
AWS Releases User Guide for the Digital Operational Resilience Act (DORA)

Amazon recently released the AWS User Guide to the Digital Operational Resilience Act (DORA). The document details how AWS services support financial entities in complying with DORA's requirements for operational resilience, including ICT risk management, incident reporting, testing, and third-party risk management.

Released over a year after AWS submitted a response to the consultation on the second batch of DORA technical standards, the new guide offers a series of considerations for financial entities (FEs) seeking to meet the regulatory expectations set by DORA. It explains how FEs can use AWS services and documentation to help demonstrate their compliance with DORA requirements.

As the financial sector becomes increasingly dependent on technology and a few cloud companies to deliver financial services, DORA introduces new regulatory requirements to achieve a high common level of digital operational resilience. It entered into force on January 16, 2023, and will require compliance by January 17, 2025.

Stephen Martin, head of security and compliance for financial services industries at AWS, Akshay Dalal, EMEA regulatory risk and compliance at AWS, and Eduardo Vilela, head FSI reg. enablement EMEA at AWS, explain:

This guide describes the roles that AWS and its customers play in managing operational resilience in and on AWS, describes the AWS Shared Responsibility Model, compliance frameworks, AWS services, and features, and measures that customers use to evaluate their compliance with sample DORA requirements when adopting AWS.

The new European regulation covers ICT risk management requirements, reporting major ICT-related incidents and cyber threats, digital operational resilience testing, and information sharing on cyber threats and vulnerabilities. It includes measures for managing ICT third-party risk across 20 different types of financial entities and ICT third-party service providers, including major cloud providers. Maria E. Tsani, head of financial services public policy EMEA at AWS, previously wrote:

Our lack of visibility into data uploaded into a customer’s AWS account is a fundamental part of the governance model that operates in a cloud environment (the AWS Shared Responsibility Model).

While the regulation does not set any restrictions on the adoption and use of cloud services, Martin, Dalal, and Vilela add:

The regulation promotes a principles-based approach to ICT risk management, giving FEs the flexibility to use different management models as long as they address key functions such as identification, protection, detection, response, recovery, and communications.

One of the debated topics is the reliance on a single cloud provider. András Gerlits, founder at omniledger.io, comments:

Confusingly, DORA says you are legally allowed to use your exclusive cloud provider, but disallows this technically. It does this by expecting banks to have a monitoring, a mitigation and a recovery strategy in place in case of a disruption event. So sure, use your AWS/Azure/GCP for everything, but you must also be able to shift immediately with no data loss.

AWS is not the only cloud provider to have recently outlined its steps towards DORA compliance. Google has simplified the process with Google Cloud's updated contracts, and Microsoft has explained how to strengthen operational resilience and reduce concentration risk in financial services. IBM and Oracle OCI also provide dedicated resources.
