DORA impact on public cloud: What you need to know

The Digital Operational Resilience Act (DORA) represents a significant milestone in the EU’s regulatory landscape, aimed squarely at improving the digital operational resilience of the financial sector by enhancing financial institutions’ (FIs) information communication technology (ICT) and third-party risk management frameworks. FIs need to comply with the DORA regulations by January 17, 2025; less than 9 months away.

DORA aims to address the risks associated with an industry that has largely become digital throughout the whole sector, and increasingly has a reliance, and a deepening dependency on third-party infrastructure and service providers, e.g., the cloud service providers (CSPs).

It also introduces new regulatory requirements on these ICT service providers, and direct supervision for those that are designated as a “critical third-party provider” (CTPP).

On April 18, the European Supervisory Authorities (ESAs) published their latest consultation on draft Regulatory Technical Standard (RTS) focused on the conduct of supervision in the daily oversight activities of the CTPPs. Stakeholders had until 18 May 2024 to submit their comments and expect all the CSPs to continue their engagement and collaboration with the ESAs, as they work towards a finalization of DORA requirements.

Google Cloud’s blog on February, 7 2024 outlines the steps they’re taking to help their customers with DORA readiness. This includes updated contract terms, addressing the key contractual provisions in Article 30, commitment to align with incident reporting requirements (including time frames), and participation in Threat-Led Penetration Testing (TLPT) by facilitating pooled testing by an external tester. Google Cloud advocates pooled testing as the most effective way to test while managing inherent risks to other customers in a multi-tenant environment. Amazon Web Services (AWS) agrees. Their response on key topics for the second consultation of RTS in March 2024 also outlined a preference for the use of pooled testing for TLPT as a means to minimize risk and enhance IT resource efficiency. AWS also proposed an extension to the timeline for initial major ICT-related incident reporting from four to twenty-four hours to align with other major cybersecurity regulations, such as the NIS Directive. And finally, this article from Microsoft provides guidance on the approach they have taken to strengthen operational resilience and manage concentration risk, incorporating multiple existing and upcoming regulations including DORA.

DORA marks a new era of digital consistency – but it also presents challenges.

A key area for FIs and the management of ICT third-party risk, is the aspect of concentration risk that requires the identification and thorough assessment of supply chain dependencies, extending to all subcontractors until the last, in the ICT service supply chain. A register of information in relation to this and all contractual arrangements on the use of ICT services provided by third-party service providers must be updated, maintained and available to the competent authority upon request.

From a cloud adoption perspective, the implications could be significant. FIs will be required to have well-defined exit strategies in place and adopt a multi-cloud approach to mitigate risks associated with reliance on a single cloud provider. FIs will also need to ensure their cloud workloads are portable and not constrained by proprietary cloud services. This is potentially at odds with many cloud strategies which rely on the fast time-to-market and reduced management overheads these services often offer.

FIs in pursuit of compliance will likely favor cloud providers that can demonstrate a robust track record in resilience, security, and collaboration, as well as those that embrace open standards which offer greater portability. In preparing for DORA, FIs and cloud providers alike must position themselves for compliance and establish themselves in a market where operational resilience becomes a key differentiator.

In conclusion, DORA will change the dynamics between FIs and public cloud providers.

Although most of DORA is not new per say, its heightened regulatory requirements present challenges that demand a proactive response. Yet, within these challenges firms can find opportunities for adaptation, innovation, and growth, built on a foundation of resilience and operational efficiency.

FIs and ICT service providers that embrace this shift, viewing DORA as a catalyst for strengthening their operational efficiency, will be able to handle these changes with confidence and take steps towards a strategic advantage over their peers.

Synechron cloud and regulatory change and compliance practice experts continue to support clients with their preparations for DORA ahead of the January 17, 2025 compliance date.