Whether we’re reviewing our account balances, transferring money, applying for payment cards, or simply paying our bills, banking has become more digital, and requires financial firms to adapt to this new world of transacting business.
This adaptation has seen EU-based financial firms adopt and rely more heavily on cloud services. While financial entities such as banks and investment firms are staying digitally relevant by migrating their banking functions to the cloud, the scale and speed at which they are making this migration troubles regulators.
The EU Council is concerned that, in light of financial firms’ rapid growth and digitization, it will become increasingly difficult to address payment-related security vulnerabilities and the cyberattacks that follow. That’s where the Digital Operational Resilience Act – or DORA – comes in. The act intends to modernize the financial sector’s Information and Communication Technology (ICT) risk requirements in order to arm financial firms with the standards necessary to stand up to bad actors.
To that end, let’s cover how EU-based financial institutions are migrating their functions and market operations to the cloud, and how DORA can improve their cybersecurity posture.
The migration of EU financial firms
Long before EU-based financial firms began their migration to the cloud, banks in the United States and Asia had already begun embracing cloud computing. Largely unconstrained by the complicated data privacy regulations that are common in Europe, and without federal standards for online banking security, early cloud adopters relied on cloud providers whose technologies – while reliable and effective – created tech silos that made it difficult for firms to scale up their applications and migrate the majority of their workloads.
European banks have had the privilege of learning from the past mistakes of early cloud adopters. They are better able to recognize cloud providers’ technologies as services, rather than tech suites. This perspective allows EU-based financial firms to rapidly scale up their applications and pounce on attractive business opportunities. This, of course, brings us back to the worries the EU Council has surrounding the rapid adoption of cloud-based banking solutions.
Digital Operational Resilience Act
In an effort to establish laws that would compel EU-based financial firms to hold themselves to higher ICT risk requirements, the European Commission introduced the legislative proposal known as DORA. The act takes already established ICT risk management requirements as well as EU initiatives, and combines them to create a single piece of legislation.
DORA ensures that entities operating in the financial sector abide by a standardized set of rules that mitigate ICT risks. DORA comes in the wake of the Financial Conduct Authority’s (FCA) warning to UK banks that a cyber war is on the horizon. This war would, according to the Authority, specifically be an entanglement with Russia, providing bad actors with myriad opportunities to compromise digital financial services as well as blocking access to essential materials and services, such as fuel and medical care.
In acknowledgment of the fact that millions of people now access their funds via online banking services, the FCA is emphasizing the importance of stronger security measures, while US authorities also urge financial firms on the other side of the Atlantic to be vigilant of imminent cyberattacks. The FCA even created a five-step plan that aims to help financial sector participants prepare for cyber threats. The plan’s five steps cover cybersecurity, business services, business continuity, incident reporting, and false information.
What DORA means for financial organizations
At the same time as the DORA proposal was introduced, authorities across the globe have been trying to determine how to best strengthen the financial sector’s operational robustness. For organizations in the financial sector, DORA ideally means adherence to a consistent approach that spans Europe and its banking regulators, ultimately impacting the collaboration between financial institutions and the world of fintech.
Thanks to DORA, ICT enterprises would be beholden to the EU’s regulatory authority, significantly altering the way organizations in the tech industry conduct their business. Specifically, these organizations would fall under the purview of the European Supervisory Authorities and would be required to present information on an as-needed basis and consent to inspections and requests on an ad-hoc basis.
DORA is still being drafted, but financial regulators urge financial firms to begin prioritizing their operational robustness rather than waiting for the formal regulation. If officially legislated, DORA would aim to achieve several objectives, including strengthening resilience in the world of digital banking, enhancing ICT incident reporting capabilities, establishing the means with which to evaluate security resiliency measures, and investing in the exchange of threat intelligence.
The EU Council has stated that DORA has passed its last approval stage, and financial firms apparently have begun efforts to invest in their security. It will be up to the Council’s securities and banking watchdogs to draft technical rules in order for DORA to be enacted into law. DORA has already received the green light from the European Parliament, and it’s slated to come into effect by the end of 2024.
In the meantime, financial institutions and ICT service providers have ample time to get ready for DORA. These same entities should remember, however, that establishing operational resilience isn’t an option; it’s mandatory. While it’s true that DORA will primarily impact entities operating in the financial sector, DORA’s regulations focus on establishing greater cyber-resilience, and will, therefore, also impact information technology roles and companies.
Entities that are able to signal a history of having taken necessary precautions to tackle cyber threats stand to make themselves more accessible to clients who care deeply about the protection and safeguarding of their digital assets. In other words, organizations that invest early in operational resilience will likely remain competitive over organizations that don’t prioritize operational resilience.
It’s also important that countries that do not belong to the EU still remain abreast of DORA, considering Europe’s history of paving the way for data protection regulations and spearheading ways to regulate data quality and privacy. DORA is almost certain to become a regulatory model to which other parts of the world can look as they invest in their operational resilience.