Financial-service companies and the tech giants that supply them must show how quickly they can recover from a cyber attack under new operational resilience obligations passed by the EU.
The Council of Ministers has approved the Digital Operational Resilience Act (DORA), comprising a regulation and a directive, which aims to prevent and mitigate cyber threats. Under the legislation, financial institutions must ensure they have robust mechanisms in place for reporting major technology security incidents, for business continuity and for disaster recovery.
DORA also introduces direct regulation of the major technology firms that supply financial institutions, under a framework that gives European supervisory authorities the power to designate specific third-party service providers for regulation and then oversee their compliance.
The move follows increasing fears among regulators about the speed and scale at which insurers and banks are shifting crucial functions and operations to cloud platforms managed by Amazon, Microsoft, Google and IBM.
“Financial firms already have plans for IT security but more was needed so they stay resilient through a severe disruption,” said Zbynek Stanjura, finance minister for the Czech Republic, which holds the EU presidency. “If a large-scale attack on the European financial sector is launched, we will be prepared for it.”
Observers commented that DORA’s impact will be felt beyond the EU. “Even though DORA will not apply directly in the UK, UK companies with business in Europe will be subject to its requirements,” said Pinsent Masons partner Yvonne Dunn, who specialises in technology contracts for financial services. “Even for UK businesses that will be outside the scope of DORA, the legislation offers an insight into how UK policy and regulation around operational resilience is likely to develop.”
Ms Dunn pointed to rules set last March by the Prudential Regulation Authority, the Financial Conduct Authority and the Bank of England, which showed that UK regulators want firms to shift away from considering the resilience of individual systems and operational resources and towards “the continuity of the services that they provide to their external end users, customers or participants.”