LONDON – Financial firms in the European Union will have to show how quickly they could recover from a cyber attack as they rely more on ‘cloud computing’ giants such as Amazon, Microsoft, Google and IBM for key services, the EU said on Monday.
Regulators worry about the speed and scale at which banks, insurers and investment firms are moving critical functions and market operations onto a handful of cloud platforms.
A glitch at one cloud company could potentially bring down services across many financial firms, regulators have said.
The EU Council, which represents the 27 member states, said it has completed the bloc’s final approval stage for the new Digital Operational Resilience Act, known as DORA.
Banks and other financial firms already have plans for IT security but more was needed so they stay resilient through a severe disruption, said Zbynek Stanjura, finance minister for the Czech Republic, which holds the EU presidency.
“Thanks to the harmonized legal requirements which we adopted today, our financial sector will be better able to continue to function at all times,” Stanjura said.
The requirements will apply to financial firms and “critical” third parties supplying cloud-based services.
“If a large-scale attack on the European financial sector is launched, we will be prepared for it,” Stanjura said.
The bloc’s securities, insurance and banking watchdogs will write technical rules to implement the new law.
The European Parliament, which had joint say, has already given the green light and the law will come into force around the end of 2024.
Britain, no longer in the EU, said in June its regulators will be given powers to designate which outsourced services can come under direct supervision of the Bank of England and Financial Conduct Authority.