As technology firmly embeds itself into every aspect of financial services, policy makers are increasingly looking at the sector’s exposure to the risks of this digitalisation. One response from the European Commission is to expand the EU’s rules on ICT risk via a Digital Operational Resilience Act (DORA). The European Commission published the DORA Proposal on 24th September 2020 as part of the broader Digital Finance package.
The Digital Operational Resilience Act addresses a number of important topics for financial entities using ICT services, from incident reporting to operational resilience testing and third-party risk management, with the objective of enhancing the digital resilience of the European financial system. At the same time, the oversight framework for critical third-party providers under DORA could create a genuine opportunity to enhance understanding, transparency, and trust among ICT service providers, financial entities, and financial regulators, and ultimately stimulate innovation in the financial sector in Europe.
The key areas addressed by the Digital Operational Resilience Act include measures to:
- enhance and streamline the financial entities’ conduct of ICT risk management;
- establish thorough testing of ICT systems;
- increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities;
- introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers (TPPs);
- create a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities and strengthen supervisory effectiveness.
Impact of Digital Operational Resilience Act on EU Financial Entities
The Digital Operational Resilience Act applies to a very wide spectrum of EU financial entities, including banks, insurers, payment service providers, crypto-asset issuers and service providers, and crowdfunding service providers. The obligations which DORA would impose on financial entities include:
- ICT risk management: Financial entities would be required to create and maintain a sound, comprehensive and well-documented ICT risk management framework. This must include a dedicated and comprehensive business continuity policy, disaster recovery plans and a communications policy. Alongside this framework, financial entities would have to use and maintain ICT systems that meet certain requirements, identify all sources of ICT risk on a continuous basis, design and implement security and threat-prevention measures, and promptly detect anomalous activities.
- Incident reporting: DORA would require financial entities to establish and implement a robust ICT-related incident management process and to put in place early warning indicators. Financial entities would have to classify ICT-related incidents according to prescribed criteria to be developed by a Joint Committee of the European Supervisory Authorities (ESAs) and report “major” ICT-related incidents to their national regulator.
- Information sharing: DORA would allow financial entities to exchange cyber-threat information and intelligence, provided this exchange is, amongst other things, aimed at enhancing digital operational resilience.
- ICT third-party risk: The Digital Operational Resilience Act would prescribe certain strict content requirements for contracts between financial entities and ICT third-party service providers, including the circumstances in which such contracts must be terminated.
Impact of Digital Operational Resilience Act on ICT third-party service providers
The Digital Operational Resilience Act will also impact businesses which provide ICT services to those financial entities. This is in part a response to fears of concentration risk, that is, where many financial services firms rely on a handful of technology providers.
The Digital Operational Resilience Act would allow the ESAs to designate certain service providers – including providers of cloud computing services, software, and data analytics – as being “critical” to the functioning of the financial sector. One of the ESAs would then be appointed as Lead Overseer for every critical third-party ICT service provider. That ESA would monitor whether the ICT service provider has in place comprehensive, sound and effective rules, procedures and mechanisms to manage the ICT risks which it may pose to financial entities.
The Lead Overseer would have an unrestricted right to access all information that is necessary to carry out its duties, including all relevant business and operational documents, contracts and policies. The Lead Overseer would also be granted powers to conduct on-site inspections of any premises of critical ICT third-party service providers.
All provisions addressing digital risk in finance would for the first time be brought together in a single legislative act, the Digital Operational Resilience Act. Moreover, this Regulation establishes an Oversight Framework which applies to all critical ICT TPPs. The proposal is now going through the EU’s ordinary legislative procedure. The aim is to have the three regulations in the Digital Finance Package in full effect by 2024. Legislative review of complex files can take between 18 and 24 months, followed by a transition period that will be prescribed in a final legal act. Stakeholders are therefore encouraged to engage in the legislative review from its early stages.
At Valsen Fiduciaries, we are committed to being a constructive voice as we engage in legislative review. Please get in touch if you need any further information and/or clarification about the Digital Operational Resilience Act legislation proposal.