The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European Union (EU) regulation that creates a binding, comprehensive Information and Communication Technology (ICT) risk management framework for the EU financial sector. DORA applies to financial entities in the EU and to the ICT third-party service providers that serve them (referred to collectively on this page as FIs). DORA applies from January 17, 2025, the date from which supervisory authorities can enforce it; FIs must be compliant by then.
F5’s Distributed Cloud (XC) Platform helps FIs comply with DORA. Services such as XC DDoS Mitigation, XC WAF, XC API Security, and XC Bot Defense help FIs detect, log, and mitigate cyber threats and anomalous activities on their web and mobile applications as well as their data and network infrastructure. The Distributed Cloud Platform also enables FIs to monitor, audit, and report on their ICT risk management activities and comply with DORA’s governance and oversight requirements. By leveraging F5 Distributed Cloud Platform, FIs can achieve operational resilience, protect their customers and reputation, and avoid regulatory sanctions in the face of increasing cyber threats and ICT disruptions.
F5 and its services prioritize the protection of personal data and uphold the highest standards of data privacy. The technical and organizational controls that protect personal data collected by F5 are listed in the specific service contracts (for example, the Service-Specific Terms applicable to services provided under our End User Services Agreement) and in F5's SOC 2 Type II report. F5 Global Support is ISO 27001 certified, and F5 Distributed Cloud Services are ISO 27001 certified with extensions for ISO 27017 (cloud security controls) and ISO 27018 (protection of personal data in the cloud). F5 is also PCI DSS compliant as a Level 1 Service Provider for the F5 Distributed Cloud Services. Additional security certifications apply to specific F5 services and F5 hardware. Find more detailed information about data security practices at https://www.f5.com/company/policies/privacy-notice.
Customers whose primary place of business is in Europe, the Middle East, or Africa (collectively, EMEA) receive services through contracts with F5 Networks, Ltd. F5 Networks, Ltd., which is headquartered in and incorporated under the laws of the United Kingdom, is the center of F5’s EMEA operations. The European Commission has adopted an adequacy decision for the UK under the GDPR, and the Swiss authorities have made an equivalent determination; as a result, transfers of personal data from the EU or Switzerland to the UK satisfy the requirements of Chapter V GDPR and equivalent Swiss law without any additional transfer tool.
Customers headquartered in the Asia–Pacific (APAC) region contract with F5 Networks Singapore Pte Ltd. in Singapore. All other customers (including those headquartered in North America) contract with F5, Inc. in the United States. For all F5 services, the Data Protection Addendum (DPA), as supplemented by the Service-Specific Terms, includes the Standard Contractual Clauses and provisions that apply to all legally applicable transfers to F5. These Standard Contractual Clauses are accompanied by the international data transfer addendum published by the UK government for UK transfers, as well as additional language published by the Swiss Federal Data Protection and Information Commissioner for Swiss transfers. For relevant services, F5 also maintains a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.
Yes. For relevant services, F5 maintains a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.
No. These two U.S. legal provisions (Section 702 of FISA and Executive Order 12333), which were the focus of the Schrems II decision, do not affect F5; see the two answers below for why. In any case, following improvements to U.S. rules on government access to data after the Schrems II decision (principally Executive Order 14086 of October 2022), the European Commission determined in its Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) that the earlier concerns about those provisions have been resolved. The European Data Protection Board (EDPB) analyzed the European Commission’s decision and noted (in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023) that “all the safeguards that have been put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used” (meaning, regardless of whether the data is transferred to the United States via the Data Privacy Framework, Standard Contractual Clauses, or another transfer tool).
F5 has never received a data access request or any other kind of directive under FISA 702. FISA 702 directives can be served only on “electronic communication service providers” as defined in FISA, and many F5 services do not fall within that category. Additionally, for almost all customers of F5 services, F5 does not process the type of data that is eligible to be targeted with a FISA 702 directive, which is limited to “foreign intelligence information” within the meaning of FISA, such as data about the proliferation of weapons of mass destruction, foreign powers’ plans for attacks on the United States, or intelligence about the clandestine activities of foreign spies.
F5 also cannot receive an order to produce customer data under EO 12333 because there is no such thing as an EO 12333 order. EO 12333 allocates certain responsibilities within the United States Intelligence Community but does not impose any obligations on the private sector. F5 encrypts data in transit and applies additional security measures against interception of data in transit, which is the scenario that concerned the Schrems II court prior to the 2023 European Commission adequacy determination discussed above.
The CLOUD Act did not give the U.S. government new powers to demand data from companies that do business in the United States. The U.S. government does not issue “CLOUD Act orders,” and F5 has never received one. The CLOUD Act clarified that when the U.S. government follows appropriate existing legal process (such as obtaining an order from a federal district court judge) to direct a company to provide specified data in its possession, custody, or control, the location of the data cannot be the basis for the company’s challenge to the order (though a conflict with the laws in force at that location still may be). The CLOUD Act was enacted in March 2018, before the July 2020 Schrems II decision, so the court had it in view. Subsequent to the Schrems II decision, the United States made various improvements to its rules and practices regarding government access to data. The European Commission then assessed these improvements and determined that U.S. law applicable to U.S. government demands for data now provides an adequate level of protection within the meaning of the GDPR. See Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework. The European Data Protection Board (EDPB) analyzed this decision and noted (in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023) that “all the safeguards that have been put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used” (meaning, regardless of whether the data is transferred to the United States via the Data Privacy Framework, Standard Contractual Clauses, or another transfer tool).
Every customer contract for F5’s services (the End User Services Agreement (EUSA)) includes Service-Specific Terms that incorporate and supplement F5’s Data Protection Addendum (DPA), which includes the Standard Contractual Clauses with relevant additional language for transfers subject to UK or Swiss law. In certain cases, the customer and F5 will have a different contract that incorporates these same protections, such as the contract for specific F5 support services. Customers can also refer to https://www.dataprivacyframework.gov/list, which shows that F5 has certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.
For transfers governed by UK data protection law to F5 entities in “third countries” (and, viewed from the EU, for transfers involving the UK itself), F5 and its customers rely on the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which is published on the UK Information Commissioner’s website and is incorporated by reference in F5's DPA for relevant transfers governed by UK law. In addition, for certain services, F5 is certified under the UK Extension to the EU-U.S. Data Privacy Framework.