Building digital resilience through more collaboration

Systemic risk and the need for resilience in financial services do not begin and end at the geographical borders of the EU. Europe should remain open, strengthen partnerships with trusted players, and avoid overly prescriptive regulation. This way, Europe can marry the need for establishing harmonised regulatory guardrails with the flexibility financial players need to pursue their business and digital transformation journeys.

The past few years have been full of unprecedented global challenges: the climate emergency, a pandemic, and the war in Ukraine. Change has been the only constant. The reality is that disruption is inevitable, and success is a choice. That’s why business leaders and policy makers are carefully looking at how the speed of digitisation can be catalysed to build a foundation of digital trust across services. Trust that is critical to the well-being of our societies.

“The best way to improve digital and operational resilience, increase innovation, and comply with ever-changing regulation, is to foster even greater levels of cross-border collaboration.”

Great policies strike the delicate balance of proportionate regulation that offers legal certainty and guardrails, and also allows enough flexibility for co-creation and information sharing.

For example, the European Commission’s upcoming Digital Operational Resilience Act (DORA), is a great step in the right direction as it recognises the evolving nature of risk and resilience in the increasingly digitalized landscape of EU financial services.

The EU’s regulatory efforts to reinforce the resilience of its critical digital infrastructure and services are signaling the need to move beyond the sole lens of cyber security to a more encompassing approach that also considers the needs of consumers and wider ecosystem effects. This overarching objective is best served by remaining open to the capabilities of the best technologies available and by strengthening partnerships with globally trusted players.

To build even stronger digital resilience, specific regulations should advance the following principles:

• As digital resilience is a global issue, regulation should be principle-based, rather than overly specific and prescriptive. If different authorities were to implement their own flavor of bespoke prescriptive rules, the result would be more confusion and complexity without improving security and resilience. Using international standards, schemes and protocols as a shared language to further a shared objective will enable public and private sector organisations to build confidence and advance the global cyber security and digital resilience agenda.

• Achieving digital resilience requires that we look beyond considering only the technological layer of the issue. Fundamentally, digital resilience is a human-centered consideration focused on well-being; it is about stimulating trust and preventing high-risk situations that cause intolerable harm. Rather than implementing a blanket-ban on particular technologies or partnerships, the foundation for resilience should be a risk-based approach with open and measurable criteria that are outcome-oriented.

• Our economy’s critical infrastructure, across the public and private sector, is made up of complex systems and processes. To secure them, we need a bespoke combination of public and private actions. With a variety of high-level industry-led initiatives, such as the Charter Of Trust, policy makers can build on concrete and operational recommendations to establish cyber security and digital resilience regulation that is ready for a global world characterized by interconnectivity and interdependency.

When we look at the need for digital trust in the financial sector, the objectives of NIS2 and DORA are clear: achieving higher resilience in the interest of economic and financial stability and consumer well-being. We must not lose sight of that outcome.

“Harmonising the rules for ICT risk management, incident reporting, and testing is a positive move forward. Acknowledging that there can be more than one route to achieving resilience should be next.” 

Regulators and businesses cannot control the future, but they can choose to allow for optionality when implementing decisions today to ensure that they are future-proof for tomorrow. DORA is a case in point. IBM strongly supports DORA’s overall objective of providing more certainty for the financial sector. Agnieszka Bruyère, Vice President IBM Cloud for EMEA, has outlined our long history of helping clients adapt to changing regulations, including our preparedness in supporting our clients on their journey to upcoming DORA Compliance.

While it can be tempting to fold back on one’s own to avoid risks, in a world of uncertainty Europe should not limit dependencies by going it alone. Recent events have made the importance of the Transatlantic collaboration abundantly clear. There is more that unites us than divides us.

The same applies for regulation: Europe should not be cut off from best-of-breed cyber technologies. Doing so will impede access to providers and will not result in higher resilience. Quite the opposite. For instance, it may end up exacerbating concentration risk. Systemic risk and the need for resilience in financial services do not begin nor end at the geographical borders of the EU.

Acknowledging that financial services firms are interconnected across borders, guaranteeing proportionality and flexibility, and ensuring that regulations stand the test of time are key to creating a secure and innovative framework for the future success of Europe’s financial sector.

By enabling financial institutions to assess different categories of risk affecting their business, they can take measures that best serve their customers and fulfil their role in the financial system. Greater resilience should not correlate to unmanageable levels of operational complexity.

Legislation should name risks and help institutions manage these risks adequately while keeping in mind the objective of supervisory efficiency. This is why we believe that the alignment between the NIS2 Directive and DORA will be key to achieving a balanced and proportionate approach that considers all stakeholders’ interests.

Within the guard-rails of proportionate regulation, we believe in the need to allow the market enough latitude to be creative, collaborate and knowledge-share in a way that allows us to emerge collectively stronger from periods of struggle and disorder. With DORA and NIS II, the EU is setting a clear direction of travel. Nonetheless, we still need to go further, positioning resilience as a means to an end, and not the end in itself.

Authored by Liam Benham, Vice President Government & Regulatory Affairs, IBM Europe