The EU zeros in on disparate data security and digital resilience standards for banks

The aim of Dora     |     Data security heightens     |     Gen Next data infrastructure     |     Data sovereignty guaranteed?

Fragmented regulatory requirements. Growing reliance on multinational technology giants. Data-security concerns. Evolving cyber threats. COVID-19’s economic impact.

Europe’s financial services sector is enduring an extraordinary array of challenges, prompting regulators to respond with bold new initiatives aimed at unifying a disjointed regulatory landscape, heightening data security and enhancing operational resilience.

While global technology giants from the US, China and beyond are delivering game-changing cloud, data analytics and customer-experience capabilities to EU businesses, there is growing concern that today’s popular outsourced services do not always meet Europe’s data protection and security requirements.

The European Commission (EC) believes that the EU’s existing legal framework governing information and communication technologies (ICT) risk and operational resilience is fragmented and inconsistent, citing “uncoordinated national initiatives” that have allowed a range of diverse approaches to emerge among innovating financial firms.

Now, with its Digital Operational Resilience Act (DORA), the European Union aims to establish a comprehensive and unified digital framework for financial institutions. DORA aims to align today’s limited rules on ICT governance, better manage ICT risk and incident reporting, and eliminate gaps in information sharing, risk management and digital testing. Its goal is to create collaborative frameworks for firms to share information on cyber-threats and raise awareness on ICT risks in order to continually improve the sector’s collective resilience.

DORA is expected to significantly enhance oversight of data security and resilience measures employed by third-party ICT providers, including global technology giants serving the EU market. EU financial organizations will only be allowed to engage with ICT third parties that comply with the latest applied risk and security standards. DORA goes beyond the more narrowly defined Network Information Systems Directive to enforce minimum standards of the EU’s General Data Protection Regulation.

DORA is part of a broad package of measures that the European Commission has issued concerning digital finance. The EC measures are intended to enable and support innovation while appropriately mitigating risks. The EC has stated that “the future of finance is digital” and that Europe must implement digital capabilities that will both drive its post-pandemic recovery and protect consumers against emerging risks. The EC’s renewed strategy maps out a path that encourages EU financial businesses to:

1. Embrace the digital revolution’s trends and opportunities;
2. Drive digital finance with strong European market players in the lead;
3. Make the benefits of digital finance available to European consumers and businesses;
4. Promote digital finance based on European values and the sound regulation of risks.

There is a strong sense of looking forward and seeking to do things differently and better and the EC has made clear its intention to focus more closely on protecting consumers wherever appropriate – including due compliance with Europe’s relatively stringent data-protection rules.

DORA essentially defines clear roles and responsibilities for all ICT-related functions, requiring financial businesses to ensure effective implementation of internal governance and risk-control frameworks. Each EU financial firm will be required to define, approve, oversee and be accountable for the implementation of all arrangements related to DORA’s risk-management framework. It applies to:

• Banks and credit institutions;
• Digital payment services;
• Investment firms;
• Trading venues;
• Insurance and reinsurance firms;
• Credit rating agencies;
• Crowdfunding service providers;
• ICT third-party service providers such as cloud services.

These changes are emerging as European regulators – and consumers – voice concerns about the need to ensure appropriate gathering, use, sharing and protection of consumer data as financial services firms pursuing transformational digital technologies increase their dependence on global tech giants. Hardware and infrastructure services can continue among the big ‘hyper scalers.’ But the way they deliver services and manage data use, security and cyber resilience will be subject as never before to European regulators and rules.

While DORA aims to level the data and risk management playing field as EU financial services firms reach out to technology providers, France, Germany and other European partners have also created GAIA-X, a recent proposal for the “next generation” of data infrastructure for Europe – a secure, federated system that meets the highest standards of digital sovereignty while promoting innovation.¹

GAIA-X calls for “an open and interoperable European digital ecosystem, where data and services can be shared in a context of trust.” It aims to develop common standards for Europe’s data infrastructure and ensure openness, transparency and collaboration among EU nations. Seven European countries and more than 150 European organizations and businesses are currently involved in the project, which is designed to “give birth to the new generation of data ecosystems.”

Initial GAIA-X Hubs have been established all over Europe to date and more will likely follow as Europe pursues greater independence from global tech giants and hyper scalers. GAIA-X intends that when Microsoft, Google and other leading players want to do business in Europe, they will need to meet Europe’s stringent regulations regarding cloud security and data protection. They will no longer be allowed to dictate how business is done with their Euro clients regarding data use and policies. A key potential benefit will be “the guarantee of data sovereignty” and the ability of every organization to decide for itself where its data is stored and how it is used or shared.

To ensure common standards that provide transparency and interoperability, GAIA-X aims to align network and interconnection providers, cloud-solution providers and high-performance computing. New mechanisms being developed will identify, combine and connect services from participating providers in order to enable a user-friendly infrastructure ecosystem featuring the highest security requirements and privacy protection.

Also noteworthy is the Financial Big Data Cluster (FBDC), the finance-sector use case within the GAIA-X initiative. It aims to develop a secure, legally compliant, user-friendly financial data platform that will advance automation and machine-learning solutions across Europe’s financial ecosystem. This new cloud-based platform is designed to provide access to sovereign financial data infrastructure and allow Europe’s financial institutions, fintechs, public stakeholders and research institutions to share information and drive innovation. The platform will connect and integrate the financial data of companies, authorities and science in a common data pool, and will be optimized for the rapid development of AI applications and data-driven business models throughout Europe’s finance sector.²

As the playing field evolves and businesses pursue rapid digital innovation post-pandemic, it will be crucial for finance-sector firms to take a strategic approach to digital transformation, precisely addressing evolving requirements related to data protection and risk management.

As the KPMG/HFS Research global report Enterprise Reboot notes, nearly 60 percent of executives we surveyed in 2020 agreed that the pandemic has created a new impetus to accelerate digital transformation. More than half (56 percent) also cited cloud migration as an absolute necessity to ensure competitiveness and survival today. The global transformation trend is gaining momentum among EU financial firms, which to date have been slow off the mark in shifting critical data to the cloud. 

But as businesses are discovering – and as the EC is warning – organizations cannot simply ‘plug into the cloud’ without ensuring appropriate data security, cyber-resilience and regulatory compliance. Initiatives such as DORA and GAIA-X will provide critical new ‘guardrails’ concerning the effective implementation and oversight of digital capabilities and data management as EU financial companies increasingly embrace digital transformation that is inevitable.