Navigating the Digital Operational Resilience Act
Regulations often get a bad rap. You may have heard the old idiom “cut the red tape” which means to circumvent obstacles like regulations or bureaucracy. But in many – if not most )– cases the underlying need for regulations outweighs the burden of compliance. In the financial sector, regulations are essential for financial institutions to maintain stability by preventing excessive risk-taking, ensuring adequate capitalization and reducing the likelihood of failures or financial crises. Regulations require the implementation of robust risk management practices, prevention of financial crimes and promotion of competition. Moreover, they help maintain confidence in the financial system, encouraging consumers, enterprises and investors to trust institutions with their money.
With that said, consider the impact digital technology has made on the industry with the adoption of hybrid and multi-cloud strategies. While these enablers have streamlined operations, inspired innovation and accelerated cost optimization, governing bodies would be negligent if they didn’t address the cyber-risk associated with digital, internet-based, and third-party technology solution providers that present a broadened threat landscape.
In Europe, the EU is taking key steps to bring uniformity and an increased focus on risk mitigation within the financial sector. The introduction of the Digital Operational Resilience Act (DORA) will affect both the institutions (financial entities) and technology service providers, like Cloudera, that serve the financial sector across member states.
What is DORA?
DORA is a regulation by the European Commission, made effective in January of 2023, with compliance required by January 2025. As the financial sector is increasingly dependent on information and communication technology (ICT) and ICT service providers (ICTSPs) – as defined by the act – to deliver financial services, DORA is intended to enhance the operational resilience of the EU’s financial sector against cyber threats and incidents. DORA focuses on ensuring the continuous functioning of digital services provided by financial entities (FEs), such as banks, investment firms, and market infrastructures.
Here are some of the key objectives and requirements of DORA:
- Addresses ICT risk management comprehensively in the financial sector and harmonizes rules across the EU
- Requires FEs to identify, assess and manage ICT risks, establish policies to safeguard systems and data, and develop business continuity plans
- Mandates incident reporting, resilience testing, and third-party risk management for FEs
- Establishes an oversight framework for critical ICTSPs like cloud platforms and data analytics services
- Allows FEs to exchange cyber threat information with arrangements that comply with GDPR and other data laws
The consequences of non-compliance can be severe as FEs may face administrative fines up to 10 million euros or 5% of their total annual turnover, whichever is higher, for serious infringements.
The consequences reach critical ICTSPs as well. “Critical” ICTSPs are those whose disruption or failure could have a significant impact on society, the economy, or national security. These ICTSPs may face fines of up to 1% of average daily worldwide turnover.
The Impact on Data Platform ICTSPs
Data platform ICTSPs, such as Cloudera, may fall under DORA’s scope and if so, will need to adhere to strict data security standards, implement robust encryption and access controls, and demonstrate operational resilience in the face of cyber threats.
Here are the key ways DORA may affect data platforms:
- Critical ICTSPs will be subject to a new oversight framework and directly supervised by EU authorities such as EBA, ESMA, and EIOPA
- There are requirements for sound monitoring of ICT third-party risks and the inclusion of necessary details in contracts with FEs
- Non-EU companies that qualify as FEs or ICTSPs to FEs may be impacted by extraterritorial enforcement
- Contracts between FEs and ICTSPs must include specific details on monitoring and compliance with DORA rules
- ICTSPs will need to provide evidence to FE clients on their ICT risk management practices and resilience
- ICTSPs must have mechanisms to report major ICT-related incidents to their FE clients.
- There is an allowance for threat information sharing between FEs and ICTSPs, if done in compliance with GDPR
- ICTSPs may need to enhance incident response and share cyber threat intelligence with FE clients
- Resilience testing of ICT systems and tools is required
- ICTSPs could be subject to audits and on-site inspections by EU supervisory authorities
- Non-EU companies providing critical ICT services to FEs in the EU may fall under DORA’s scope
- Data platforms headquartered outside the EU but serving EU FEs will need to comply with DORA
How Cloudera Helps FEs Comply with DORA Requirements
Cloudera helps FEs comply with the EU’s Digital Operational Resilience Act (DORA) in several key ways.
Security and Governance
Cloudera provides a Shared Data Experience (SDX) that delivers consistent data security, governance, and control across the entire data lifecycle and across all environments – public cloud, private cloud and on-premises. With SDX, FEs can set data access controls and policies once, and they are automatically enforced across data and analytics in hybrid and multi-cloud deployments, even as data and workloads move between them. This helps FEs meet DORA’s requirements around sound ICT risk management practices and safeguarding of systems and data
Portability
Cloudera’s container architecture enables flexibility to move data and applications between different environments – public cloud, private cloud and on-premises. This portability helps address DORA’s concerns around cloud vendor lock-in and enables operational resilience for FEs. FEs can also move workloads as needed while maintaining consistent security and compliance
Comprehensive Data Lifecycle Management
Cloudera enables FEs to manage the end-to-end data lifecycle by integrating streaming, analytics, and machine learning on a single platform. This helps develop critical applications to address current and future needs, supporting DORA’s ICT risk management objectives.
Open Source and Interoperability
Cloudera’s platform is based on open source which accelerates innovation and eases concerns about vendor lock-in, a key DORA concern. It enables interoperability with a broad range of analytic and business applications that FEs rely on.
Hybrid and Multi-Cloud Deployment Options
Cloudera can be deployed on any public cloud, private cloud or on-premises, providing FEs the flexibility and control to manage data in adherence with DORA rules. The hybrid, multi-cloud capabilities enable FEs to maintain strict enterprise data security and governance across all their ICT environments.
As FE’s move toward DORA compliance, Cloudera provides a unified, secure and portable hybrid data platform that can help FEs meet several key requirements of the EU’s DORA regulation around ICT risk management, data security, governance, resilience and multi-cloud flexibility. Cloudera’s core capabilities align well with DORA’s objectives to enhance the digital operational resilience of the financial sector.
For more on how Cloudera helps FEs, click here.