Record temperatures are not the only challenge to global infrastructure this summer. New, onerous regulatory infrastructure obligations are warming the landscape for financial institutions and their technology providers.
Europe has moved first to establish new operational resilience and cyber rules that will demand new controls from providers and portability between them. Europe is moving fast, with implementation deadlines to be set next year as other regulators follow suit.
This article puts the latest developments in context for IT and Compliance as senior managers will need to establish plans in 2H22.
The EU’s French Presidency has changed the rules of the infrastructure services game. As shown in Exhibit 1, three pieces of legislation moved into formal adoption procedures in Q2 2022.
This is just the edge of the new wave of infrastructure rules which prescribe:
- New, prescriptive obligations for how firms manage technology
- Direct oversight of critical third-party providers
- Penalty regimes based on a large percentage of revenue
- Digital sovereignty over service provision
- Fast-approaching deadlines.
Technology and Compliance teams will need to move rapidly to put in place the necessary controls to prevent breaching these new rules and incurring costly fines.
Exhibit 1: EU digital infrastructure rules as of July 2023
Source: JWG analysis of EU digital rules 2020-2025 as of July 2022
Dawn of a new era – DORA and NIS2
In 2023, we can expect to see the implementation of the EU Digital Operational Resilience Act (DORA) which looks at a firm’s ability to weather turbulence across its supply chain.
Its holistic approach goes a step further than other jurisdictions as it looks at both digital and ICT risk. DORA will cause millions of pages of contracts to be revised as it stipulates standard clauses which detail the services, protection during the delivery and the exit strategy of any agreement.
Exhibit 2: Key obligations of the EU’s DORA and the UK’s PS6/21
Source: JWG analysis of UK and EU operational resilience obligations, June 2022
As shown in Exhibit 2, DORA’s EU mandate extends beyond the UK’s to include both digital and ICT risks, with a clearer emphasis on cyber threats through the inclusion of cyber threat information sharing and an ICT incident management process.
In a global first, ICT third-party service providers designated as critical (CTPPs) will be subject to a common oversight framework and direct oversight from EU regulators.
This month, the Bank of England and Financial Conduct Authority have released a consultation on a critical third party (CTP) regime that is likely to follow a similar, but slightly different approach.
Working alongside and in tandem with DORA is the new Network and Information Security Directive 2 (NIS2). Its purpose is to ensure a high level of cybersecurity within the EU.
Implementation is expected in 2023, after a political agreement was reached between the Commission, the Council, and the Parliament on May 13th, 2022. It will impose a new list of risk management requirements that include incident handling procedures and crisis management preparation, as well as vulnerability disclosures, which will be stored in a database kept by the European Union Agency for Cybersecurity (ENISA).
Digitally sovereign storm clouds ahead
The current texts are not the end of the EU regulatory journey. As part of the EU’s Cybersecurity Strategy, published in December of 2020, two new acts were introduced.
The first is the Cyber Resilience Act, which aims to establish common security standards for cybersecurity products. The consultation ended in May 2022, with an expected proposal due in Q3 2022.
The second, the Cybersecurity Act, strengthens the authority of the EU Agency for Cybersecurity (ENISA) and calls on it to implement a certification framework for products and services.
Shortly after the strategy was published, ENISA published a cloud certification scheme to enhance trust for cloud services.
As a result of Europe’s push towards digital sovereignty, we expect to see these standards extended in 2022, primarily for cloud services residing outside of the EU.
Those who are not keeping their eye on the EU’s movements could find themselves in hot water.
These rules will have significant global repercussions for both financial institutions and their supply chains.
Regulators are demanding end-to-end controls, which will require a holistic approach to managing risk that firms are not currently equipped to handle.
Firms will need to be able to see across the entirety of their supply chain and vendors will be under pressure to provide detailed information regarding their services.
These new rules will create enormous administrative burdens as well as increased costs and the risk of stifling innovation.
The time to start looking at infrastructure risk is now and it needs to start from the top.
New board-level risk dashboards and interdisciplinary cooperation across risk silos are required to define “what good looks like” for this new environment.
JWG will create a task force to solicit comments on this paper from regulators, regulated financial institutions, and suppliers to shape future plans. Please contact firstname.lastname@example.org if you would like to be involved.
The paper, along with a companion IT guide to Operational Resilience, is available free of charge to JWG registrants.
If you do not have a JWG account, register here.
Want to learn more? Please register for the 2 November dinner in London or this panel at our virtual annual conference on 10 November.
Please contact Corrina Stokes if you would like more information.