Views: 30
The three European supervisory authorities: the European Banking Authority, EBA; the European Insurance and Occupational Pensions Authority, EIOPA, and the European Securities and Markets Authority, ESMA are preparing a set of policy actions facing a final regulation’s application date in January 2025. Besides, the DORA regulation empowers the Commission to adopt delegated and implementing acts to specify how competent authorities and market participants shall comply with the obligations laid down in the regulation.
Introduction
In the digital age, information and communication technology, ICT supports complex systems used for everyday activities; it keeps states’ economies running in key sectors, including the financial one, and enhances the functioning of the internal market. Increased digitalisation and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are today core features of the activities of the EU and the state’s financial entities, their digital resilience has yet to be better addressed and integrated into their broader operational frameworks.
The use of ICT has in the past decades gained a pivotal role in the provision of financial services; it has already acquired a critical importance in the operation of typical daily functions of all financial entities. Digitalisation now covers, for instance, payments, which have increasingly moved from cash and paper-based methods to the use of digital solutions, as well as securities clearing and settlement, electronic and algorithmic trading, lending and funding operations, peer-to-peer finance, credit rating, claim management and back-office operations. The insurance sector has also been transformed by the use of ICT: i.e. from the emergence of insurance intermediaries offering their services online operating with insurance technology (Ins-Tech), to digital insurance underwriting. Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554
Background
Digital Operational Resilience Act, DORA is aimed at strengthening the IT security of numerous financial entities such as banks, insurance companies and investment firms while making sure that the financial sector in the EU and in the member states is able to stay resilient in the event of a severe operational disruption.
DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers. Already in April 2019, the three EU authorities jointly issued technical advice calling for a coherent approach to ICT risk in finance and recommending to strengthen (in a proportionate way) the digital operational resilience of the financial services industry through a sector-specific initiative of the whole Union.
During June-September 2023, the EU were holding public consultation on the “first batch” of policy products [according to DORA art. 15, 16(3), 18(3), 28(9) and 28(10)]. The discussions included four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). The ITSs were aimed at ensuring a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management (see below).
Source: https://www.eiopa.europa.eu/consultations/joint-consultation-first-batch-dora-policy-products_en
During December 2023 – March 2024, the three European supervisory authorities: the EBA, the EIOPA and the ESMA conducted the “second batch” of policy’s consultations followed by a wide public consultation on 13 policy instruments, presented in two batches. The second batch included the following issues: – RTS and ITS on content, timelines and templates on incident reporting; – GL on aggregated costs and losses from major incidents; – RTS on subcontracting of critical or important functions; – RTS on oversight harmonisation; – GL on oversight cooperation between ESAs and competent authorities; and – RTS on threat-led penetration testing (TLPT).
Finally, DORA Regulation aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various EU legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle all components of operational resilience. The operational risk rules in those legal acts, often followed traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risk) rather than targeted qualitative rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities. Those acts were primarily meant to cover and update essential rules on prudential supervision, market integrity or conduct.
By consolidating and upgrading the different rules on ICT risk, all provisions addressing digital risk in the financial sector should for the first time be brought together in a consistent manner in one single legislative act. Therefore, DORA fills in the gaps or remedies inconsistencies in some of the prior legal acts, including in relation to the terminology used therein, and explicitly refers to ICT risk via targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring. Thus, DORA should also raise awareness of ICT risk and acknowledge that ICT incidents and a lack of operational resilience do not jeopardize the soundness of financial entities.
More in the DORA Regulation at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554
Covering spheres
– ICT risk management: principles and requirements on ICT risk management framework
– ICT third-party risk management: monitoring third-party risk providers and key contractual provisions
– Digital operational resilience testing: basic and advanced testing
– ICT-related incidents: general requirements and reporting of major ICT-related incidents to competent authorities
– Information sharing: exchange of information and intelligence on cyber threats, and
– Oversight of critical third-party providers: oversight framework for critical ICT third-party providers.
Source: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
Voluntary collection of contractual information
The European Supervisory Authorities, the ESA which includes the EBA, EIOPA and ESMA, announced in mid-April 2024 that the launch in May the voluntary exercise for the collection of the registers of information of contractual arrangements on the use of ICT third-party service providers by the financial entities. As soon as DORA enters into force in 2025, the financial entities will have to maintain registers of information regarding their use of ICT third-party providers. This information will be collected from financial entities through their competent authorities and will serve as preparation for the implementation and reporting of registers of information under DORA.
The ESAs and the competent authorities have introduced this voluntary exercise to help financial entities prepare for establishing their register of information, gathering the relevant information specified in the ESAs’ final draft implementing standards on the registers of information and reporting their registers of information to their respective competent authorities, who will, in turn, provide those to the ESAs.
Financial entities participating in the exercise will receive support from the ESAs to: a) build their register of information in the format as close as possible to the steady-state reporting from 2025, b) test the reporting process, c) address data quality issues, and d) improve internal processes and quality of their registers of information.
As part of the exercise, the ESAs will provide feedback on data quality to financial entities participating, return cleaned files with their register of information, organise workshops and respond to frequently asked questions.
As was mentioned above, although the regulation entered into force in mid-January 2023, it is to be applied in the member states from 17 January 2025.
Reference to: https://www.eiopa.europa.eu/esas-run-voluntary-dry-run-exercise-prepare-industry-next-stage-dora-implementation-2024-04-11_en
Additional information on the EU-wide financial services and supervision in:
https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/overview-financial-services-legislation_en