According to the Cloud Security Alliance’s recent research on the State of Financial Services in Cloud, financial institutions have doubled their use of the cloud for critical workloads and increased their reliance on third-party information and communication technology (ICT). For many financial institutions, this reliance on ICT means having to evaluate their cloud providers’ data resilience.
In the European Union (EU), financial market regulators and policymakers have long mandated that financial institutions conduct risk-based evaluations of ICT outsourcing, with extra considerations for critical workloads and their resilience. Implementing a more comprehensive set of data resilience requirements and supporting existing European Banking Authority guidelines on outsourcing, the EU passed the Digital Operational Resilience Act (DORA).
Financial institution workloads are inherently sensitive and process information that can be critical to regional economic stability and security. DORA aims to establish a uniform ICT regulatory framework and provide financial institutions’ customers with needed assurance of operational resilience and cybersecurity. Designed specifically for financial institutions operating in the EU, the regulation introduces stricter rules for financial institutions, including rules on how they evaluate and rely on ICT third-party service providers. One example is ensuring that data availability, security, and resilience aren’t compromised.
DORA will become enforceable in January 2025 and apply to various financial institutions, including credit institutions, investment firms, insurance organizations, payment institutions, and crypto-asset service providers. Financial institutions must risk-assess, through their own due diligence, the ICT third-party providers that offer them services, including cloud computing service providers like Oracle Cloud Infrastructure (OCI). Financial institutions must also assess whether a service arrangement supports a critical or important function.
Oracle has a long-standing relationship with financial institutions in the EU and offers a growing number of EU-based public cloud data regions. These regions include the newly launched EU Sovereign Cloud regions in Frankfurt and Madrid, which offer enhanced data sovereignty features. Paired with robust security and resiliency practices, OCI capabilities can support financial institutions looking to meet their own DORA regulatory requirements.
As EU financial institutions prepare to adhere to DORA requirements in 2024, they may consider the following capabilities and practices when assessing the suitability of OCI.
Data availability and resilience can be crucial, which is why DORA requires that financial institutions implement backup and recovery procedures that are appropriate to the criticality or sensitivity of the relevant data. ICT systems should be physically and logically separated, and depending on the type of data, the secondary processing site should be geographically distanced from the primary processing site.
Oracle deploys its cloud services on computing infrastructure designed to maintain service availability and continuity in case an adverse event affects the services. OCI also offers backup and disaster recovery solutions to protect the availability of your data and applications in the cloud. In addition, customers always choose the region in which their OCI tenancy is located. With several EU data centers to choose from, including the new EU Sovereign Cloud regions, there are multiple options for disaster recovery solutions.
DORA specifies that the rights and obligations of both the financial institution and ICT third-party service provider must be clearly stated in writing and include key contractual provisions, including those related to audit rights and exit strategies.
Oracle is transparent about its contracting practices and understands that financial institutions require the ability to move workloads into or out of OCI to meet their business and regulatory objectives. Oracle Cloud service contracts include provisions regarding service availability during periods of transition.
Oracle customers and their regulators might require the right to audit Oracle’s compliance with their regulatory and contractual obligations. The Financial Services Addendum to our cloud service agreement describes Oracle's commitment to this process.
DORA emphasizes the need for financial institutions to conduct appropriate due diligence and select ICT third-party service providers that can meet the financial institutions’ business continuity and resilience objectives. This due diligence includes evaluating whether ICT providers have implemented appropriate information security standards.
Oracle has architected OCI based on security-first design principles, which are built into all aspects of our cloud solutions and development. You can read the Oracle Cloud Infrastructure Security Architecture paper to learn more.
Oracle also provides the following resources to assist financial institutions in their evaluation of OCI:
These resources can provide financial institutions with insight into Oracle’s practices, policies, architecture and infrastructure resilience, security services and features, and documentation that they might need for their DORA compliance evaluations.
DORA recognizes that ICT third-party service providers, including cloud computing providers, might support crucial financial institution functions that keep the economy running in a digital age. Oracle’s practices and controls are developed so that customers operating in the financial services market can use OCI as an environment designed to be secure, flexible, and highly available for running their most critical applications and workloads.
For more details on how OCI can support European financial services customers with their compliance requirements, contact an Oracle representative.