
European Commission introduces a legislative proposal for Regulation on digital operational resilience for the financial sector (DORA).



Copyright 2022 Christiana Aristidou LLC


On September 24th, 2020, the European Commission published the regulatory proposal titled “Regulation on digital operational resilience for the financial sector”, also known as “DORA”. It addresses the issue of Information and Communication Technology (ICT) incidents that have arisen along with the digitalisation of the financial sector, and mainly aims to improve the overall digital operational resilience of the sector. The proposed act is also known to be the first one within the digital financial package, which was adopted by the European Commission and whose purpose is to ensure consumer protection and financial stability. In November 2021, the Council of the European Union came to an agreement and, along with the European Parliament, will now enter into negotiations regarding the proposals. This is a step that allows for the modernisation of the European financial sector and encourages its digitalisation with harmonised rules, making the European Union a leading body in the world's financial digital transformation. The act is expected to be published after its finalisation during this year. It will then be passed into law by the EU Member States within the imposed timeframe after its publication, after which the regulation will be applied to the public.

DORA will be addressed to numerous financial institutions such as:

  • credit institutions
  • payment institutions
  • e-money institutions
  • investment firms
  • cryptoasset service providers
  • central securities depositories
  • UCITS management companies
  • crowdfunding service providers
  • and ICT third-party service providers.

This act will require financial legal entities within the EU to ensure that frameworks and internal governing bodies are in place that will be able to control ICT-related risks. It will also be a requirement that a risk management framework is set up that is well oriented, comprehensive and accurate. The act will also provide that ICT systems and everything related to them should constantly be maintained and updated, so that they are able to operate at the highest level possible and to recognise and take into account any ICT risks that are likely to arise; in particular, this refers to configurations that are concerned with internal as well as external ICT systems. Additionally, the act will include obligations for financial entities to comply with the measures that it puts in place. Another of the requirements is that financial businesses will have to introduce an ICT Business Continuity Policy, which will help ensure the detection of, prevention of and protection from ICT threats. This can also be done with standards that will be set in place to monitor the capability and effectiveness of what is included in the digital financial package. Such threats will also have to be categorised and classified according to the criteria that will be imposed by a Joint Committee of the European Supervisory Authorities. Businesses will also have to report any large-scale ICT incidents to the relevant authority within the given timeframe. The regulation will also allow financial businesses to share among themselves intelligence and details about cyber threats, such as strategies, procedures and techniques, as well as configuration tools and indicators of potential compromise.

The DORA also addresses, in a separate set of rules, the matter of ICT critical third-party service providers (CTPPs); these provisions will be determined by the European Supervisory Authorities (ESAs) Joint Committee in accordance with the proposed Act. An Oversight Framework of CTPPs also has to be established by the financial entities and applied accordingly. It will be accountable for various matters relating to CTPPs, such as making sure that reasonable, effective and detailed regulations are in place that aim to eliminate and manage any potentially harmful threats arising from CTPPs. Moreover, a Lead Overseer, who will be one of the ESAs, will have to be introduced. The Lead Overseer will have the right to obtain any information that it may regard as necessary, and will also have the authority to conduct investigations on ICT third-party service providers if it deems this necessary. The European Commission has therefore demonstrated a great focus on ICT third-party service providers, which will allow for more safeguarded procedures within the digital financial sector.

Implementing regulations on the digital financial sector allows consumers to be more confident in using digital finance, as the digital-friendly rules provide them with more safety should any digital finance issues or associated risks arise. The DORA also provides a clearer picture for EU financial regulators and executives, who will be able to focus their attention on maintaining resilient operations through any potential operational disruption in the digital finance sector. With the implementation of the Digital Finance Package, the EU will try to provide a harmonised set of rules that will aid the development of digital finance.

The proposal can be accessed here