New EU Law Expands Digital Resilience to Third-Party Dependencies: What is the Impact on Businesses

Financial transactions are powered by an interconnected web of owned infrastructure, within the IT perimeter, and unowned, including cloud and SaaS. As such, the digital experiences that banks and other financial services (FS) institutions provide rely on every link in this digital supply chain functioning seamlessly to provide the essential banking services their customers need, across a range of channels. With credibility at stake, it is essential that financial institutions maintain trust, visibility, and remain compliant.

In the financial services sector, many customers now primarily interface with banks, insurance firms, and trading platforms digitally. In the case of banks, digital services today have effectively become the new ‘bank branch’ for customers and it’s more important than ever to assure the quality of their delivery. It is here that financial institutions’ reputations can be made and lost, with both customers and regulators.

FS institutions have the advantage of starting from a position of trust that has been built up over decades. But in an increasingly digitalised world, retaining and maintaining that trust in the face of today’s increased digital transition is creating new considerations, challenges, and opportunities.

In our digital-first world, Internet outages are unavoidable and we read about them in the news all the time. While they are always a hassle and highly disruptive to any organisation, outages in the financial services industry hit differently. Consumers rely on apps and online services to make payments, transfer funds, manage a mortgage, trade, invest, and more. These are time-sensitive activities, and any disruption, be it 30 seconds, 30 minutes, or four hours, can have a significant impact, and many disruptions have follow-on consequences. There is no good time for this inaccessibility to take place. When it comes to access to money in a 24×7 world, every increment of time represents a “critical time” for someone who is trying to transact. When transactions fail, trust is put on the line.

This is not theoretical or hypothetical. The reverberations of inaccessibility to money are being felt today. For example, last year a data centre outage in Singapore, as well as an interbank data communications system outage in Japan, left multiple banks in both countries reeling. The prior year, an erroneous update to infrastructure underpinning an Australian bank payments system left US$620 million of transactions in limbo.

But governments and regulators are no longer content to leave resilience or the functioning of incident response mechanisms in these circumstances to chance, or to the FS institutions to unilaterally address. They are bringing in a new category of legislation in Europe in the form of the European Union’s Digital Operational Resilience Act (“DORA”). The Act, set to take effect in January 2025, will act as both a catalyst and a model for FS institutions and their service providers to rethink resilience in relation to system architectures, contractual arrangements, and minimum standards. In addition to addressing the IT security of financial entities, it also lays out guidelines for firms to follow in the event of IT disruptions or outages.

A step-change in accountability

Banks and other FS institutions have relied on third-party payment applications, cloud platforms, and connectivity to execute effectively for some time now; it is an operational necessity. And while they have also had to follow a multitude of existing guidelines and standards for years, DORA introduces new and enhanced requirements that represent a step-change in accountability and require financial institutions to become even more proactive.

Digital resilience and third-party service providers

At its core, DORA can be broken into five main topics:

ICT Risk Management: Organisations must maintain a resilient Information and Communication Technology (ICT) framework, with monitoring, identification, and documentation in place to enable rapid isolation of anomalies, alongside comprehensive business continuity and disaster recovery plans.

ICT-related Incident Management, Classification & Reporting: Processes to identify and log ICT issues; determine major issues; and produce initial, intermediate, and final reports on those issues through standard templates.

Digital Operational Resilience Testing: Perform annual testing of ICT tools and systems, leading to identification, mitigation, and prompt elimination of any weaknesses, deficiencies, or gaps.

ICT Third-party Risk Management: Register all outsourced activities, with particular focus on critical ICT third-party service providers via a Union Oversight Framework; ensure contracts with these suppliers reflect the new requirements; and put in place a “complete” monitoring approach covering these suppliers.

Information Sharing Arrangements: Allowing financial organisations to exchange information between themselves, particularly with regard to cybersecurity, e.g. threat information and intelligence.

Much of the above relates to monitoring, testing, identifying, documenting, and reporting ICT issues, with a view to mitigation, continuity, recovery, and improvement. Taking responsibility for the resilience of all ICT-related components, dependencies, and suppliers as they pertain to their service means that FS institutions need ways to quickly pinpoint where an issue is impacting the execution of a transaction and identify the root cause, both to pursue remediation and to meet enhanced disclosure and reporting requirements.

Banks and other FS institutions that lack effective visibility, monitoring, and clarity over their entire end-to-end digitally supported transactional environment could find it challenging to achieve these goals. Because FS institutions are now responsible for the resilience posture of all their ICT service providers, it is particularly important for them to have visibility over the outsourced portions of their service delivery operations. These third-party ICT service providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them map their dependencies on ICT service providers.

Visibility across domains and providers

FS companies and regulatory overseers can benefit from mechanisms that aid in monitoring, testing, identification, documentation, and reporting of ICT issues as the continuity, recovery, and improvement of digital financial services comes into sharper focus.

Not just financial transactions but all digital experiences today are powered by a digital supply chain that spans across owned and unowned networks. From application to user – be it videoconferencing, online shopping, or a manufacturing plant – the delivery of the digital experience is dependent on the performance of environments that sit outside of company control, including cloud and the Internet itself. In many ways, for the Financial Services industry, DORA is a regulatory recognition of this new reality and the shared objective to ultimately safeguard end users’ ability to access critical services.

Just as DORA is a catalyst for financial services organisations to adapt to the new reality of digital service delivery across a distributed architecture to distributed users, it also broadens the scope of financial resilience measures to include digital services. In such a distributed environment, where modern applications rely on networks and services outside of FS companies’ domain of control, visibility is key: not only for meeting regulatory requirements, but for optimising the ultimate delivery of digital experiences by enhancing overall operational resilience against the evolving landscape of ICT threats and challenges.

Ian Waters, Senior Director, EMEA, Cisco ThousandEyes.

David Howell

Dave Howell is a freelance journalist and writer. His work has appeared across the national press and in industry-leading magazines and websites. He specialises in technology and business. Read more about Dave on his website: Nexus Publishing. https://www.nexuspublishing.co.uk.
