With Digital Operational Resilience Act, Europe Eyes Harmonised IT Rules

A “single EU Hub for major ICT-related incident reporting by financial entities”, anyone?

A sprawling Digital Finance Package, adopted by the European Commission this week, includes proposals for a new Europe-wide Digital Operational Resilience Act (DORA) — that would see regulators tighten up financial services sector IT incident reporting in a bid to reduce cybersecurity and operational risks; including via a standardised approach to monitoring, logging, and classifying “ICT-related” incidents, EU-wide.

The Commission is even, it admits, considering establishing a “single EU Hub for major ICT-related incident reporting by financial entities”, and has requested a feasibility report on deploying this. It is also set to mandate threat-led penetration testing on every three years that, crucially, “shall be performed on live production systems.”

The Commission also has cloud services providers firmly in the spotlight: “Despite some efforts to tackle the specific area of outsourcing… the issue of systemic risk which may be triggered by the financial sector’s exposure to a limited number of critical ICT third-party service providers is barely addressed in Union legislation,” the DORA package notes, in a nod to the FS sector’s growing use of cloud hyperscaler SaaS and IaaS.

Cloud Service Providers Face “Continuous Monitoring”

Saying risk is compounded by a lack of “tools allowing national supervisors to acquire a good understanding of ICT third-party dependencies and adequately monitor risks arising from concentration of such ICT third-party dependencies” the EC claims the need for an “oversight framework allowing for a continuous monitoring of the activities of ICT third-party service providers that are critical providers to financial entities.”

The regulation also includes stringent rules “designed to ensure a sound monitoring of ICT third-party risk”, along with “full service level descriptions accompanied by quantitative and qualitative performance targets, relevant provisions on accessibility, availability, integrity, security and protection of personal data, and guarantees for access, recover and return in the case of failures of the ICT third-party service.”

It comes six months after Europe’s systemic risk watchdog warned that a single cyber incident could escalate from operational disruption into a major liquidity crisis.

Only “Union Harmonised Rules” Will Work 

“For matters such as ICT-related incident reporting, only Union harmonised
rules could reduce the level of administrative burdens and financial costs associated with the reporting of the same ICT-related incident to different Union and national authorities,” the Commission claimed on Thursday September 24, pointing to “uncoordinated national initiatives” that it claims have led to “overlaps, inconsistencies, duplicative requirements, and high administrative and compliance costs.”

Financial entities will be required to “set-up and maintain resilient ICT systems and tools that minimize the impact of ICT risk, to identify on a continuous basis all sources of ICT risk, to set-up protection and prevention measures, promptly detect anomalous activities, put in place dedicated and comprehensive business continuity policies and disaster and recovery plans as an integral part of the operational business continuity policy.” While most no doubt already feel they are doing this, “DORA” will mandate  harmonised demonstrability/reporting across Europe’s member states.

Digital Operational Resilience Act: Who’s Affected?

Who’s set to be affected? The list is expansive.

The EC cites “credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers” in the Digital Finance Package.

“No Union financial services legislation has until now focussed on operational resilience and none has comprehensively tackled risks emerging from digitalisation, not even those whose rules address more generally the operational risk dimension with ICT risk as a subcomponent,” the 102-page DORA proposal [pdf] claimed this week.

(Graciously, the regulation “allows” financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence.”)

Yet while the proposals sound sweeping, under closer inspection many proposals are less ferocious than some had feared. DORA allows financial entities to “determine recovery time objectives in a flexible manner” for example and the Act is designed, in part, to reduce the reporting burden on multi-nationals working with disparate requirements from member state supervisory authorities.

True to European form, the current Regulation foresees an “enhanced role” for European regulators “by means of powers granted upon them”.

Just how ferocious supervision will be remains unclear. The Act proposes just six new staff each for the European Banking Authority (EBA), the  European Securities and Markets Authority (ESMA) and EIOPA (European Insurance and Occupational Pensions Authority) and additional budget of €30 million for the period 2022 – 2027.

See also: Financial Services IT Failures – Regulators Must Have Sharper Teeth