Dora technical standards shoot for break in the clouds

One goal of the EU’s latest ICT risk act is to mitigate cloud concentration. Some experts say it may make it worse.

Credit: lucia otero

The capital markets’ march to cloud has produced an uneasy reliance on Big Tech. With so many banks and marketplaces relying on so few cloud providers, potential failings and hackings could impact millions of customers’ personal and financial data stored at dozens of firms around the world. That scenario, arising from cloud concentration risk, is not lost on the European Supervisory Authorities, who delivered the first batch of technical standards under the Digital Operational Resilience Act (Dora) in January.

A hefty piece of legislation, Dora mandates cyber risk frameworks, incident response, system testing, and information sharing, but its fifth pillar has proved to be the most controversial and powerful: risk management of so-called critical third parties.

“The cloud service providers,” says one operational specialist, “are the number one target.” 

The EU, like regulators across the world, is paying close attention to the risks posed by cloud concentration, or the number of financial institutions relying on a tiny group of providers—Microsoft Azure, Google Cloud, and Amazon Web Services—for cloud services. But the same dynamics that make cloud concentration threatening also make it difficult to mitigate: the largest providers have the most resources, and therefore the best chance to keep up with the regulations, while smaller competitors may drown in them. Despite welcoming regulatory scrutiny on the cloud service providers (CSPs), some worry Dora will exacerbate, rather than fix, the threat of cloud concentration.

“A bank does not deliver a service on its own,” says Beate Zwijnenberg, global chief information security officer at ING. “We depend on our cloud providers, for example.” She commends Dora for broadening the scope of risk mitigation to the whole supply chain, but she, like many others, has concerns. 

Unintended consequences

Unlike other critical third parties—a designation regulators are assigning to vendors for whom a cyber attack or failure would spark a massive, industry-wide crisis—CSPs are “pan-sector,” says Nick Wilcock, managing principal at Delta Capita. If Dora’s requirements become too costly or onerous, some of the more insurgent cloud providers, such as Oracle or IBM, might exit the financial industry altogether, knowing they can rely on their business with airlines, social media, grocery stores, and others to fill in the profit gaps.

A third party like Refinitiv, on the other hand, would have a hard time selling market data to American Airlines. (Microsoft Azure boasts of both as cloud clients.)

“The cost and effort to adhere to the requirements may be a reason for some third parties to leave the market servicing financial institutions,” says ING’s Zwijnenberg, who believes Dora has the potential to increase, rather than mitigate, concentration risk for this reason.

Regardless of what the regulators do to address cloud concentration, Gabriele Columbro, executive director of the Fintech Open Source Foundation (Finos), says there is also a commercial dynamic at play. Nimble providers who can adapt quickly will retain more customers and secure more market share. Finos itself heads up the Common Cloud Controls, a project started last year by Citi that aims to establish a framework for cybersecurity and resilience and, by standardizing protocols between cloud providers, allow users to switch more freely between platforms.


As Marcus Corry, director of technology and operations at the Association for Financial Markets in Europe (Afme), notes, the providers that will be more adept at adapting to Dora’s requirements will likely be the Big Tech companies with the resources to do so. 

“One might ask whether that is not slightly counterintuitive to the original goal of trying to open the market and mitigate concentration,” Corry says.

Of course, there is also a benefit to working with a well-resourced third party. AWS’s head of financial services, public policy, and regulatory affairs in Europe, the Middle East and Africa, Maria Tsani, says AWS is already working on implementing the European Supervisory Authorities’ technical guidelines. 

“We have internal teams dedicated to implementation, and I can tell you, from our top leadership, they are very much aware, involved, and supportive of these efforts,” Tsani says.

Enforcement challenge

Some in the financial industry worry that the more concentrated the market is, the more leverage cloud providers have during contract negotiations. Indeed, a report published in 2023 by the US Department of the Treasury corroborated this concern, saying that smaller financial institutions in particular could receive disadvantageous terms for cloud services.

Although the Dora text has hinted at the assignment of a designated European financial authority to monitor the CSPs, much of the current text around third parties requires the financial institutions to audit and monitor contracted providers themselves.

“There is almost, as the proposal stands, a suggestion that financial entities should act as a quasi-supervisor themselves,” Afme’s Corry says. “It is not the purpose of a private sector entity to act as the regulatory enforcer.”

For critical third parties, the requirements also ask that financial institutions monitor the relationships their third parties have with the vendors’ own subcontracted third parties.

Since banks cannot easily switch their cloud provider overnight, both the commercial and technical realities of concentration risk have raised concerns about how financial institutions will implement Dora, particularly if compliance depends on renegotiating contracts with CSPs.

Indeed, an objective of the Common Cloud Project is to make it easier for financial entities to switch cloud providers by standardizing the security protocols across each cloud provider. Columbro says this is becoming increasingly important as banks look to adopt multi-cloud strategies—though those, too, come with their own risks, such as cost and security.

Expiring contracts and looming deadlines

The regulation, which will take effect in 2025, asks financial institutions to rework every contract they have with a third party. A typical bank may have upwards of 10,000 such contracts with companies that deliver coffee, outsource ATMs, provide data, provide software, and, of course, provide cloud services. And this is not an exhaustive list.

Many of the contractual changes firms may see are not so much new practices but the formalization of protocols that historically may have been done on an informal basis, Delta Capita’s Wilcock says. Such changes include the bank’s right to audit their third parties, or their ability to receive results from resiliency testing within an agreed-upon timeframe.

Tsani says that at present, AWS provides financial services-specific addenda, such as the user’s right to audit, to its contracts. “As Dora develops and is implemented, we will update those to reflect the new framework so that customers can continue to use our services,” she says.

When it comes to smaller providers, though, some are worried that, with only a year to remediate thousands of third-party contracts, those that are not renegotiated in time will have to be terminated to reach compliance, adding a layer of operational risk.

“A lot of the European banks have the same challenge as we have,” ING’s Zwijnenberg says. “If the RTS batch two is only officially available in June, a bank only has a few months to implement the final policy. That is too short a timeframe.”

Afme has been forceful in its statement that the termination of contracts should only be as a measure of last resort and that the deadline for compliance is too soon. Many technology services beyond cloud computing that banks rely on for daily business—such as market data and order management systems—are very difficult, if not impossible, to replace with in-house solutions.

“The idea that the entire supply chain of third-party providers and subcontractors can be completely remediated by January 2025 without the risk of operational disruption is just not feasible,” Corry says. He adds that the contract issue is causing a “huge amount of concern” among industry participants.

For cloud providers and financial institutions, Dora is a first step toward what many think will be increased regulatory scrutiny on the relationship between Big Tech and finance.

As the consequences of concentration risk and attempts to address it take shape, the chummy relationship between financial entities and cloud providers may be tested, Wilcock says.

Both industries agree the legislation marks a step in the right direction, but questions remain over how requirements will be enforced and whether regulators will grant flexibility on the January 2025 deadline for compliance.

After all, AWS’s Tsani says that in 2023, the company’s engagement with financial customers intensified. 

“2024, I think, will see that trend continue,” she says, adding that AWS receives requests for meetings nearly every day to discuss Dora.
