As this year’s end and 2022 come racing around, we find ourselves closer to a possible implementation of DORA day by day. This is, of course, the Digital Operational Resilience Act for Financial Services, a regulation which MEP Billy Kelleher (Ireland, Renew Europe), speaking at a recent AFME hosted conference, says he expects to be voted on by the EU’s Committee on Economic and Monetary Affairs in early December 2021, with an agreed outcome expected in early 2022.
During AFME’s 3rd Annual European Capital Markets Technology and Innovation conference held late September, we were treated to a variety of opinions, hopes, and fears in the panel session “Fostering a More Innovative and Digitally Resilient EU Financial Sector with DORA.”
The Time Is Now
Kelleher, a speaker on AFME’s panel and rapporteur for the DORA regulation, stated the case for why DORA is needed now. Arguing that we are “already deep inside the digital space and operating with the associated risks,” he said that there could be malicious state actors interested in disrupting European financial operations, pointing to the disruption of the Colonial Pipeline in May 2021 as an example. With governments beginning to see cyberspace as more than just a risk to financial institutions, and with the EU’s reputation as a place to do business potentially on the line, there is a clear need for such regulation.
DORA at a Glance
Proposed in 2020 as a part of a larger digital finance package of measures to “make Europe fit for the digital age,” DORA’s stated aim is to support innovation and competition in digital finance, while mitigating the associated risks.
Another panellist, Nicola Yiannoulis of the European Banking Authority’s (EBA) Digital Finance Team, told the audience that DORA builds on existing information and communication technology risk management requirements previously developed by other EU institutions, tying together several recent initiatives into one regulation. This includes the EBA’s guidelines on:
DORA will apply to a wide range of firms within the financial services ecosystem, including credit/payment institutions, investment firms, depositories, ratings agencies, and benchmark administrators, and, importantly, will now bring critical third-party ICT providers under the supervisory scope of European supervisory authorities.
DORA’s Key Requirements
- ICT risk management rules across sectors
- Incident reporting frameworks
- Rules around resilience testing
- Inclusion of third-party providers (cloud service providers included), which requires firms to have a strategy for third-party risks
DORA holds harmonisation and resilience in prominence throughout the proposal’s language and prescriptions, but what might that look like in practice?
Panellist Matthew Field, head of cyber and tech policy and partnerships EMEA, JPMorgan Chase, sees the potential for increasing resiliency of the digital sector within finance and a corresponding increase in the value gained from processes such as cyberthreat notification. Field noted that other regulators are also proposing regulations around cyberthreats, and hoped that DORA might add value beyond the reporting of significant incidents. He told the audience that this could be an opportunity to “change focus from the collection of information to its redistribution as intelligence,” that is, the sharing of indicators such as IP addresses or signs of malware.
Panellist Lorelien Hoet, government affairs director EU at Microsoft, stated that “cloud is now very well represented within the Financial Sector” but that there remain questions around security. She said that DORA stands to “help customers in getting the answers they seek,” thereby increasing trust.
While the potential payoffs of a regulation such as DORA are attractive, the journey is not without its dangers. “This regulation will not be adopted in a vacuum,” said Hoet, adding that one of her worst fears would be the adoption of two or more parallel regulations with clashing technical specifications, for example in an area like encryption, leaving multijurisdictional entities unable to comply with all the rules they are subject to.
This was echoed by Field, who agreed that a lack of consistency would be a challenge for managing systems. This could end up complicating rather than simplifying matters and, ironically, harming resilience should we unintentionally arrive at a higher level of technical fragmentation.
Hoet said that several EU national member states were in the process of reviewing or adopting regulation on resilience and that it was not yet clear within DORA’s wording whether this new regulation has precedence over potentially diverging regulations. Coordination will be crucial within the EU, but ongoing dialogue will also be needed with bodies in other regions.
Key to Success?
With so much to gain, and the potential for further complications, the panellists collectively discussed concepts central to achieving the sought-after resilience and harmony.
Field pointed to future-proofing of the regulation as an important consideration, through avoidance of technical prescription and retention of decision power at the firm level. He also outlined that this project is very sensitive to public trust. This was in line with Kelleher’s concerns that the EU’s business reputation is on the line.
On this theme, Field also explored the idea of information control; in other words, looking to avoid the creation of information sources that might act as a road map for a malicious actor. This challenge is especially relevant when we consider that reassurance of resilience between participants is a goal of DORA.
Another recurrent theme discussed by the panel was that of proportionality, with Hoet asking whether it would be relevant to notify regulators of all risks, highlighting that Microsoft had “blocked 6 billion threats in 2020 alone” and considering that a risk-based approach might be better than a dogmatic one.
Lastly, the panellists agreed on the need for continued intra- and interregional dialogue for successful adoption and that other bodies around the world may be looking to DORA as an example.