What are the Azure policies I can implement to be compliant with the European DORA act

Ratish Kumar 71 Reputation points
2023-10-12T18:31:59.8933333+00:00

As per the new Digital Operational Resilience Act, any financial services operating in Europe need to be compliant by Jan 2025. For more reading please see https://www.pwc.be/en/industry-sector/financial-services/digital-operational-resilience-act.html?gclid=Cj0KCQjwsp6pBhCfARIsAD3GZuZRhN_d2uCMkDHJ8UUoJ0FHVl1RYUSQ94oHls_4g1z6wUn5pSXhjOMaAq_WEALw_wcB If I am deploying my financial solution in Azure, which would be consumed as a SaaS solution by other customers within Europe, how would I plan for being compliant with the DORA act? Are there any policies which I can enable in Azure, to be shared later with the European regulators?

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

Accepted answer
    Sina Salam 3,886 Reputation points
    2023-10-14T14:10:22.67+00:00

    Hello @Ratish Kumar

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    You would like to know the Azure policies and procedures that you can enable or implement to meet, or be compliant with, the European Union DORA act.

    There are many of them, and I will list some of them right here and also provide you with relevant references for more reading.

    Firstly, what you need to know and prepare for your proposal documentation:

    1. Azure adheres to the EU Cloud Code of Conduct (CoC), which serves as the basis for implementing the GDPR Article 28 requirements for cloud providers acting as business-to-business processors under the GDPR. The EU Cloud CoC also aligns with the DORA principles and requirements on ICT risk management and ICT third-party risk management.
    2. Azure offers various tools and services for digital operational resilience testing, such as Azure Security Center, Azure Sentinel, Azure Monitor, Azure Backup, Azure Site Recovery, and Azure DevOps. These tools and services can help you perform basic and advanced testing of your ICT systems and processes, such as vulnerability assessments, threat detection, incident response, backup and recovery, and continuous integration and delivery.
    3. Azure enables you to report major ICT-related incidents to competent authorities through the Service Trust Portal (STP), where you can access incident reports, root cause analyses, and remediation actions. You can also use the STP to access compliance reports, audit reports, and attestations that demonstrate Azure's adherence to various standards and regulations.
    4. Azure supports information sharing and exchange of intelligence on cyber threats through the Microsoft Intelligent Security Association (MISA), which is a group of independent software vendors and managed security service providers that integrate their solutions with Azure to provide better protection for customers. You can also use Azure Security Center to access threat intelligence from Microsoft and other sources.
    5. Azure is subject to oversight by various regulators and authorities around the world, including the European Supervisory Authorities (ESAs), which are responsible for overseeing critical ICT third-party providers under DORA. Azure undergoes regular audits and assessments by independent third parties to verify its compliance with various standards and regulations.

    Now, let me list the policies and procedures you can implement:

    • Data Encryption.
    • Data Classification and Labeling.
    • Access Control.
    • Data Auditing.
    • Data Residency.
    • Data Deletion and Retention.
    • Data Transfer.
    • Incident Response and Breach Notification.
    • Data Protection Impact Assessment (DPIA).
    • Data Protection Officer (DPO).

    Meanwhile, a few notes here were AI-assisted generated answers. Please check for any updates to Azure's compliance offerings and capabilities, as Microsoft regularly updates its services to align with evolving data protection regulations.

    To read more about the above policies, procedures and the European Union DORA act, kindly use the following references:

    References:

    1. Regulating cloud as a critical infrastructure.
    2. Digital Operational Resilience Act (DORA).
    3. EU Cloud Code of Conduct with Azure Compliance.
    4. 19 June 2023 Digital Operational Resilience Act (DORA).
    5. Microsoft Azure adheres to the EU Cloud Code of Conduct.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

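As an added illustration of one item from the answer's list (Data Residency), and not code from the answer or from Microsoft, here is a custom Azure Policy definition that denies resource deployments outside a parameterized list of EU regions. The rule has the same shape as Azure's built-in "Allowed locations" policy; the display name, parameter name and default region list are constructed for this example and should be adjusted to the regions your regulator accepts.

```json
{
  "properties": {
    "displayName": "EU data residency: restrict resource locations (constructed example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation of resources outside the EU regions listed in the parameter.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed EU locations",
          "strongType": "location"
        },
        "defaultValue": [
          "westeurope",
          "northeurope",
          "francecentral",
          "germanywestcentral",
          "swedencentral"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
          { "field": "location", "notEquals": "global" },
          { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign it at management-group or subscription scope; switching the effect to "audit" first lets you see existing non-compliant resources and export the compliance results as evidence before enforcing "deny".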

1 additional answer

    2024-03-04T08:40:44.2566667+00:00

    Dear @Sina Salam ,

    I also have another question related to External Key Management for PostgreSQL Flexible Server.

    We have requirements regarding the D.O.R.A Act. It mentions external key management.

    “Advanced Encryption with Comprehensive Azure Key Management

    Effective, secure use of cloud services involves an increasing number of decisive moments, such as when you consider using sensitive data in any cloud. You can rely on Thales to secure your digital transformation. Thales advanced encryption and centralized key management solutions give you protection and control of data stored on your premises, Microsoft Azure, and other cloud providers. Thales technology enables you to:


    Avoid cloud vendor encryption lock-in and ensure the data mobility you need while you efficiently and securely spread workloads and data across multiple cloud vendors, including Microsoft Azure, with centralized, independent encryption management”


    So if we need to comply with the D.O.R.A regulation, we need to provide our key from the Allianz central team, so that the key managed by us is used by the Azure Flexible Server (CMK) feature.


    But I can see only the Key Vault and HSM options available.


    Could you please help to check and update on this D.O.R.A topic? (as of MARCH 2024)

    Best Regards,