What AWS customers need to know about DORA and the UK financial regulators’ approach to outsourcing: the plan to optimize resiliency and innovation for the financial services sector
The emerging regulatory landscape in Europe and the UK
The European Commission’s proposal for a Digital Operational Resilience Act (DORA) will introduce new regulatory requirements that will affect how financial services institutions in the EU work with cloud providers and other third parties. In parallel, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have recently published new policies that set out requirements for regulated entities in relation to outsourcing and operational resilience. In the following blog I describe what DORA and the new UK policies are, and how AWS is working with policy-makers and financial regulators to optimize the emerging regulatory framework for our financial services customers.
The European Commission is determined to boost Europe’s competitiveness and innovation in financial services, and to be a global standard-setter through its Digital Finance Package. This new approach aims to provide consumers with more choice in financial services, while ensuring greater security, protections, and resiliency across the financial services industry.
The Commission is encouraging digital innovation across the sector and many financial organizations are responding by using cloud technology to transform how they do business. One aspect of the Commission’s drive for digital innovation in financial services is The Digital Operational Resilience Act (DORA).
In the UK, following a period of consultation with industry and technology providers, the BoE, PRA and FCA published their new policy approach to operational resilience and outsourcing. While there are substantive differences between the UK and EU approaches, both aim to ensure that the systems and controls of financial entities deliver enhanced operational resilience, in order to contribute to the stability of the financial system.
What is DORA?
DORA is the proposal for a pan-European framework on operational and cyber-resilience. The Act outlines improvements in information and communications technology (ICT) and security risk-management requirements, a harmonization regime for ICT incident reporting, development of a digital operational resilience testing framework, and an oversight framework for critical ICT third-party providers.
The European Parliament and Council are currently negotiating amendments to the Commission’s proposal. The final legislation is not expected before the end of 2021, with implementation in 2023 at the earliest.
Complying with DORA – and maximizing related opportunities
It’s exciting to watch the financial services industry continue to transform and innovate on AWS in unique ways, across all geographies and use cases. As regulations continue to evolve, we’re committed to helping customers respond to new rules and guidelines. In many cases, AWS services can make it easier for our customers to comply with different regulations and frameworks around the world.
DORA is a significant development and our customers can rely on us to help them transition to the new regulatory framework. Above all, we want to ensure that DORA fully supports the ongoing digital transformation efforts of the European financial services sector.
We believe DORA can contribute to the digitalization of the EU financial sector by:
- Accelerating innovation through implementing technologies under a secure and harmonized pan-European framework
- Enhancing European financial firms’ global competitiveness through accessing the same technologies as global competitors
- Ensuring the EU framework is future-proofed against emerging innovative developments by including all relevant third-party providers in scope
- Focusing on introducing the highest resilience and security standards
We are actively advocating to maximize the opportunities from DORA for our customers and indeed are already providing support in many of the areas addressed in DORA:
- Incident response: Security is the highest priority at AWS. AWS customers benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations. The AWS Cloud has a shared responsibility model whereby AWS manages the security of the cloud while customers are responsible for security in the cloud. This means that customers retain control of the security they choose to implement, with access to hundreds of tools and services to help meet their security objectives. The AWS Security Incident Response whitepaper discusses the fundamentals of responding to security incidents within an organization’s cloud environment.
- Governance and monitoring: While customers are ultimately responsible for establishing a governance framework and monitoring their own environments, AWS provides many tools to help customers efficiently achieve compliance with applicable regulatory requirements, including the current Guidelines issued by the European Supervisory Authorities (ESAs). For example, AWS Config allows customers to continuously monitor and record their AWS resource configurations, and automatically evaluate the recorded configurations against the desired configurations. Amazon CloudWatch allows customers to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in their AWS resources. Customers can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. AWS provides up-to-the-minute information on the health of AWS services on its publicly available Service Health Dashboard.
- Operational resilience: Continuity of service, especially for critical economic functions, is a key prerequisite for financial stability. AWS recognizes that financial institutions need to comply with sector-specific regulatory obligations and requirements regarding operational resilience. AWS has published a whitepaper on Amazon Web Services’ Approach to Operational Resilience in the Financial Sector and Beyond in which we discuss how AWS and customers build for resiliency on the AWS cloud.
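The governance and monitoring bullet above describes AWS Config evaluating recorded resource configurations against a desired state. The following is an added example, not code from this post or from AWS: the evaluation logic of a custom AWS Config rule, written as the Lambda handler such a rule would invoke, that flags an EC2 security group whose ingress is reachable from the whole internet on any port other than an allow-listed set. The event shape (`invokingEvent`, `ruleParameters`, `resultToken`) and the security-group configuration item fields (`ipPermissions`, `ipv4Ranges`, `cidrIp`) are assumed to follow AWS Config’s custom-rule contract; the `allowedPublicPorts` rule parameter and the sample event are constructed for this example. The call that reports the result back to AWS Config is shown only as a comment so the code runs offline.

```python
import json

# Assumption: CIDRs that mean "reachable from anywhere" in a Config security-group item.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
# Constructed default for the hypothetical allowedPublicPorts rule parameter (HTTPS only).
DEFAULT_ALLOWED_PUBLIC_PORTS = {443}


def _port_range(permission):
    """Return the (low, high) port span of one ipPermissions entry; -1 means all protocols/ports."""
    if permission.get("ipProtocol", "-1") == "-1":
        return 0, 65535
    return permission.get("fromPort", 0), permission.get("toPort", 65535)


def _world_reachable(permission):
    """True when any IPv4 or IPv6 range on the permission is the whole internet."""
    cidrs = [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return any(c in OPEN_CIDRS for c in cidrs)


def evaluate_security_group(config_item, allowed_ports=DEFAULT_ALLOWED_PUBLIC_PORTS):
    """Return (compliance_type, annotation) for one AWS::EC2::SecurityGroup configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted"

    violations = []
    for perm in config_item.get("configuration", {}).get("ipPermissions", []):
        if not _world_reachable(perm):
            continue
        lo, hi = _port_range(perm)
        # Any port in the world-reachable span that is not allow-listed is a finding.
        if any(p not in allowed_ports for p in range(lo, hi + 1)):
            violations.append(f"{perm.get('ipProtocol')} {lo}-{hi} open to the world")

    if violations:
        # Config annotations are limited to 256 characters.
        return "NON_COMPLIANT", "; ".join(violations)[:256]
    return "COMPLIANT", "No world-reachable ingress outside allowed ports"


def lambda_handler(event, context=None):
    """Entry point a custom Config rule would invoke on each configuration change."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPublicPorts", "443").split(",")}

    compliance, note = evaluate_security_group(item, allowed)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # Inside Lambda the result is reported with
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    # which is omitted here so the example runs without AWS credentials.
    return evaluation


def make_sample_event(ip_permissions):
    """Build a constructed Config rule event for a security group with the given ingress rules."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::SecurityGroup",
                "resourceId": "sg-0constructed0000001",          # constructed id
                "configurationItemStatus": "OK",
                "configurationItemCaptureTime": "2021-04-01T10:00:00.000Z",
                "configuration": {"groupName": "web-tier", "ipPermissions": ip_permissions},
            },
        }),
        "ruleParameters": json.dumps({"allowedPublicPorts": "443"}),
        "resultToken": "constructed-token",
    }


# Constructed input: HTTPS open to the world (allowed) plus SSH open to the world (finding).
SAMPLE_EVENT = make_sample_event([
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
])

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The rule is deliberately narrow: it only reasons about ingress that is reachable from any address, so a group that exposes SSH to a corporate range is not flagged, which keeps the finding rate low enough for the result to be reviewed rather than ignored.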
The UK’s approach to operational resilience and outsourcing
On March 29th the UK regulators published their final policy statements, supervisory statements, Final Rules and a Joint Statement on operational resilience. The policy and supervisory statements take a principles- and outcomes-based approach, and regulators expect in-scope firms to implement the requirements by the end of March 2022. The PRA also released a Policy Statement and Supervisory Statement on outsourcing and third-party risk management, and commented that it considers them “broadly equivalent” to the EBA’s Guidelines on outsourcing and that they “take into account” the EIOPA Guidelines on Outsourcing to Cloud Service Providers.
Seeking the best outcomes for the financial services industry
AWS will continue to engage with policy-makers and financial regulators globally, to ensure our customers can innovate, remain competitive and grow. We will enable business models under both DORA and the UK policy approach that deliver agility, risk mitigation, seamless interactions and personalization. AWS will also support customers as they look for new ways to experiment and develop new products and services on the cloud that will fully comply with the emerging regulatory framework.
Both DORA and the UK policy are a significant step-change for the industry and for our financial services customers, and we will continue to support innovation, resilience and security in the industry under both regulatory frameworks. As DORA and the UK policy develop and are implemented, we’ll update this blog with the latest details and discuss how we will continue to help our customers remain compliant.
If you have any questions about compliance with DORA and/or the UK policy framework, and how they apply to your use of AWS, please reach out to your account representative or request to be contacted. We have a team of policy, regulatory and technology experts with a financial services background ready to support you.