Blog
December 3, 2024

DORA and Cloud Computing: How to Achieve DORA Compliance in the Cloud

Financial institutions must ensure their cloud providers comply with DORA to avoid significant risks. Learn how to manage third-party risk, implement robust security measures, and maintain continuous compliance monitoring.

Key Points

  1. Financial institutions must rigorously evaluate their third-party providers, especially cloud services, for compliance with DORA’s operational resilience standards.
  2. Organisations must integrate robust security measures for their cloud environments, including encryption, access controls, and resilience testing.
  3. To maintain DORA compliance, financial institutions should implement ongoing compliance monitoring systems.
  4. Metomic helps financial organisations stay compliant with DORA by providing real-time data monitoring and automated data classification.

A crucial aspect of achieving DORA compliance is effectively managing ICT third-party risk, as set out in Article 28. Financial entities remain fully responsible for their DORA obligations even when they rely on ICT third-party providers, including cloud service providers, so those providers must be selected, contracted and monitored in a way that lets the institution meet its own requirements. A provider failure, or a contract that lacks the provisions DORA requires, directly jeopardises the institution's regulatory standing and operational integrity.

With nearly all organisations (98%) now leveraging cloud services, it’s vital that financial institutions verify their third-party cloud providers adhere to DORA standards. Failure to do so can expose organisations to significant risks, including data breaches and substantial financial penalties.

This article outlines the essential steps financial institutions must take to ensure compliance with DORA when working with third-party cloud providers. 

What is DORA? 

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is an EU regulation for the financial sector that applies from 17 January 2025. Its aim is to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions, so that critical services keep running even during a cyberattack or a major system outage.

DORA requires financial entities to adopt, and be able to demonstrate, a comprehensive ICT risk management framework, covering technology, cybersecurity, incident handling and reporting, resilience testing, and the management of ICT third-party service providers.

How does DORA impact cloud environments?

Organisations subject to DORA must ensure that their cloud environments are secure, and Article 28 sets out how the relationship with third-party providers has to be managed. Cloud follows a shared-responsibility model: the provider secures the underlying infrastructure, but the institution remains responsible for how it configures, operates and monitors what it deploys on that infrastructure, and for the contractual arrangements that govern the service. DORA's requirements for these relationships are strict, precisely because weaknesses on either side can expose sensitive data and disrupt critical functions.

Here’s how DORA impacts cloud environments:

1. Third-party risk 

Financial institutions need to conduct due diligence on any cloud provider they work with before contracting, and to reassess it throughout the relationship. In particular, organisations must assess the provider's security posture and its ability to withstand and recover from operational disruptions, so that they can be confident the risks are mitigated. Due diligence should also cover ICT concentration risk (Article 29): dependence on a single provider, or on a chain of sub-outsourcers, for critical or important functions is itself a risk that has to be assessed and documented.

2. Service Level Agreements (SLAs) 

An SLA on its own does not make a cloud provider "DORA compliant"; the obligations sit with the financial entity, and Article 30 prescribes what the contract itself must contain. That includes a full description of the service and its service levels, the locations where data is processed, the provider's obligation to assist during ICT incidents, the institution's access and audit rights, and termination and exit rights; for critical or important functions it also covers participation in the institution's resilience testing. The SLA should then quantify the items the institution will be measured on, such as availability, recovery time and point objectives, and the deadline by which the provider notifies the institution of an incident, so that a provider-side outage can be mapped onto the institution's own reporting clock. Cloud providers should also regularly test the resilience of their infrastructure and share the results with their customers.

3. Incident reporting 

Financial institutions must integrate their cloud provider's incident handling with their own ICT risk management and business continuity processes to ensure continuous service delivery. DORA requires financial entities to classify ICT-related incidents and to report those classified as major to their competent authority in staged reports with tight deadlines. The clock runs against the institution, not the provider: if a cloud service disruption affects the institution's operations, the institution must classify the incident and report it, which is only possible if the contract obliges the provider to notify promptly and to share enough technical detail, on impact, root cause and remediation, to populate those reports.

4. Testing and Monitoring Cloud Systems

Another key aspect of DORA is the need for regular testing and continuous monitoring of the financial institution's ICT systems, including those hosted in the cloud (Articles 24 to 27). Financial institutions must test their cloud workloads to assess their resilience against potential disruptions, such as cyberattacks or system failures, through vulnerability assessments, penetration testing, scenario-based testing and stress testing. Two caveats apply in the cloud: testing must stay within the institution's own tenant and the provider's rules of engagement, since the provider's shared infrastructure is not the institution's to attack; and where the institution is required to carry out threat-led penetration testing (Article 26, at least every three years for the entities identified by their competent authority), the ICT third-party providers supporting the functions in scope are expected to participate, which needs to be agreed contractually in advance.

5. Impact on Cloud Providers’ Business Continuity Plans

Cloud providers will also need to adapt to DORA. Providers that the European Supervisory Authorities designate as critical ICT third-party service providers (Article 31) fall under a direct oversight framework and must demonstrate that their business continuity and recovery arrangements meet DORA's expectations. All other providers are bound only indirectly, through the contractual provisions their financial-sector customers must impose, so in practice they must be able to show measures to avoid, mitigate and recover from significant disruptions, including natural disasters, cyberattacks and other systemic risks, and to support their customers' audits, assessments and resilience testing.

What are the risks?

Any organisation working with a third-party cloud provider faces significant risks, because it has only limited control over, and visibility into, the underlying environment on which its services depend.

For instance, if that cloud provider is affected by an outage or data breach, the organisation will also be affected, potentially losing sensitive data or suffering operational downtime. If the financial institution can’t access or process critical data, they could suffer reputational damage, as well as contributing to industry disruption. 

Another risk to consider is the impact of non-compliance with DORA, such as financial penalties or regulatory investigations. It is the financial institution's responsibility to ensure the cloud provider can support DORA's cybersecurity, continuity and incident response requirements, and the institution remains accountable to its regulator if the provider falls short; outsourcing the service does not outsource the obligation.

Ultimately, DORA is in place to protect sensitive customer data, as well as ensuring stability in the financial market. If a third-party cloud provider faces a cyberattack, this can put the financial organisation working with them in reputational jeopardy. This could lead to customer attrition and a damaged reputation in the market.

What do organisations need to do to ensure cloud security and be DORA compliant? 

Ensuring DORA compliance is vital for financial institutions operating in the EU, and there are a number of critical steps they need to take to meet regulatory requirements, including:  

1. Managing third-party risk 

Financial institutions must ensure that their cloud providers are resilient and can support DORA's cybersecurity and operational resilience requirements. They can do this through comprehensive due diligence that assesses the security and resilience of the provider, and by negotiating contracts that contain the provisions Article 30 requires: clear service descriptions and service levels, data-processing locations, incident assistance and notification duties, access and audit rights, and termination rights.

Regular audits, or review of independent assurance reports, help confirm that providers are maintaining the agreed standards. Article 28 also requires the institution to keep a register of information on all its contractual arrangements with ICT third-party providers, and to have a documented exit strategy for any provider supporting critical or important functions, so that the service can be migrated or brought in-house if the provider fails, is found to be non-compliant, or the relationship has to be terminated.

2. Operational resilience testing 

Financial institutions should regularly conduct resilience testing of their systems and infrastructure, including cloud environments. This ensures the organisation can quickly recover from disruptions such as cyberattacks or service outages. 

Stress testing and scenario-based testing evaluate the durability of cloud systems, while simulated cyber incidents can determine response times, to ensure they align with DORA requirements. 

3. Incident reporting 

DORA requires financial entities to report major ICT-related incidents to their competent authority in stages (Article 19): an initial notification, an intermediate report and a final report. The accompanying technical standards set the deadlines: the initial notification is due within four hours of classifying the incident as major, and no later than 24 hours after becoming aware of it; the intermediate report within 72 hours of the initial notification; and the final report within a month. The 72-hour figure that is often quoted is therefore the intermediate report, not the first contact with the regulator. In cloud environments, meeting these deadlines depends on effective detection and on the provider's own notification commitments.

Continuous monitoring should be implemented across cloud environments so that threats are detected and handled as quickly as possible, while a formal incident response plan defines roles, classification criteria and reporting timelines, so that everyone understands what has to happen, and by when, if the cloud environment is compromised.

4. Data security 

Ensuring data security within the cloud environment is critical. Financial institutions must protect sensitive data in line with DORA's ICT risk management requirements (Article 9 and the related technical standards), which call for policies on encryption and cryptographic controls, key management, and access control.

Encrypting data at rest and in transit protects it against unauthorised access during storage and transmission; in the cloud this means enforcing TLS on every endpoint and, for the most sensitive data, holding the encryption keys in a customer-managed key service rather than relying on provider defaults. Granular, least-privilege access control ensures that only authorised identities can reach sensitive data, and that wildcard or public grants cannot creep in, reducing the risk of data breaches or misuse.

5. Compliance monitoring 

To remain compliant with DORA, organisations must have a system in place for monitoring compliance continuously. Establish a compliance management framework that monitors cloud service providers’ activities and assesses their alignment with DORA requirements. 

It’s also a good idea to keep comprehensive documentation that can be reviewed by regulators in case of an audit. This documentation should include details about risk assessments, resilience testing, and incident reports.
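The data security and compliance monitoring points above can be turned into policy-as-code checks that run against an export of the cloud estate and produce the evidence records an auditor asks for. The following Python script is an added example for this article, not code from Metomic or from any cloud provider. It assumes a hypothetical, normalised inventory format (the field names are invented for the example) and a hypothetical contract that names three EU regions as the permitted data-processing locations; the three storage resources in it are constructed, not real.

```python
"""Added example: policy-as-code checks over a constructed cloud storage inventory.

Each resource is checked against controls derived from the requirements above
(encryption at rest, TLS in transit, no public exposure, least-privilege grants,
agreed data-processing locations). One evidence record is emitted per check so
the output can go straight into the audit documentation.
"""
from dataclasses import dataclass, asdict
from typing import Callable, Iterable
import json

# Regions the (hypothetical) contract names as permitted data-processing
# locations. Assumption for this example.
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1", "eu-north-1"}

# Constructed inventory in a normalised shape. Field names are assumptions,
# not any provider's API schema; in practice this comes from the provider's
# inventory/config API.
INVENTORY = [
    {"name": "cards-ledger", "region": "eu-central-1",
     "encryption_at_rest": "customer-managed-key", "enforce_tls": True,
     "public_access": False,
     "access_grants": [{"principal": "role:ledger-svc", "actions": ["read", "write"]}]},
    {"name": "marketing-exports", "region": "eu-west-1",
     "encryption_at_rest": None, "enforce_tls": False, "public_access": True,
     "access_grants": [{"principal": "*", "actions": ["read"]}]},
    {"name": "analytics-staging", "region": "us-east-1",
     "encryption_at_rest": "provider-managed-key", "enforce_tls": True,
     "public_access": False,
     "access_grants": [{"principal": "group:data-eng", "actions": ["*"]}]},
]


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    passed: bool
    evidence: str  # the observed value, so the record can be re-checked later


# Each control returns (passed, evidence). Control IDs are local labels,
# not DORA article numbers.
def ctl_encryption_at_rest(r: dict) -> tuple[bool, str]:
    mode = r.get("encryption_at_rest")
    return mode is not None, f"encryption_at_rest={mode!r}"


def ctl_tls_in_transit(r: dict) -> tuple[bool, str]:
    return bool(r.get("enforce_tls")), f"enforce_tls={r.get('enforce_tls')!r}"


def ctl_no_public_access(r: dict) -> tuple[bool, str]:
    # A missing flag is treated as exposed: fail closed.
    public = r.get("public_access", True)
    return not public, f"public_access={public!r}"


def ctl_least_privilege(r: dict) -> tuple[bool, str]:
    # A wildcard principal or wildcard action defeats granular access control.
    bad = [g for g in r.get("access_grants", [])
           if g.get("principal") == "*" or "*" in g.get("actions", [])]
    return not bad, f"wildcard_grants={bad!r}"


def ctl_data_location(r: dict) -> tuple[bool, str]:
    region = r.get("region")
    return region in ALLOWED_REGIONS, f"region={region!r}"


CONTROLS: dict[str, Callable[[dict], tuple[bool, str]]] = {
    "DS-1 encryption at rest": ctl_encryption_at_rest,
    "DS-2 TLS enforced in transit": ctl_tls_in_transit,
    "DS-3 no public access": ctl_no_public_access,
    "AC-1 no wildcard grants": ctl_least_privilege,
    "TP-1 data in agreed regions": ctl_data_location,
}


def evaluate(inventory: Iterable[dict]) -> list[Finding]:
    """Run every control on every resource without short-circuiting, so the
    evidence set is complete even when one resource fails several checks."""
    return [Finding(r["name"], cid, *check(r))
            for r in inventory for cid, check in CONTROLS.items()]


def failing_resources(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each non-compliant resource to the controls it fails."""
    out: dict[str, list[str]] = {}
    for f in findings:
        if not f.passed:
            out.setdefault(f.resource, []).append(f.control)
    return out


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for name, controls in failing_resources(results).items():
        print(f"{name}: FAIL {controls}")
    # Machine-readable evidence of the failures for the audit file.
    print(json.dumps([asdict(f) for f in results if not f.passed], indent=2))
```

Run on the constructed inventory, `cards-ledger` passes every control, `marketing-exports` fails encryption, TLS, public access and the wildcard-principal check, and `analytics-staging` fails the wildcard-action and data-location checks. The design choice worth copying is that every check records the observed value rather than just a verdict, and that the checks never short-circuit: an audit trail that says "failed" without the evidence, or that stops at the first failure, is of little use when the regulator asks what the estate looked like on a given date.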

6. Human firewall 

Cybersecurity and operational resilience in the cloud aren't just about technology; they also require well-trained staff. DORA makes this explicit: Article 13 requires financial entities to run ICT security awareness programmes and digital operational resilience training as compulsory modules for staff, with the management body itself expected to keep its knowledge of ICT risk up to date.

Financial institutions should conduct regular training sessions on cybersecurity best practices and DORA-specific compliance for employees responsible for managing cloud environments, as well as raising awareness about risks associated with third-party cloud providers, so employees are better equipped to mitigate potential security threats.

How can Metomic help organisations become DORA compliant?

Metomic can help organisations become DORA compliant in several ways:

  1. Real-time data monitoring: Metomic provides real-time data visibility across cloud environments, helping organisations identify potential vulnerabilities and quickly address these issues before they affect business operations or result in compliance violations.
  2. Automated data classification: Metomic's platform enables automated data classification, helping businesses identify and protect critical assets in line with DORA’s data protection mandates.
  3. Risk Monitoring: Metomic provides risk monitoring and proactive alerts related to data security, helping organisations stay ahead of potential threats and aligning with DORA's incident response protocols.
  4. Granular access control: Metomic offers granular access control features, allowing organisations to restrict and manage access based on roles and permissions, which helps minimise unauthorised exposure and enhances overall operational resilience.
  5. Enhanced compliance reporting: For compliance audits and reporting purposes, Metomic provides comprehensive compliance reporting features that streamline the process of demonstrating DORA compliance. 

To discover how Metomic could help your financial organisation comply with DORA, download our guide or get in touch with one of our data security experts. 