View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
September 25, 2020updated 08 Oct 2020 5:10pm

Europe Sharpens IT Incident Reporting Requirements, Puts Cloud SLAs Under Microscope

A "single EU Hub for major ICT-related incident reporting by financial entities", anyone?

By CBR Staff Writer

A sprawling Digital Finance Package, adopted by the European Commission this week, includes proposals for a new Europe-wide Digital Operational Resilience Act (DORA) — that would see regulators tighten up financial services sector IT incident reporting in a bid to reduce cybersecurity and operational risks; including via a standardised approach to monitoring, logging, and classifying “ICT-related” incidents, EU-wide.

The Commission is even, it admits, considering establishing a “single EU Hub for major ICT-related incident reporting by financial entities”, and has requested a feasibility report on deploying this. It is also set to mandate threat-led penetration testing on every three years that, crucially, “shall be performed on live production systems.”

The Commission also has cloud services providers firmly in the spotlight: “Despite some efforts to tackle the specific area of outsourcing… the issue of systemic risk which may be triggered by the financial sector’s exposure to a limited number of critical ICT third-party service providers is barely addressed in Union legislation,” the DORA package notes, in a nod to the FS sector’s growing use of cloud hyperscaler SaaS and IaaS.

Cloud Service Providers Face “Continuous Monitoring”

Saying risk is compounded by a lack of “tools allowing national supervisors to acquire a good understanding of ICT third-party dependencies and adequately monitor risks arising from concentration of such ICT third-party dependencies” the EC claims the need for an “oversight framework allowing for a continuous monitoring of the activities of ICT third-party service providers that are critical providers to financial entities.”

The regulation also includes stringent rules “designed to ensure a sound monitoring of ICT third-party risk”, along with “full service level descriptions accompanied by quantitative and qualitative performance targets, relevant provisions on accessibility, availability, integrity, security and protection of personal data, and guarantees for access, recover and return in the case of failures of the ICT third-party service.”

It comes six months after Europe’s systemic risk watchdog warned that a single cyber incident could escalate from operational disruption into a major liquidity crisis.

Only “Union Harmonised Rules” Will Work 

“For matters such as ICT-related incident reporting, only Union harmonised
rules could reduce the level of administrative burdens and financial costs associated with the reporting of the same ICT-related incident to different Union and national authorities,” the Commission claimed on Thursday September 24, pointing to “uncoordinated national initiatives” that it claims have led to “overlaps, inconsistencies, duplicative requirements, and high administrative and compliance costs.”

Content from our partners
How to turn the evidence hackers leave behind against them
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer

Financial entities will be required to “set-up and maintain resilient ICT systems and tools that minimize the impact of ICT risk, to identify on a continuous basis all sources of ICT risk, to set-up protection and prevention measures, promptly detect anomalous activities, put in place dedicated and comprehensive business continuity policies and disaster and recovery plans as an integral part of the operational business continuity policy.” While most no doubt already feel they are doing this, “DORA” will mandate  harmonised demonstrability/reporting across Europe’s member states.

Digital Operational Resilience Act: Who’s Affected?

Who’s set to be affected? The list is expansive.

The EC cites “credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers” in the Digital Finance Package.

“No Union financial services legislation has until now focussed on operational resilience and none has comprehensively tackled risks emerging from digitalisation, not even those whose rules address more generally the operational risk dimension with ICT risk as a subcomponent,” the 102-page DORA proposal [pdf] claimed this week.

(Graciously, the regulation “allows” financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence.”)

Yet while the proposals sound sweeping, under closer inspection many proposals are less ferocious than some had feared. DORA allows financial entities to “determine recovery time objectives in a flexible manner” for example and the Act is designed, in part, to reduce the reporting burden on multi-nationals working with disparate requirements from member state supervisory authorities.

True to European form, the current Regulation foresees an “enhanced role” for European regulators “by means of powers granted upon them”.

Just how ferocious supervision will be remains unclear. The Act proposes just six new staff each for the European Banking Authority (EBA), the  European Securities and Markets Authority (ESMA) and EIOPA (European Insurance and Occupational Pensions Authority) and additional budget of €30 million for the period 2022 – 2027.

See also: Financial Services IT Failures – Regulators Must Have Sharper Teeth


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.