How will the EU’s Digital Operational Resiliency Act (DORA) introduce a comprehensive framework to improve the operational resilience of financial institutions in Europe? Vincenzo Dimase, Sales Readiness Director for Trading, explains.
- In September 2020, the EU published a draft regulation on digital operational resilience for the EU financial sector that would introduce a harmonised framework on digital operational resilience in Europe.
- The purpose of the EU’s Digital Operational Resiliency Act (DORA) is to work towards consistency in tackling digital operational risks and to align with the wider concept of increased robustness and the confidence of financial markets.
- DORA has two distinct sections. The first deals with financial entities, while the second focuses on the providers of technology services to those entities.
Digitalisation and operational resilience in the financial sector are two sides of the same challenge.
The current COVID-19 crisis has accelerated the digital agendas of many players in the financial industry ecosystem, and has resulted in increased attention on and investments in achieving better levels of operational resiliency.
This has translated into greater pressure on budgets and technology infrastructure reviews but has also provided opportunities to differentiate from competitors. In a new race for operational excellence, information and communication technologies (ICT) are now under the spotlight.
Why is digital operational resilience needed?
It can be argued that such an accelerated trend requires a legislative set-up to ensure there are shared rules for defining the correct frameworks, to create a level playing field and to improve the robustness of our markets. Such legislation may also be needed from a purely operational resiliency angle.
Digital operational resilience is the capacity of firms to build, assure and review their operational integrity to make sure they can withstand any disruption or threat in relation to information and communication technologies.
ICT risk management solutions are still fragmented, and some degree of inconsistency can be observed both at a global level and within EU member states themselves. This can become a source of unnecessary risk considering the level of interconnectedness between the operations of financial players and the cross-border infrastructure of their presence and operations.
A new set of rules for ICT
In September 2020, the European Commission published a draft regulation on digital operational resilience for the EU financial sector (DORA). The proposal’s aim is to introduce a harmonised and comprehensive framework on digital operational resilience for European financial institutions.
DORA is a key component of the wider Digital Finance package, which also offers proposals to regulate the EU’s crypto industry (Markets in Crypto-assets regulation – MiCA) and a pilot regime for market infrastructures based on distributed ledger technology.
Beyond a set of specific rules and requirements, DORA will cover not only financial entities but also a wider list of players, including trading venues, data reporting service providers, critical benchmark administrators, ICT service providers and more. At the same time, it may bring critical third-party service providers – e.g. cloud computing services – under the direct oversight of the European supervisory authorities (ESAs).
The objective of DORA is to mitigate ICT risks. It is designed to “consolidate and upgrade ICT risk requirements” across financial entities to guarantee that all firms are “subject to a common set of standards”.
In the current global, highly interconnected communities of financial ecosystems, a single incident or failure could lead to a systemic crisis scenario and consequently threaten the stability of financial networks across EU and beyond.
Having a full set of regulated measures and requirements addresses the need to achieve consistency in tackling digital operational risks and aligns with the wider concept of increased robustness and confidence in financial markets.
But such initiatives can put severe stress on the budgets and ICT resources of smaller players, to the point where it risks actually impacting their core strategies and innovation paths. To address this “size” issue, while the proposed set of rules will apply to all financial sector players, requirements are planned to be enforced proportionally, and to be tailored to a firm’s size and business profile.
Such an approach, not unknown in the EU regulatory framework, is designed to take into account scope and intensity, leveraging both qualitative and quantitative criteria.
In the light of the current Brexit transition, it is worth noting the similarities between DORA and the proposals set out in consultation papers issued by the UK’s Financial Conduct Authority and Prudential Regulation Authority in November 2019 on “building operational resilience” in the financial sector.
On an initial analysis, DORA defines several aspects of operational resilience in greater detail, for example with respect to reporting or governance arrangements. Consequently, financial entities with operations and networks in both the UK and the EU should consider carefully the requirements of both regulatory regimes.
DORA: the key pillars
In its current structure, DORA is built on two distinct sections: one addresses financial entities and the other the providers of technology services to those entities. This shows clearly that the new regulation is not limited to regulated firms in the financial sector.
The first section of DORA applies to a very wide spectrum of EU ‘financial entities’, including banks, insurers, payment service providers, trading venues, crypto-asset issuers, and crowdfunding service providers, among others. DORA’s obligations for financial entities include:
- ICT risk management
- Operational resilience testing
- Incidents classification and reporting
- ICT third-party risk management and critical ICT service providers
- Information sharing
ICT risk management: financial entities are required to create and maintain a solid, comprehensive and fully documented ICT risk management framework. This must cover a dedicated and comprehensive business continuity policy, disaster recovery plans and a related communications policy. Similarly, they will have to maintain ICT systems that they use, continuously identify sources of ICT risk, design and implement security and threat-prevention measures, and promptly detect anomalous activities.
Operational resilience testing: financial entities need to test their ICT risk management frameworks on a regular basis so that they can prove their readiness to handle any potential disruption, and also show that they are in a position to identify and resolve any particular failure. Testing requirements will be proportionate to a financial entity’s size, business and risk profile.
Incidents classification and reporting: financial entities need to establish and implement a robust ICT-related incident management process and to put in place early warning indicators of risk. Similarly, there is a need to classify ICT-related incidents according to prescribed criteria and report all major ICT-related incidents to national regulators. This appears to be a preferable scenario when compared with the existing fragmented incident-reporting landscape, and is further evidence of an attempt to harmonise the current set of rules.
ICT third-party risk management and critical ICT service providers: financial entities need to monitor risks in connection with their use of ICT services provided by third parties to assess any concentration risk and also to introduce standard terms in outsourcing contracts. The proposal sets a specific focus on outsourcing contractual rules and on those third-party ICT service providers deemed as critical for the digital operational resilience of financial entities, which triggers ESA surveillance on critical providers.
Information sharing: concerning interconnected ecosystems, DORA aims to facilitate procedures between financial entities in order to exchange information and intelligence on ICT risks and cyber threats. Similarly, the proposal for an EU hub for incident reporting can be welcomed as an interesting development and opportunity to collect intelligence on the most relevant incidents, therefore creating the basis for an improved ability to enhance detection of potential incidents and attacks.
Business providing ICT services
The second section of DORA is dedicated to those businesses that provide ICT services to financial entities. The objective of this pillar is to look at scenarios of risk concentration, with several financial services firms relying on a limited group of technology providers.
In line with this objective, DORA would allow the ESAs to designate some service providers as ‘critical’ to the functioning of the financial sector, e.g. providers of cloud computing services, software and data analytics. Consistency with the EBA outsourcing guidelines is also required.
One of the ESAs would then be designated as Lead Overseer for each critical third-party ICT service provider and would be granted unrestricted access to all the information – including all relevant business and operational documents, contracts and policies – it needs to perform its duties. At the same time, the Lead Overseer:
- would be permitted to perform on-site inspections of any premises of any ICT third-party service provider qualified as critical.
- could impose daily fines, for up to six months, of 1 percent of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year.
Overall, competent authorities will have all the supervisory, investigatory and sanctioning powers necessary to fulfil their duties under this regulation. EU member states should lay down rules establishing appropriate administrative penalties and remedial actions for breaches.
Increasing trust in the financial industry
While we can all agree on the positive ambition of the new proposed regulation and the need to move digital operational resilience under a dedicated and harmonised set of rules across the EU, it is similarly important to make sure it does not create additional compliance costs for companies in the already heavily regulated financial industry.
The underlying equation is that enhanced operational resilience translates into increased trust in the financial sector, which contributes to greater stability in our industry.
In a very interconnected financial ecosystem, ICT risk management is not a single country practice: risks are transnational and the objective of risk mitigation can only be achieved if all market players adopt similar standards.
Indeed, the list of counterparties covered by DORA is quite long and offers very few exceptions. Trading venues, credit rating agencies, administrators of critical benchmarks, data reporting service providers (ARMs, APAs and CTPs) and issuers of crypto-assets are also included.
The next steps in the legislative path are crucial to make sure some of the rules and criteria are fine-tuned and adjusted to reflect industry expectations, avoiding overlaps with existing regulations or any undesired effects. Examples include: the rules for qualifying an ICT third-party provider as critical, proportionality criteria, a multi-vendor approach and new outsourcing contract standards.
The draft legislation will be submitted to the EU Parliament and the Council of Ministers for review and adoption. We can expect the new regulation to become effective between 2023 and 2025, with certain articles becoming effective on a deferred basis.
Overall, DORA represents a pivotal point for achieving a harmonised EU set of rules on operational resilience for the financial industry, which is ever more dependent on digital technologies.