Primary areas for customer consideration under DORA
The Digital Operational Resilience Act (DORA) establishes a comprehensive framework for managing ICT risk with which financial entities will be required to comply, covering the identification, protection and prevention, detection, response, and recovery phases for the ICT risks in scope. Financial entities must establish an internal governance and control framework for ICT risk management and engage in ongoing monitoring of ICT risk. These ICT risk management and monitoring requirements extend to the use of ICT services provided by third-party providers.
The elements of this ICT risk management framework broadly encompass:
- Internal governance and control framework for ICT risk management: Financial entities must have an internal governance and control framework that ensures effective and prudent management of ICT risk.
- ICT risk management framework components and requirements: The ICT risk management framework must include strategies, policies, procedures, ICT protocols and tools that are necessary to protect and ensure the resilience, continuity and availability of ICT systems, information assets and data.
- ICT systems, protocols, and tools specifications: Financial entities must use and maintain updated ICT systems, protocols and tools that are appropriate, reliable, resilient, and capable of processing the data necessary for their activities and services. They must also implement ICT security policies, procedures, protocols, and tools that aim to ensure the security of networks and data and prevent ICT-related incidents.
- Identification of ICT risk sources and dependencies: Financial entities must identify, classify, and document all ICT supported business functions, information assets and ICT assets, and their roles and dependencies in relation to ICT risk. They must also identify all sources of ICT risk, cyber threats, and ICT vulnerabilities, and assess the potential impact of ICT disruptions.
- Detection of ICT-related incidents and anomalies: Financial entities must have mechanisms to promptly detect anomalous activities, ICT network performance issues and ICT-related incidents, and to identify potential single points of failure. They must also define alert thresholds and criteria to trigger and initiate ICT-related incident response processes.
- Response and recovery from ICT-related incidents: Financial entities must have a comprehensive ICT business continuity policy and associated ICT response and recovery plans that aim to ensure the continuity of critical or important functions, quickly and effectively resolve ICT-related incidents, and minimize damage and losses. They must also test, review, and update their plans and measures regularly, and report to the competent authorities as required.
Microsoft already provides a broad set of built-in ICT risk management capabilities in our services today. This includes, by way of example: Microsoft Defender for Cloud, Microsoft 365 Service Health Dashboard, Microsoft Secure Score, Azure Service Health, and Microsoft Purview.
A range of requirements is mandated for EU financial entities on ICT incident management, classification, and reporting, including the following:
- ICT-related incident management process: Financial entities must have a process to detect, manage, and notify ICT-related incidents and record them according to their priority and severity.
- Classification of ICT-related incidents and cyber threats: Financial entities must classify ICT-related incidents and cyber threats based on criteria such as the number of clients affected, the duration, the geographical spread, the data losses, the criticality of the services and the economic impact.
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats: Financial entities must report major ICT-related incidents to the relevant competent authority using standard forms and templates and inform their clients about the incident and the mitigation measures. Financial entities may also notify significant cyber threats to the relevant competent authority on a voluntary basis.
- Harmonization of reporting content and templates: The ESAs, through the Joint Committee, and in consultation with ENISA and the ECB, shall develop common draft regulatory and implementing technical standards to specify the content, the time limits, and the format of the reports and notifications for ICT-related incidents and cyber threats.
- Centralization of reporting of major ICT-related incidents: The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralizing incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities.
DORA requires financial entities to run a digital operational resilience testing programme covering the ICT systems and applications that support critical or important functions: basic testing at least yearly and, for entities identified by their competent authority, advanced testing by means of threat-led penetration testing (TLPT) at least every three years. This testing regime strengthens the testing capabilities of financial entities and supports timely recovery and business continuity. Microsoft already enables customers to test their own Microsoft cloud resources through our penetration testing program. Learn more about the Microsoft Cloud Penetration Testing Rules of Engagement and our Bug Bounty programs. Microsoft will further work through and support testing requirements under this regime as required by DORA, consistent with the principles of ensuring the safety, integrity, security, and operational resilience of the Microsoft Cloud.
Financial entities are expected to manage ICT third-party risk as part of their ICT risk management framework, adopt a strategy and a policy on the use of ICT services supporting critical or important functions, and maintain a register of information on all contractual arrangements with ICT third-party service providers.
- Preliminary assessment before entering into contracts: Financial entities should assess the risks of contracting with key ICT third-party service providers.
- Key contractual provisions: Financial entities should ensure that the contractual arrangements include, among other things, a description of the functions and services, the locations of data processing and storage, management and supervision of key subcontractors that underpin the provision of critical services, the data protection and security measures, the service level descriptions and performance targets, the termination rights and exit strategies, and the access, inspection, and audit rights of the financial entity and the competent authorities.
Microsoft already provides substantial contractual commitments that are aligned with the guidance from the respective ESAs and consistent with the key contractual provisions set out in Article 30 of DORA. The Microsoft Data Protection Addendum, the Product and Service Terms, and the Financial Services Amendment cover these key elements. We'll work with customers to continue addressing further customer needs going forward.
Microsoft is preparing to meet the requirements under DORA, as applicable to it and to the key services it provides to financial entities that use its cloud services for critical or important functions. Microsoft has for over a decade invested significantly in helping financial institutions meet their regulatory obligations when using Microsoft cloud services: from the commercial contracts we make available consistent with the ESAs' guidelines on outsourcing, to transparency and assurance for our cloud services through the Service Trust Portal and other resources, to the many built-in security features of our cloud services. Coupled with the breadth of capabilities we offer to help customers manage risk and oversee their use of our cloud services on a continuous basis, the elements of DORA are a natural step forward in maintaining operational resilience and using Microsoft cloud services with confidence. We're also working with regulators in other jurisdictions, such as the UK, that are implementing measures similar to DORA, and are preparing to meet those requirements as well.