Digital operational resilience in the EU
How the new legislative framework impacts the market.
The financial market is increasingly reliant on information and communication technologies (ICT). Covid-19 has acted as a catalyst in this respect, as financial firms rely even more heavily on their digital systems, from remote access out of the home office to payment services and all manner of complex financial services. Meanwhile, the European Systemic Risk Board (ESRB) has identified cyber risk as one of the sources of systemic risk to the financial system, with potentially serious negative consequences for the global economy.
Several national supervisory authorities have already taken measures at national level, such as the German Federal Financial Supervisory Authority ("BaFin") with its Circular on Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT - BAIT). However, the requirements on firms to address ICT risk remain fragmented and inconsistent at EU level. This is particularly problematic because financial operations are usually highly interconnected and the underlying digital infrastructures are cross-jurisdictional.
In September 2020, the European Commission published its legislative proposals on digital operational resilience, comprising a draft regulation ("DORA") alongside a proposed directive. These proposals are part of a broader Digital Finance Strategy package which also includes a proposed regulation on markets in crypto-assets ("MiCA"), a pilot regime for distributed ledger technology market infrastructures, and a directive to clarify or amend certain related EU financial services rules. DORA largely builds upon the ECB's existing rules. However, even large institutions that are already subject to ECB supervision with respect to cyber risk and resilience may face new compliance obligations under DORA, which is why those affected should start preparing for the new requirements now.
Scope
Digital operational resilience is the capacity of firms to build, assure and review their operational integrity so that they can withstand all types of ICT-related disruptions and threats. DORA, as an EU Regulation, aims to establish a comprehensive, cross-sectoral digital operational resilience framework with rules applying to all regulated financial entities.
DORA has a very broad scope. It covers credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, CCPs, trading venues, trade repositories, AIFMs, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory audit and audit firms, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories and ICT third-party service providers.
However, DORA allows for a proportionate application of its requirements, acknowledging the significant differences between financial entities in terms of size, business profile and exposure to digital risk.
A new set of requirements
DORA regulates six key aspects of digital operational resilience:
Governance related requirements
In order to align the financial entity's business strategy with the conduct of its ICT risk management, the management body will be required to have internal controls and governance structures for ICT risk in place. These will cover, amongst other things, ICT-related functions, monitoring of the ICT risk management framework, approval and control processes, ICT investments and training.
ICT risk management requirements
DORA also requires financial entities to set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk and to continuously identify sources of ICT risk. In addition, they will be required to put in place protection and prevention measures as well as business continuity policies and disaster recovery plans.
ICT-related incident reporting
DORA aims to harmonise and streamline the reporting of ICT-related incidents. It will therefore oblige financial entities to establish a management process to monitor and log ICT-related incidents, followed by an obligation to classify them. Entities will be required to submit initial, intermediate and final reports on major ICT-related incidents to the competent authorities using harmonised reporting templates. Users and clients will need to be informed where an incident has, or may have, an impact on their financial interests.
Digital operational resilience testing
The ICT risk management framework will need to be tested periodically to assess preparedness, to identify weaknesses, deficiencies or gaps, and to ensure the prompt implementation of corrective measures. DORA allows for a proportionate application of the digital operational resilience testing requirements depending on the size, business and risk profile of the financial entity: only significant and cyber-mature entities will be required to conduct advanced testing based on threat-led penetration testing.
Third-party risk
DORA proposes a principles-based approach to financial entities' monitoring of the risks arising from their use of ICT services provided by third parties, and harmonises key elements of the service and the relationship with ICT third-party providers. Most notably, DORA will prescribe a number of contractual elements that must be included in agreements between financial entities and ICT third-party service providers.
When formally adopted, DORA will also bring critical ICT third-party service providers ("CTPPs"), such as cloud computing services, under the direct oversight of the European Supervisory Authorities (ESAs) by setting out a separate set of rules for them. Whether a provider is "critical" is determined by specific criteria, such as the systemic impact that an operational failure of the provider would have on financial services. This may even bring non-financial technology companies (eg cloud computing, data analytics or software companies) within the supervisory remit of the ESAs.
To this end, DORA proposes an "oversight framework" under which the ESAs' Joint Committee designates CTPPs. In particular, it will require CTPPs to have in place sound, comprehensive and effective rules, procedures and arrangements that are appropriate to manage the risks they may pose to financial entities and to overall financial stability. In addition, the ESA designated as lead overseer will have far-reaching powers, including an unrestricted right to access information and to conduct general investigations of ICT third-party service providers. Similarly far-reaching rules are, incidentally, currently being discussed in the context of a new act drawn up in response to the Wirecard scandal. Finally, CTPPs will be charged oversight fees designed to cover all expenditure necessary for the conduct of the oversight tasks.
Information sharing
The proposed legislation will allow financial entities to set up arrangements to exchange cyber threat information and intelligence amongst themselves, in order to raise awareness of ICT risk, minimise its spread, and support financial entities' defensive capabilities and threat detection techniques.
Supervising authority
Supervision of compliance with the regulation will sit with the financial entity's existing competent authority. DORA proposes minimum standards for the administrative penalties to be imposed by those authorities, without prejudice to a member state's right to impose criminal penalties under national law.
Conclusions
DORA is an important step towards a harmonised regulatory framework for operational resilience in EU financial services law. For the first time, it will bring the rules addressing ICT risk in finance together in a single piece of legislation. The rules are intended to cover a very broad range of financial entities, with the requirements applied proportionately depending on a firm's size and business profile.
DORA provides for a very detailed framework which goes much further than many of the existing national rules. Critics already argue that it constitutes yet another complex, costly and restrictive rule book.
It could also be argued that, for larger institutions, DORA might actually reduce regulatory complexity, which is currently spread across several pieces of legislation such as CRD IV, PSD2, Solvency II, EMIR and MiFID. For start-ups and other new entrants to the EU market, however, it is likely to pose a significant challenge, as it imposes severe and very detailed obligations on market participants and contains several mandates for EBA and ESMA to draft further regulatory technical standards (RTSs). In other words, market entry in particular will become substantially more costly. DORA may pose a real challenge for the still-developing crypto-asset market in particular, contrary to the original aim of supporting the growth of this new sector.
In addition, DORA will for the first time create a supervisory framework at EU level for ICT third-party service providers deemed "critical" for financial entities. This is intended to ensure that technology service providers performing a critical role in the functioning of the financial sector are adequately monitored on a harmonised, pan-European basis. However, the broad definition of CTPPs may even bring non-financial companies under the supervision of the regulatory authorities, with far-reaching consequences for them.
With its strict rules on ICT third-party service providers, DORA also narrows the pool of potential contract partners for financial entities, as those providers will be required to comply with stringent, appropriate and up-to-date information security standards. The same applies to the verification of sub-contracting arrangements. Given that negotiations with third-party service providers are usually difficult, DORA may help to rebalance the power between the delegating institution and the service provider.
The proposal remains subject to negotiation in the European Parliament and the Council of the European Union, where it can be expected to be discussed over the next 12 to 18 months. Further secondary legislation will be developed thereafter.