![\"Businesswoman](\"https:\/\/new-cm-edgedigital.pages.dev\/en-us\/industry\/blog\/wp-content\/uploads\/2021\/04\/iStock-1168598831-1024x683.webp\")
\t\t\t\t<\/div>\n\t\t\t\n\t\t\tMicrosoft Cloud for Financial Services<\/h2>\n\n\t\t\t\t\t\n\t\t\t\t\t\tAccelerate innovation for sustainable growth.<\/p>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tLearn more<\/span>\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\nWith these dynamic changes and business needs, regulation adapting to meet these trends is a good thing. It provides financial institutions clarity and flexibility to be more agile in this dynamic environment and, at the same time, ensure that financial institutions continue to operate and use third-party technology providers in a safe and sound manner. Central to these regulatory changes is a flexible and principles-based approach that focuses on outcomes to drive safe and sound operations from a security, privacy, and resiliency perspective. Such an approach not only promotes innovation but accounts for the dynamic change in technology which is occurring at a dizzying pace. <\/p>\n\n\n\n
The increasing reliance upon third-party information and communication technology (ICT) service providers has garnered the attention of regulators across the world who seek to implement regulations aimed at improving digital operational resilience. It is within this context that the European Union has published the Digital Operational Resilience Act (DORA)<\/a> to strengthen the digital operational resilience of the European Union financial sector in the face of ICT-related incidents. We see similar initiatives or reinforcement of existing requirements in the United Kingdom, the United States, and elsewhere.<\/p>\n\n\n\n\n \u201cAdditional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services<\/em>.”\u2014The Bank of England\u2019s 2021 Financial Policy Committee (FPC).1<\/sup><\/p>\n<\/blockquote>\n\n\n\nThe Financial Services and Markets Bill (FSM Bill), which was tabled before the United Kingdom Parliament recently, includes a proposed statutory framework for managing systemic risks posed by critical third-parties (CTPs) who would be so designated by HM Treasury (HMT). The United Kingdom financial services regulators have jointly published a Discussion Paper 3\/22 (DP) on Operational Resilience: Critical Third Parties to the UK Financial Sector<\/a>, which articulates how the proposed powers in the FSM Bill can be exercised by the regulators to assess and strengthen the resilience of services provided by CTPs to the financial services industry (FSI).<\/p>\n\n\n\nBoth measures\u2014DORA and the United Kingdom Discussion Paper with follow-on legislation\u2014present a positive and necessary step to provide for a legislative framework designed to have a unified and consistent approach in reviewing and assessing third-party operational risk. It is also the first time a sector-specific regulatory framework would include direct regulatory oversight of critical infrastructure technology providers. Within the European Union, DORA\u2019s harmonized approach is particularly important given the cross-border operating model and group structure of many third-party ICT service providers and the need to avoid member-state regulatory fragmentation from a supervisory and regulatory perspective.<\/p>\n\n\n\n
We support the initiative by the European Commission, the European Union Council, and the European Parliament to design a proportionate, effective, and harmonized regulation for Europe. Partnering with these key stakeholders and the industry is our focus so we can be best prepared to meet the needs of the industry and learn from these approaches to drive. In addition, the United Kingdom process under the DP3\/22 Discussion Paper on Operational Resilience, and the United States addressing third-party risk management in its Proposed Interagency Guidance on Third-Party Relationships<\/a>, will result in positive steps towards modernizing regulation to adapt to the sea of change of innovation occurring within the FSI.<\/p>\n\n\n\nThe way forward: Digital Operational Resilience Act (DORA) sets a benchmark<\/h2>\n\n\n\n
DORA is expected to be published in the Official Journal of the European Union by the end of 2022 after final adoption by the European Parliament and other procedural steps are completed. Following the publication, there will be a 24-month implementation period before the rules enter into force, therefore, the rules under DORA will apply as of late 2024 at the earliest\u2014thus allowing Microsoft and financial institutions to ensure compliance with the new rules ahead of that time. During the implementation period, the Regulatory Technical Standards (RTSs) will also be under development to facilitate DORA\u2019s implementation. The RTSs are expected to be completed ahead of DORA application.<\/p>\n\n\n\n
The key requirements under DORA cover the following: ICT risk management<\/strong>, ICT-related incident reporting<\/strong>, digital operational resilience testing<\/strong>, and oversight of critical ICT providers<\/strong>. The legislative framework will also require compliance by critical ICT third-party service providers.<\/p>\n\n\n\nMicrosoft commitments under DORA<\/h2>\n\n\n\n
At Microsoft, we support our financial services customers under DORA implementation\u2014specifically, but not limited to the following key areas:<\/p>\n\n\n\n
ICT risk management<\/h3>\n\n\n\n
DORA establishes a comprehensive management mechanism of ICT risks with which financial entities would be required to comply\u2014including the identification, protection and prevention, detection, response, and recovery of such risks in scope. Microsoft already provides a broad set of built-in ICT risk management capabilities in our services today. This includes, by way of example: Microsoft Defender for Cloud<\/a>,\u00a0Microsoft 365 Service Health Dashboard<\/a>, and\u00a0Microsoft Secure Score<\/a>.<\/p>\n\n\n\nICT-related incident reporting<\/h3>\n\n\n\n
DORA harmonizes the classification of incidents while streamlining the reporting processes to develop a more systematic approach to monitor, control, and follow-up on such incidents. DORA foresees a coordinated approach to ICT incident reporting and tackling reporting overlaps such as the NIS2 Directive. Microsoft provides such capabilities, such as with Microsoft Defender<\/a>.\u00a0<\/p>\n\n\n\nDigital operational resilience testing<\/h3>\n\n\n\n
DORA introduces digital operational tests that should be conducted on critical ICT systems and applications on an annual to triennial basis (regarding advanced threat-led penetration testing). This new testing approach will bolster the testing capabilities of financial entities\u2014fostering timely recovery and business continuity. Microsoft already enables customers to do so through our penetration program.\u00a0Learn more about the Microsoft Cloud Penetration Testing Rules of Engagement<\/a> program.<\/p>\n\n\n\nOversight of critical ICT providers<\/h3>\n\n\n\n
DORA foresees a communication mechanism between financial regulators and ICT critical service providers for the management of ICT third-party risks. Microsoft already partners closely with its customers and has ongoing and rich engagement with regulators\u2014including audit and regulatory examinations. We think such processes should include inter-agency cooperation amongst other regulators not limited to Europe. For example, alignment and communication among the Bank of England and the United States Regulators (FDIC, OCC, Federal Reserve), would be helpful from a regulatory oversight perspective, drive synergies, avoid fragmentation, and maintain a level of clarity and communication that would benefit regulators and Microsoft alike.<\/p>\n\n\n\n
Providing innovative solutions for the European Union financial sector and markets elsewhere<\/h2>\n\n\n\n
Our over-arching goal is to work with regulators globally to drive for a consistent set of regulatory frameworks that enable innovation, ensure banks operate in a safe and sound manner, and provide a resilient system that enables the financial ecosystem to thrive. For over a decade, we have worked with industry participants and maintained an ongoing dialogue with regulators so we can be better prepared to anticipate future challenges and account for such changes\u2014including new regulations\u2014well in advance. <\/p>\n\n\n\n
Going forward, Microsoft intends to continue working with all relevant authorities to help ensure it delivers on these regulatory objectives. This will also benefit Microsoft\u2019s financial services customers, as we support them in the innovation and development of new products and services on the cloud. <\/p>\n\n\n\n
We stand prepared to support our customers throughout this long-term journey of transition and compliance while building on our commitment and trust toward governments and enterprises around the world. <\/p>\n\n\n\n
Learn more about compliance and cloud solutions<\/h2>\n\n\n\n
Find out more about how Microsoft can help your organization manage compliance in the cloud<\/a>. To discover capabilities and customer success stories, visit our\u00a0Microsoft Cloud for Financial Services<\/a>\u00a0website.<\/p>\n\n\n\n
\n\n\n\n
Accelerate innovation for sustainable growth.<\/p>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t\t\t
With these dynamic changes and business needs, regulation adapting to meet these trends is a good thing. It provides financial institutions clarity and flexibility to be more agile in this dynamic environment and, at the same time, ensure that financial institutions continue to operate and use third-party technology providers in a safe and sound manner. Central to these regulatory changes is a flexible and principles-based approach that focuses on outcomes to drive safe and sound operations from a security, privacy, and resiliency perspective. Such an approach not only promotes innovation but accounts for the dynamic change in technology which is occurring at a dizzying pace. <\/p>\n\n\n\n
The increasing reliance upon third-party information and communication technology (ICT) service providers has garnered the attention of regulators across the world who seek to implement regulations aimed at improving digital operational resilience. It is within this context that the European Union has published the Digital Operational Resilience Act (DORA)<\/a> to strengthen the digital operational resilience of the European Union financial sector in the face of ICT-related incidents. We see similar initiatives or reinforcement of existing requirements in the United Kingdom, the United States, and elsewhere.<\/p>\n\n\n\n \u201cAdditional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services<\/em>.”\u2014The Bank of England\u2019s 2021 Financial Policy Committee (FPC).1<\/sup><\/p>\n<\/blockquote>\n\n\n\n The Financial Services and Markets Bill (FSM Bill), which was tabled before the United Kingdom Parliament recently, includes a proposed statutory framework for managing systemic risks posed by critical third-parties (CTPs) who would be so designated by HM Treasury (HMT). The United Kingdom financial services regulators have jointly published a Discussion Paper 3\/22 (DP) on Operational Resilience: Critical Third Parties to the UK Financial Sector<\/a>, which articulates how the proposed powers in the FSM Bill can be exercised by the regulators to assess and strengthen the resilience of services provided by CTPs to the financial services industry (FSI).<\/p>\n\n\n\n Both measures\u2014DORA and the United Kingdom Discussion Paper with follow-on legislation\u2014present a positive and necessary step to provide for a legislative framework designed to have a unified and consistent approach in reviewing and assessing third-party operational risk. It is also the first time a sector-specific regulatory framework would include direct regulatory oversight of critical infrastructure technology providers. Within the European Union, DORA\u2019s harmonized approach is particularly important given the cross-border operating model and group structure of many third-party ICT service providers and the need to avoid member-state regulatory fragmentation from a supervisory and regulatory perspective.<\/p>\n\n\n\n We support the initiative by the European Commission, the European Union Council, and the European Parliament to design a proportionate, effective, and harmonized regulation for Europe. Partnering with these key stakeholders and the industry is our focus so we can be best prepared to meet the needs of the industry and learn from these approaches to drive. In addition, the United Kingdom process under the DP3\/22 Discussion Paper on Operational Resilience, and the United States addressing third-party risk management in its Proposed Interagency Guidance on Third-Party Relationships<\/a>, will result in positive steps towards modernizing regulation to adapt to the sea of change of innovation occurring within the FSI.<\/p>\n\n\n\n DORA is expected to be published in the Official Journal of the European Union by the end of 2022 after final adoption by the European Parliament and other procedural steps are completed. Following the publication, there will be a 24-month implementation period before the rules enter into force, therefore, the rules under DORA will apply as of late 2024 at the earliest\u2014thus allowing Microsoft and financial institutions to ensure compliance with the new rules ahead of that time. During the implementation period, the Regulatory Technical Standards (RTSs) will also be under development to facilitate DORA\u2019s implementation. The RTSs are expected to be completed ahead of DORA application.<\/p>\n\n\n\n The key requirements under DORA cover the following: ICT risk management<\/strong>, ICT-related incident reporting<\/strong>, digital operational resilience testing<\/strong>, and oversight of critical ICT providers<\/strong>. The legislative framework will also require compliance by critical ICT third-party service providers.<\/p>\n\n\n\n At Microsoft, we support our financial services customers under DORA implementation\u2014specifically, but not limited to the following key areas:<\/p>\n\n\n\n DORA establishes a comprehensive management mechanism of ICT risks with which financial entities would be required to comply\u2014including the identification, protection and prevention, detection, response, and recovery of such risks in scope. Microsoft already provides a broad set of built-in ICT risk management capabilities in our services today. This includes, by way of example: Microsoft Defender for Cloud<\/a>,\u00a0Microsoft 365 Service Health Dashboard<\/a>, and\u00a0Microsoft Secure Score<\/a>.<\/p>\n\n\n\n DORA harmonizes the classification of incidents while streamlining the reporting processes to develop a more systematic approach to monitor, control, and follow-up on such incidents. DORA foresees a coordinated approach to ICT incident reporting and tackling reporting overlaps such as the NIS2 Directive. Microsoft provides such capabilities, such as with Microsoft Defender<\/a>.\u00a0<\/p>\n\n\n\n DORA introduces digital operational tests that should be conducted on critical ICT systems and applications on an annual to triennial basis (regarding advanced threat-led penetration testing). This new testing approach will bolster the testing capabilities of financial entities\u2014fostering timely recovery and business continuity. Microsoft already enables customers to do so through our penetration program.\u00a0Learn more about the Microsoft Cloud Penetration Testing Rules of Engagement<\/a> program.<\/p>\n\n\n\n DORA foresees a communication mechanism between financial regulators and ICT critical service providers for the management of ICT third-party risks. Microsoft already partners closely with its customers and has ongoing and rich engagement with regulators\u2014including audit and regulatory examinations. We think such processes should include inter-agency cooperation amongst other regulators not limited to Europe. For example, alignment and communication among the Bank of England and the United States Regulators (FDIC, OCC, Federal Reserve), would be helpful from a regulatory oversight perspective, drive synergies, avoid fragmentation, and maintain a level of clarity and communication that would benefit regulators and Microsoft alike.<\/p>\n\n\n\n Our over-arching goal is to work with regulators globally to drive for a consistent set of regulatory frameworks that enable innovation, ensure banks operate in a safe and sound manner, and provide a resilient system that enables the financial ecosystem to thrive. For over a decade, we have worked with industry participants and maintained an ongoing dialogue with regulators so we can be better prepared to anticipate future challenges and account for such changes\u2014including new regulations\u2014well in advance. <\/p>\n\n\n\n Going forward, Microsoft intends to continue working with all relevant authorities to help ensure it delivers on these regulatory objectives. This will also benefit Microsoft\u2019s financial services customers, as we support them in the innovation and development of new products and services on the cloud. <\/p>\n\n\n\n We stand prepared to support our customers throughout this long-term journey of transition and compliance while building on our commitment and trust toward governments and enterprises around the world. <\/p>\n\n\n\n Find out more about how Microsoft can help your organization manage compliance in the cloud<\/a>. To discover capabilities and customer success stories, visit our\u00a0Microsoft Cloud for Financial Services<\/a>\u00a0website.<\/p>\n\n\n\n\n
The way forward: Digital Operational Resilience Act (DORA) sets a benchmark<\/h2>\n\n\n\n
Microsoft commitments under DORA<\/h2>\n\n\n\n
ICT risk management<\/h3>\n\n\n\n
ICT-related incident reporting<\/h3>\n\n\n\n
Digital operational resilience testing<\/h3>\n\n\n\n
Oversight of critical ICT providers<\/h3>\n\n\n\n
Providing innovative solutions for the European Union financial sector and markets elsewhere<\/h2>\n\n\n\n
Learn more about compliance and cloud solutions<\/h2>\n\n\n\n
\n\n\n\n