EU proposal to tackle digital risks and build operational resilience in the financial sector

As technology firmly embeds itself into every aspect of financial services, policy makers are increasingly looking at the sector’s exposure to the risks of this digitalisation. One response from the European Commission is to beef up the EU’s rules on ICT risk via a Digital Operational Resilience Act. As well as imposing new rules on financial entities, DORA could see some technology providers subject to the scrutiny of the EU financial supervisors.

Introducing DORA

The draft Digital Operational Resilience Act is part of a suite of materials published under the European Commission’s new Digital Finance Strategy. The Strategy also includes a proposal to regulate the EU’s crypto industry and a pilot DLT sandbox.

As drafted, DORA has two distinct parts. The first applies to financial entities. The second is relevant to providers of technology services to those financial entities.

DORA explored: key points to note for financial entities

The first part of DORA applies to a very wide spectrum of EU “financial entities”, including banks, insurers, payment service providers, crypto-asset issuers and service providers, and crowdfunding service providers. Financial entities identified as “significant and cyber-mature” would be subject to the most onerous obligations.

The obligations which DORA would impose on “financial entities” include:

  • ICT risk management: Financial entities would be required to create and maintain a sound, comprehensive and well-documented ICT risk management framework. This must include a dedicated and comprehensive business continuity policy, disaster recovery plans and a communications policy. Alongside this framework, financial entities would have to use and maintain ICT systems that meet certain requirements, identify all sources of ICT risk on a continuous basis, design and implement security and threat-prevention measures, and promptly detect anomalous activities.
  • Incident reporting: DORA would require financial entities to establish and implement a robust ICT-related incident management process and to put in place early warning indicators. Financial entities would have to classify ICT-related incidents according to prescribed criteria to be developed by a Joint Committee of the European Supervisory Authorities (ESAs) and report “major” ICT-related incidents to their national regulator.
  • Information sharing: DORA would allow financial entities to exchange cyber-threat information and intelligence, provided this exchange is, amongst other things, aimed at enhancing digital operational resilience.
  • ICT third-party risk: DORA would prescribe certain strict content requirements for contracts between financial entities and ICT third-party service providers, including the circumstances in which such contracts must be terminated.

Many aspects of the draft rules are similar to the UK’s proposals for building operational resilience in financial services.

Impact on ICT third-party service providers

DORA is not limited to regulated firms in the financial sector. The second part of DORA would impact businesses which provide ICT services to those financial entities. This is in part to respond to fears of concentration risk i.e. where many financial services firms rely on a handful of technology providers.

As drafted, DORA would allow the ESAs to designate certain service providers – including providers of cloud computing services, software, and data analytics – as being “critical” to the functioning of the financial sector.

One of the ESAs would then be appointed as Lead Overseer for every critical third-party ICT service provider. That ESA would monitor whether the ICT service provider has in place comprehensive, sound and effective rules, procedures and mechanisms to manage the ICT risks which it may pose to financial entities.

The Lead Overseer would have an unrestricted right to access all information that is necessary to carry out its duties, including all relevant business and operational documents, contracts and policies. The Lead Overseer would also be granted powers to conduct on-site inspections of any premises of critical ICT third-party service providers.

Critical ICT third-party service providers would be expected to cooperate “in good faith” with the Lead Overseer. If they fail to comply, the Lead Overseer may impose daily fines for up to six months of 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year.

The ESAs would also charge oversight fees to critical ICT third-party service providers. The amount of a fees charged will cover all administrative costs of oversight and be “proportionate” to the turnover of the critical ICT third-party service provider.

What happens next?

The proposal is now going through the EU’s ordinary legislative procedure. The aim is to have the three regulations in the Digital Finance Package in full effect by 2024. Please get in touch if you have any questions.