ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
• third-party digital infrastructure providers essential for financial services (eg, cross-border payment networks, digital identity verification systems).

These critical ICT providers are subject to direct regulatory oversight from the European Supervisory Authorities (ESAs), including:
• the European Banking Authority (EBA);
• the European Insurance and Occupational Pensions Authority (EIOPA); and
• the European Securities and Markets Authority (ESMA).

Will Every Cloud Service Provider Be Classified as Critical?
A cloud service provider will not necessarily be classified as critical. DORA applies additional scrutiny only to cloud providers whose services are fundamental to financial stability:
• large cloud service providers (AWS, Microsoft Azure, Google Cloud) that host banking operations will likely be classified as critical;
• small cloud vendors or niche SaaS providers that do not support essential financial operations may not fall under direct regulatory oversight; and
• ICT providers servicing multiple financial institutions are more likely to be designated as critical by the ESAs.

However, even non-critical cloud providers must comply with DORA’s contractual obligations, ensuring cybersecurity, resilience and transparency in financial ICT supply chains.

Conclusion
DORA imposes strict contractual requirements on ICT service providers, ensuring cybersecurity resilience, incident reporting and regulatory compliance for financial sector digital infrastructure:
• ICT service providers are broadly defined, covering cloud services, cybersecurity, fintech and digital infrastructure providers;
• critical ICT providers (eg, cloud computing firms supporting financial transactions) face enhanced regulatory oversight; and
• not all cloud service providers are automatically classified as critical, but those supporting essential financial functions will be directly supervised by EU regulators.

3.3 Key Operational Resilience Obligations
DORA establishes a uniform legal framework for digital operational resilience in the EU financial sector, applying directly to Italy. The Regulation ensures that financial institutions and their ICT service providers can withstand, respond to and recover from cyberthreats and ICT disruptions.

Objectives of DORA
The primary goals of DORA are to:
• strengthen ICT risk management across the financial sector, ensuring business continuity and financial stability;
• standardise incident response and reporting, allowing for timely detection, containment and notification of cyberthreats;
• ensure regulatory oversight of critical ICT service providers, reducing third-party risks in financial operations;
• enhance resilience testing by mandating cyber stress tests and penetration testing for financial firms; and
• promote threat intelligence-sharing, improving sector-wide cyberthreat detection and mitigation.
143 CHAMBERS.COM