors will determine which ICT service providers are critical for financial institutions. Depending on which sector the provider’s customers predominantly belong to, each critical provider will also be assigned a lead supervisory authority: the EBA, ESMA or EIOPA.
EBA, ESMA or EIOPA? The criterion for designating the lead supervisory authority is the total value of the assets of the financial entities using the critical provider. If the financial entities supervised by one Authority hold more than half of the total assets of all financial entities using that critical provider, that Authority becomes the lead supervisor. (In most places the draft regulation refers to a critical provider as a “critical third-party ICT service provider”.)
Article 28(9) of the draft DORA goes further and prohibits financial institutions from using certain ICT service providers altogether: those established in a third country (i.e. outside the EU) which would be designated as critical providers (in the words of the draft Regulation, as a “critical third-party ICT service provider”) if they were established in the EU.
How do you know if a supplier is a critical ICT service provider?
A supplier is a critical provider if it appears on the list published by the Joint Committee of the European Supervisory Authorities. Whether it makes the list depends on several factors:
- Systemic impact of the provider on the stability, continuity and quality of financial services in the event of a sudden problem
- Systemic importance of financial institutions using the supplier’s services
- Concentration – i.e. the degree of reliance on one and the same provider to provide important functions of a financial institution
- Degree of substitutability of a specific provider
Let’s look at these factors in a little more detail:
For systemic impact and systemic relevance, the following will be important:
- Number of financial institutions, or number of global systemically important institutions or other systemically important institutions relying on the supplier
- The interdependence of these systemically important institutions and other financial entities
In the case of concentration, what matters is whether the services of one supplier are used to support critical or important functions of the financial entities. It does not matter whether the supplier is involved directly or indirectly as a subcontractor.
The substitutability criterion means that the Joint Committee will consider factors such as:
- Lack of viable alternatives to a given provider in a particular market
- The technical complexity or sophistication of the services provided or the specific characteristics of the critical supplier as an organisation (or its activities)
- Difficult migration of data and work tasks when switching to another supplier (due to high financial costs, increased operational risks or e.g. time consumption)
Finally, the number of EU Member States in which the supplier provides its ICT services, as well as the number of Member States in which the financial institutions using those services are located, will also play a role.
Under DORA, the lead supervisor will focus on risks to financial institutions
The role of the lead supervisor will be to assess whether your financial institution’s critical ICT service providers have adequately addressed the ICT risks they may pose to you. The assessment covers a defined set of areas.
Specifically, according to Article 30 of DORA, these areas are:
- Security, availability, continuity, scalability and quality of service
- Ability to continuously maintain high standards for security, confidentiality and data integrity
- Physical security of premises, facilities and data centres
- Risk management strategies, business continuity plans and recovery plans
- Clear division of responsibilities in risk management in the organisational structure
- Reliable incident reporting to financial institutions
- Reliable handling of incidents (especially cyber attacks)
- Ensuring that the financial institution can effectively terminate the contract (i.e. data portability and application portability and interoperability)
- Systems testing, ICT audits as well as compliance with relevant national and international standards
What will the oversight body want from the critical supplier?
The supervisory authority will draw up an individual oversight plan for each critical provider and communicate it to the provider.
It will also be able to request information and documentation, carry out investigations and on-site inspections, issue recommendations (e.g. on security measures or contractual conditions) and restrict the use of subcontractors (e.g. where the ICT subcontractor is established in a third country).
On top of that, the supervisory authority will charge the provider fees to cover the costs of supervision.
Interesting fact: The maximum penalty under DORA is lower than under GDPR
DORA also empowers the supervisory authority to impose a penalty on a critical ICT service provider. It may do so if the provider:
- fails to provide the requested information and documentation
- does not allow investigations or inspections
- fails to submit a remediation report following a recommendation from the supervisory authority
The authority will be able to impose a periodic penalty payment on a daily basis for up to six months. The daily rate is 1% of the critical provider’s average daily worldwide turnover in the preceding business year. Over six months (roughly 180 days at 1% of one day’s turnover each) the total can therefore reach a maximum of about 0.5% of the provider’s worldwide annual turnover.
By comparison, a breach of GDPR obligations can result in a penalty of up to 4% of the offending organisation’s worldwide annual turnover. The maximum penalty under DORA is thus roughly 8 times lower.
The above comparison concerns fines set as a percentage of turnover; the GDPR additionally allows a fixed amount to be imposed where that is higher. To avoid being fined, read the Cloud Encyclopedia to find out what standard contractual clauses are good for or how to transfer personal data to non-EU countries.
We continue to monitor the evolution of technology and its regulation
We are all used to the fact that regulation sometimes makes it difficult to put new technologies into practice. It can be hard to decide exactly when to start regulating a new technology. It must not be too soon, lest regulation stifle the technology, but it must not be too late either, lest the technology cause a lot of damage in the meantime. A great deal has been written about this in recent years.
That is why we at ORBIT are curious to see how the legal environment for ICT service providers, cybersecurity and risk management will evolve. We will therefore continue to monitor developments regarding the regulation of cloud services and let you know about important changes.
Legal obligations and requirements form an important part of the compliance study that we at ORBIT prepare for our financial institution clients. We help them implement local and international projects focused on their cloud journey or on the implementation of cloud solutions.
We are happy to help your organisation with a compliance study.
This is a machine translation. Please excuse any possible errors.