As part of our continuing engagement with regulatory authorities on the finalization of DORA, including the European Supervisory Authorities (ESAs) and National Competent Authorities (NCAs), we submitted our response to the consultation on the second batch of technical standards in early March 2024. These responses will be available on the ESAs’ website. This blog summarizes our responses to key topics that will impact AWS and our customers.

DORA, which will require compliance by 17 January 2025, introduces new regulatory requirements on how EU financial services entities work with information and communication technology (ICT) providers (including, but not limited to cloud providers). It also introduces a direct oversight regime for ICT providers designated as Critical Third-Party Providers (CTPPs). As AWS continues with our implementation efforts, our team of dedicated financial services compliance experts is supporting customers as they make the necessary changes to comply with relevant requirements ahead of January 2025. AWS customers should reach out to their account team if they would like to discuss DORA in detail and how AWS can assist them with compliance.
Threat-Led Penetration Testing (TLPT)

The TLPT RTS set out implementing measures around DORA’s overarching requirement for certain financial services entities to conduct TLPT over ‘critical or important’ functions. At AWS, security is our top priority, so our responses have prioritised security concerns raised by the TLPT RTS and how TLPTs may impact security of financial services entities and ICT providers. TLPT can, if handled inappropriately, harm customer data, including customers not within the scope of a test.

In our response, we highlighted the following points:

AWS agrees with the cross-sectoral and entity-agnostic approach taken in the RTS towards the conduct of TLPT.
AWS can perform a critical role assisting customers with TLPT requirements that apply to them under DORA. AWS is well-positioned to know how a TLPT can best adopt realistic attack scenarios, whilst ensuring that such tests do not unnecessarily threaten the integrity of customer data. To best assist customers subject to TLPT requirements, AWS recommends further ICT provider involvement in the TLPT process.
TLPTs can produce extremely sensitive information, including attack scenarios and remediation plans; such information must be shared securely and proportionately. AWS suggests that vulnerability information from TLPTs should only be shared between regulatory authorities on a need-to-know basis, via secure electronic channels.
To cater for the needs of all customers, AWS favours the use of pooled testing for TLPTs involving CSPs. Pooled testing is an efficient use of IT resources, avoiding duplication of effort, mitigates risk for customers, and allows TLPTs to appropriately cater for the complex nature of IT resources.

Subcontracting

The RTSs on subcontracting address relevant considerations for financial services entities under the scope of DORA when using third-party IT services (including cloud services) in support of critical or important business functions.

Broadly, AWS made the following points in response to the subcontracting RTS:

AWS suggests further clarification on the definition of ‘ICT subcontractor’ to focus on subcontractors that provide significant or critical levels of assistance. Without this clarification, customers may be unduly penalized if they use numerous subcontractors, harming competition, whilst not benefiting operational resilience.
AWS also argues against language that suggests that financial services entities may object to subcontracting., Such requirement would be incompatible with one-to-many services, like cloud services, where subcontractor arrangements are not tailored for particular customers. At its worst, such a requirement could lead to one financial entity preventing a service rollout, change, or expansion which may benefit thousands of customers, including customers not subject to DORA.

ICT-incident reporting

The RTS and Implementing Technical Standards (ITS) on ICT-related incident reporting address reporting procedures, which financial services entities under the scope of DORA need to undertake with respect to the reporting of major incidents and the voluntary disclosure of cyber threats.

Our lack of visibility into data uploaded into a customer’s AWS account is a fundamental part of the governance model that operates in a cloud environment (the AWS Shared Responsibility Model). The AWS response to the public consultation seeks to prioritize the security of customer data in order to reflect the overall principles of the Shared Responsibility Model.

AWS proposes extending the timeline for initial major ICT-related incident reporting from four to twenty-four hours to align with other major cybersecurity regulations, such as the NIS Directive. This will prevent regulators from suffering from notification fatigue and customers from submitting unnecessary notifications.
AWS suggests stricter security measures around the inclusion of sensitive or critical customer information such as unremedied vulnerabilities within an incident report. AWS is committed to preventing our customers from increasing their vulnerability in all circumstances. As a result, AWS takes a proportionate approach towards the content of incident reports by limiting the disclosure of sensitive details.
AWS strongly believes in the use of secure communication channels for the communication of any incident report. In a world where attackers have the ability to intercept sensitive information via advanced technological means, vulnerability-related information must be communicated via secure channels, irrespective of whether those vulnerabilities relate to third-party services or not.

Oversight and Harmonization

Under DORA, ICT providers designated as CTPPs will be subject to ongoing oversight by a Lead Overseer (one of the three ESAs) regarding a number of aspects of the CTPP’s operations, as set out in annual oversight plans. AWS welcomes the concept of annual oversight plans for CTPPs and understands the importance of identifying relevant risks in a CTPP’s annual oversight plan so that risk-based oversight of CTPPs can be effectively carried out.

AWS raised the following points in its response to the public consultation:

We welcoming the reference to ‘secure electronic channels’ when describing the provision of information by a CTPP to its Lead Overseer. However, AWS also proposes that use of these secure channels be significantly expanded to also apply to storage and handling of such information.
For highly sensitive information, AWS proposes the introduction of appropriate safeguards to protect the security of CTPPs, financial entities, and the rights of those customers of the CTPP outside of the scope of DORA.
‘Secure electronic channels’ should be used where information is shared between the Lead Overseer and any relevant National Competent Authorities.
AWS highlights the need for a data classification framework to protect highly sensitive security data (e.g. vulnerability scans and TLPT results) at all times. This would significantly contribute to DORA’s overall objective of enhancing security and resiliency of the EU financial sector.

DORA Preparation

AWS is continuing to collaborate with ESAs and national regulators ahead of DORA’s finalization. During this time, AWS will continue to communicate with our customers to ensure that they benefit from the most up-to-date compliance position when using AWS. We are planning a series of customer events to ensure our customers have the information they need ahead of January 2025. AWS customers should reach out to their account team to discuss DORA in detail and how AWS can assist them.