The European Parliament voted on 10 November 2022, to adopt a new EU regulation on digital operational resilience for financial services (FS) firms ('DORA').
DORA still needs to be formally approved by the Council of the EU before being published in the Official Journal, which is expected in December 2022 or January 2023.
Digital resilience form FS firms will be introduced via the requirements on ICT risk management and ICT-related incident reporting. DORA will seek to harmonise digital resilience in the EU.
DORA creates a regulatory framework on digital operational resilience whereby all in-scope firms need to ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions. Actively managing threats by having the adequate systems in place.
The EU's Digital Financial Package ('DFP')
DORA forms part of the DFP, aiming to harmonise and develop the EU's approach to digital finance, which aids technological development, ensures financial stability and (the most important one) consumer protection.
Markets in cryptoassets (MiCA), distributed ledger technology (DLT) and a digital finance strategy, also form part of the DFP.
What are the key obligations?
In order for Financial Entities to withstand, respond to, and recover from ICT incidents. DORA's introduction prescribes specific rules on ICT management capability, reporting and testing.
The proposals include requirements in relation to the following:
- ICT Risk Management
- Reporting of ICT-related incidents
- Information sharing
DORA is expected to apply to in-scope entities until late 2024, firms should now begin to consider the steps that need to be taken to ensure compliance and avoid sanctions.
What is the UK's position since leaving the EU?
The UK has introduced a Financial Services and Markets Bill. The Bill includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures.
The proposed Bill provides HM treasury with powers to designate service suppliers as 'critical'. The UK regulators would have new powers to directly supervise designated suppliers, which would be subject to new minimum resilience standards.
Whilst the UK's bill has been proposed with the same ambitions as the EU - due to the similar requirements under DORA.
The key differences include:
Critical ICT Third-Party Providers
- The ESAs will be designated as 'lead overseers' - with powers to only make 'recommendations'.
- Non-compliance by a Critical ICT-Third Party Provider with recommendations gives the 'Lead Overseer' the power to notify and publicise non-compliance as 'last resort'.
- The option to require Financial Entities to temporarily suspend services provided by the provider until the relevant risks identified in the recommendations have been addressed.
Financial Services and Markets Bill - UK
- UK regulators are prescribed powers to make rules applying to, or to give directors to, critical third parties.
- The ability to issue sanctions for non-compliance.
Who will fall within scope of DORA?
DORA will apply to financial services entities, including: credit institutions, payment institutions, e-money institutions, investment firms, cryptoasset service providers (authorised under MiCA) and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, manages of alternative investment funds and management companies, data repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary, insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories (Financial Entities).
The list continues..
DORA will also apply to ICT third-party service providers which the European Supervisory Authorities (the European Banking Authority (EBA), the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, acting through their Joint Committee) (ESAs) designate as "critical" for Financial Entities (Critical ICT Third-Party Providers).
If you require any further information or assistance, please do not hesitate to get in touch: email@example.com