Leaning in on regulating cloud as critical infrastructure: Regulatory changes in Europe, the UK, and elsewhere


The financial services industry has pivoted at a rapid pace to modernize systems and adopt Microsoft Cloud for Financial Services as the backbone for key functions, from worker productivity to front-end and back-end business applications to running underlying infrastructure at scale. External factors such as COVID-19, threat actors in cyberspace, and even geopolitical events present uncertain and dynamic conditions in which financial institutions will become more reliant on the distributed nature of the hyper-scale cloud to keep operations running, wherever they conduct business around the world.


With these dynamic changes and business needs, regulation that adapts to meet these trends is a good thing. It gives financial institutions the clarity and flexibility to be more agile in this environment and, at the same time, ensures that they continue to operate and use third-party technology providers in a safe and sound manner. Central to these regulatory changes is a flexible, principles-based approach that focuses on outcomes to drive safe and sound operations from a security, privacy, and resiliency perspective. Such an approach not only promotes innovation but also accounts for the change in technology, which is occurring at a dizzying pace.

The increasing reliance upon third-party information and communication technology (ICT) service providers has garnered the attention of regulators across the world who seek to implement regulations aimed at improving digital operational resilience. It is within this context that the European Union has published the Digital Operational Resilience Act (DORA) to strengthen the digital operational resilience of the European Union financial sector in the face of ICT-related incidents. We see similar initiatives or reinforcement of existing requirements in the United Kingdom, the United States, and elsewhere.

“Additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services.” The Bank of England’s Financial Policy Committee (FPC), October 2021.[1]

The Financial Services and Markets Bill (FSM Bill), which was recently tabled before the United Kingdom Parliament, includes a proposed statutory framework for managing systemic risks posed by critical third parties (CTPs), which would be designated as such by HM Treasury (HMT). The United Kingdom financial services regulators have jointly published Discussion Paper 3/22 (DP3/22), Operational Resilience: Critical Third Parties to the UK Financial Sector, which sets out how the proposed powers in the FSM Bill could be exercised by the regulators to assess and strengthen the resilience of services provided by CTPs to the financial services industry (FSI).

Both measures, DORA and the United Kingdom Discussion Paper with its follow-on legislation, are a positive and necessary step toward a legislative framework that takes a unified and consistent approach to reviewing and assessing third-party operational risk. It is also the first time a sector-specific regulatory framework would include direct regulatory oversight of critical infrastructure technology providers. Within the European Union, DORA’s harmonized approach is particularly important given the cross-border operating model and group structure of many third-party ICT service providers and the need to avoid member-state fragmentation from a supervisory and regulatory perspective.

We support the initiative by the European Commission, the Council of the European Union, and the European Parliament to design a proportionate, effective, and harmonized regulation for Europe. Partnering with these key stakeholders and the industry is our focus, so that we are best prepared to meet the needs of the industry and learn from these approaches. In addition, the United Kingdom process under DP3/22 on Operational Resilience, and the United States’ treatment of third-party risk management in its Proposed Interagency Guidance on Third-Party Relationships, will result in positive steps toward modernizing regulation to keep pace with the sea change in innovation occurring within the FSI.

The way forward: DORA sets a benchmark

DORA is expected to be published in the Official Journal of the European Union by the end of 2022, after final adoption by the European Parliament and the remaining procedural steps are completed. DORA enters into force shortly after publication, but its rules apply only after a 24-month implementation period, so the requirements under DORA will apply from late 2024 at the earliest. This allows Microsoft and financial institutions to prepare for compliance ahead of that date. During the implementation period, the Regulatory Technical Standards (RTSs) that detail how DORA is to be implemented will also be developed; the RTSs are expected to be completed before DORA applies.

The key requirements under DORA cover the following: ICT risk management, ICT-related incident reporting, digital operational resilience testing, and oversight of critical ICT third-party service providers. Critical ICT third-party service providers will themselves be subject to the oversight framework, not only the financial entities that use them.

At Microsoft, we support our financial services customers and will continue to do so as DORA is implemented, specifically, but not limited to, in the following key areas:

  • ICT risk management: DORA establishes a comprehensive ICT risk management framework with which financial entities will be required to comply, covering the identification, protection and prevention, detection, response, and recovery of in-scope ICT risks. Microsoft already provides a broad set of built-in ICT risk management capabilities in our services today, including, by way of example, Microsoft Defender for Cloud, the Microsoft 365 Service Health Dashboard, and Microsoft Secure Score.
  • ICT-related incident reporting: DORA will harmonize the classification of ICT-related incidents while streamlining the reporting process, so that incidents are monitored, controlled, and followed up on in a more systematic way. DORA foresees a coordinated approach to ICT incident reporting that avoids overlap with reporting obligations under other regimes such as the NIS2 Directive. Microsoft supports these processes with capabilities such as those in Microsoft Defender.
  • Digital operational resilience testing: DORA introduces digital operational resilience testing of critical ICT systems and applications, with basic tests conducted at least annually and advanced threat-led penetration testing (TLPT) at least every three years. This testing approach will bolster the testing capabilities of financial entities, fostering timely recovery and business continuity. Microsoft already enables customers to test against its cloud services through its penetration testing program. Learn more about the Microsoft Cloud Penetration Testing Rules of Engagement.
  • Oversight of critical ICT providers: DORA foresees a communication mechanism between financial regulators and critical ICT third-party service providers for the management of ICT third-party risk. Microsoft already partners closely with its customers and has ongoing, substantive engagement with regulators, including audits and regulatory examinations. We think such processes should include inter-agency cooperation among regulators, and not only within Europe. For example, alignment and communication between the Bank of England and the United States regulators (FDIC, OCC, and Federal Reserve) would be helpful from a regulatory oversight perspective: it would drive synergies, avoid fragmentation, and maintain a level of clarity and communication that benefits regulators and Microsoft alike.

Providing innovative solutions for the European Union financial sector and markets elsewhere

Our overarching goal is to work with regulators globally toward a consistent set of regulatory frameworks that enable innovation, ensure banks operate in a safe and sound manner, and provide a resilient system in which the financial ecosystem can thrive. For over a decade, we have worked with industry participants and maintained an ongoing dialogue with regulators so that we are better prepared to anticipate future challenges and account for such changes, including new regulations, well in advance.

Going forward, Microsoft intends to continue working with all relevant authorities to help deliver on these regulatory objectives. This will also benefit Microsoft’s financial services customers as we support them in the innovation and development of new products and services on the cloud.

We stand prepared to support our customers throughout this long-term journey of transition and compliance while building on our commitment to earning the trust of governments and enterprises around the world.

Learn more

To find out more about how Microsoft can help your organization manage compliance in the cloud, and to stay informed, visit the Microsoft Cloud for Financial Services website.

[1] Bank of England, Financial Policy Summary and Record, October 2021.