Article VII – EU Digital Resilience Regulation
DORA: operational resilience in a time of an evolving risk landscape
The European Commission’s proposal for a regulation on digital operational resilience for the EU financial services sector (hereinafter ‘DORA’) reflects the changing risk landscape and the pressing need to ensure that financial service providers in the EU remain operationally resilient even when severe disruptions, such as a cyber attack or a major ICT outage, occur.
This legislative proposal forms part of the European Commission’s Digital Finance Strategy Package, which aims to create a stable and harmonised framework for digital operational resilience across European financial institutions. To this end, the Commission has proposed the DORA in order to address the fragmented EU landscape regarding ICT risk management, incident reporting, digital operational resilience testing and the oversight of critical ICT third-party service providers.
Scope of the DORA
The DORA sets out obligations that will apply to two broad categories of entities:
- Category 1: financial entities, including payment institutions, credit institutions, alternative investment fund managers, management companies, insurance and reinsurance undertakings and intermediaries, crowdfunding service providers, central securities depositories, trading venues and trade repositories, data reporting service providers, electronic money institutions, investment firms, crypto-asset service providers, credit rating agencies, statutory auditors and audit firms, securitisation repositories, institutions for occupational retirement pensions and administrators of critical benchmarks; and
- Category 2: ICT third-party service providers, such as providers of cloud computing services, software, data analytics services and data centres.
What are the main obligations under the DORA?
The obligations to be introduced by the DORA may be grouped under five main pillars, the salient aspects of which are discussed hereunder:
- ICT risk management: Financial entities will be obliged to put in place a comprehensive ICT risk management framework, backed by internal governance and control arrangements, in order to ensure the effective and prudent management of ICT risk. They must also maintain up-to-date ICT systems, protocols and tools which are reliable and adequate for the activities they carry out. In addition, financial entities will be required to take a proactive approach to the prevention and detection of, response to and recovery from ICT-related incidents, and to monitor the implementation and effectiveness of their digital operational resilience strategy on an ongoing basis.
- ICT-related incidents: Financial entities shall establish and implement an ICT-related incident management process to detect, manage, track, log, categorise and classify ICT-related incidents. Moreover, they shall report major ICT-related incidents to their competent authority within the prescribed timelines, using harmonised reporting templates, so as to allow financial supervisors to better assess the frequency, nature, significance and impact of major ICT-related incidents.
- Digital operational resilience testing: Financial entities will be subject to an ongoing duty to test their digital operational resilience on a regular basis. The proposal distinguishes between a basic programme of tests (such as vulnerability assessments and scenario-based testing) that all financial entities must carry out, and advanced threat-led penetration testing, which those financial entities identified by the competent authorities must perform at least every three years.
- Managing ICT third-party risk: Financial entities shall also manage ICT third-party risk as an integral component of their ICT risk management framework. A written contract must be concluded with each ICT third-party service provider, detailing all of the parties’ respective rights and obligations. Furthermore, before entering into such an arrangement, financial entities will be required to assess ICT concentration risk and the risks arising from sub-outsourcing arrangements.
- Critical ICT third-party service providers: A particular sub-set of requirements will apply to those entities falling within the definition of critical ICT third-party service providers (‘CTPPs’). CTPPs will be subject to an EU Oversight Framework whose main purpose is to verify that CTPPs have implemented sound, comprehensive and effective rules, procedures, mechanisms and arrangements aimed at mitigating the ICT risks which they may pose to the financial entities making use of their services. Furthermore, CTPPs have the obligation to provide information to the Lead Overseer and to allow it to conduct investigations and on-site inspections. CTPPs will be required to pay oversight fees to cover the expenses incurred by the Lead Overseer in carrying out its tasks.
A breach by a CTPP of its obligations under the DORA may result in the imposition of penalties by the Lead Overseer, which will be empowered to impose a periodic penalty payment of 1% of the CTPP’s average daily worldwide turnover for each day until compliance is achieved. Breaches by financial entities, by contrast, will be sanctioned by the national competent authorities, and the draft legislation envisages that Member States will be given the leeway to determine whether or not to impose harsher sanctions under their national legislation.
At this stage, the proposed EU Regulation on digital operational resilience for the EU financial services sector remains subject to the ordinary legislative procedure before the European Parliament and the Council of the European Union and may, therefore, be subject to further amendments and refinements before its official entry into force.
It is pertinent to note that the DORA is largely seen as a legislative instrument that sets the tone for the operational, ICT and risk management capabilities expected of entities active within the financial services industry. Accordingly, it is important for those who fall under the scope of the proposal to familiarise themselves, from now, with the significant changes expected to be brought about by the regulatory requirements set out in the DORA, and to determine the courses of action necessary to implement the new requirements.
For further information on the proposed Regulation on digital operational resilience for the EU financial services sector (DORA) and how it may impact your business and operations, please do not hesitate to contact us at [email protected].
Author: Stephanie Marinova