AWS for Industries
AWS responds to European Supervisory Authorities’ Consultation on Technical Standards under the Digital Operational Resilience Act (DORA)
If you have been following the regulatory agenda related to operational resilience, outsourcing and cloud in financial services, you know the EU is now entering the second phase of its policy-making process. With the Regulation on Digital Operational Resilience (the Digital Operational Resilience Act, or DORA) published in the Official Journal back in December 2022, the focus has shifted to the implementing legislation, often referred to as “Level 2”.
DORA mandates the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), collectively known as the European Supervisory Authorities (ESAs), to draft “Level 2” measures in the form of Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs). These standards will implement DORA requirements at the practical level.
On 8 September, AWS submitted our response to the ESAs’ consultation on the first batch of four draft RTSs and a draft ITS. The ESAs plan to publish the responses to their public consultation, including ours, in the coming weeks. These technical standards aim to ensure a consistent and harmonized legal framework for ICT risk management, major ICT-related incident reporting, and ICT third-party risk management. AWS welcomes the overall approach taken by the ESAs to harmonize requirements across the financial sector, as well as to deliver a proportionate and technology-neutral approach.
The majority of requirements in the consultation apply directly to financial entities. AWS is focused on ensuring the regulatory framework for DORA is both effective and efficient, and we will continue to support our financial services customers as they look to implement the relevant requirements.
Though the requirements are still subject to change, broadly speaking, they will directly impact the governance, policies, procedures, and protocols of financial entities across the whole European financial sector (banking, insurance, and capital markets). The adoption of technology, including cloud, is characterized by an evolution in the financial entities’ risk profile, for example, during a migration from on-premises to digitally-native operations. In the context of DORA, financial entities will be required to identify the on-premises, migration, and digitally-native (end state) risks, and the controls associated with each of them. Further, to update the current risk framework, financial institutions will need to explain the changes in their risk profile over time.
As part of this process, financial entity risk and security functions and controls will likely need to evolve to align to the new technological environment. Financial entities using traditional risk-and-security management practices will likely be required to adapt to a new operating model as technology creates new ways of working. In this context, we believe financial entities will benefit from active collaboration between business units and ICT risk and security functions.
In our consultation response we have identified two main areas for consideration:
1. Maintain technological neutrality, while accommodating different ICT business models
Physical security is a top priority for AWS. The proposed requirements concerning physical and environmental security in the RTS, which suggest that financial entities will be required to have “measures to protect the premises, data centers of the financial entity and sensitive designated areas identified by the financial entity where ICT assets and information assets reside,” do not consider that in relation to cloud computing services, the ICT third-party service provider is responsible for protecting the infrastructure that runs all of its services.
AWS has stringent physical and environmental security controls, which serve our global customer base, including customers in industries outside of financial services. It is our view that cloud service providers’ security can be evaluated by financial entities through third-party European and internationally recognized certifications or pooled audits, in order to use audit resources more efficiently while also minimizing security risks. Regarding specific certifications, we have proposed that the ESAs refer to internationally recognized certifications, which would include Germany’s C5, ISO 27001, ISO 27017, ISO 22301, NIST SP 800-53 (FedRAMP and DoD), SOC 2 Common Criteria and SOC 1 and 2 controls, among others.
2. Future proof DORA by ensuring the reporting framework is effective while not over-burdening financial entities
While we support the ESAs’ focus on identifying and reporting “major incidents”, our view is that the ESAs’ proposals could be further improved so that financial entities don’t over-report. Under the current proposals, financial entities will be required to report costs and losses incurred from a major incident if the economic impact exceeds, or is likely to exceed, EUR 100 000. This threshold may be either too low in the context of a large financial entity, or too high for a small fintech. Considering risk-based definitions would give regulators access to the most important information and avoid ‘reporting fatigue’, allowing financial entities, as well as regulators, to focus on incident management.
In addition, regarding the classification of “significant cyber-threats,” AWS supports the ESAs’ proposed approach of requiring that all three criteria under proposed Article 17(1) of the incident reporting RTS be met for a cyber threat to be classified as “significant,”[1] and that the probability of a threat must be high in order to meet the criterion under proposed Article 17(1)(b). However, our view is that the current drafting sets low thresholds for “significant threats,” which would be met by most threats, significant or otherwise. In light of the overlap with requirements under NIS2,[2] we believe revising the proposed Article 17(1) of the draft RTS would avoid over-reporting and ensure NIS2 and DORA remain aligned. This would better enable financial entities and ICT third-party providers to focus on cyber threats relevant to the NCAs’ and ESAs’ overall objective of enhancing the resilience of firms and the financial system.
AWS remains committed to working with the regulatory community to provide practical input for the implementation of DORA and we look forward to contributing to the next set of RTSs and the implementation of DORA.
We will also continue supporting our customers as they implement the changes needed to comply with requirements ahead of the January 2025 commencement date. We have a team of dedicated compliance experts that can help with this. Please reach out to your account team if you would like to discuss DORA in detail and how we can help you.
[1] (a) the cyber threat could affect critical or important functions of the financial entity, other financial entities, third-party providers, clients or financial counterparts; (b) the cyber threat has a high probability of materialization at the financial entity or other financial entities; and (c) the cyber threat could fulfil the conditions set out in Article 8 if it materializes.
[2] Specifically, under the second paragraph of Article 23(11) and Article 23(3) of NIS2.