The European Commission has published a proposed Regulation on digital operational resilience within the financial services sector in the EU. This will replace and harmonise existing guidance in relation to ICT and security risk management and will bring major ICT service providers directly within the scope of supervision by the European Supervisory Authorities. Here, we review the key takeaways from the proposal.
On 24 September 2020, the European Commission published the draft Regulation, which the Commission refers to as the Digital Operational Resilience Act (DORA), as part of a wider Digital Finance Strategy package to boost the development of digital finance while mitigating the associated risks.
Current EU requirements relating to ICT risk management in the financial services sector are scattered among various financial services legislation (such as the CRD IV, PSD2, Solvency II, EMIR and MIFID), and guidelines issued separately by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Market Authority (ESMA). As such, the applicable requirements differ between financial sub-sectors. Entities within banking services and (re)insurance are already facing requirements specifically in relation to external service providers and ICT risk management, while entities such as audit firms and trade repositories are currently subject only to broader risk management requirements that partially capture digital operational risks.
In contrast, the Commission's proposal amends existing legislation and lays out a single set of overriding mandatory rules in order to set a high common standard across the EU financial system. These rules cover a number of aspects relating to digital operational resilience including system maintenance, resilience testing, business continuity and disaster recovery, reporting of incidents and third party risks. It also encapsulates existing EBA and EIOPA Guidelines and builds on them, for example, by extending the application of contractual requirements with third parties beyond "outsourcing" arrangements or arrangements involving cloud service providers to all arrangements involving ICT services. Although the proposal does allow for a proportionate application of the new requirements by exempting microenterprises (ie. enterprises employing fewer than 10 persons and whose annual turnover does not exceed EUR 2 million) from certain requirements, the application of DORA is deliberately wide and kept uniform across different financial entities such as banks, insurance undertakings and investment firms alike.
This means that financial entities who are already within the scope of recently published EBA and EIOPA Guidelines will likely have fulfilled some elements of the new requirements by the time the Regulation comes into force, though such entities will still need to implement further changes in order to meet the higher standards introduced by DORA. Other financial entities will likely implement far more dramatic changes to their ICT risk management operations.
Importantly, the Regulation further proposes to bring major technology service providers which are considered "critical" to the EU financial system within the scope of the EBA, EIOPA and ESMA's oversight and supervision, in order to ensure that such service providers have effective procedures in place to manage the ICT risks they pose to financial entities. Under DORA, the authorities will be given a range of investigation powers, and failure on the part of the service provider to comply with the authorities' requests may result in the imposition of heavy penalties.
John Salmon, Technology Partner and Global Head of Blockchain at Hogan Lovells, says:
"The proposed digital operational resilience legislation is significant for raising the digital operational resilience bar for virtually the entire financial services sector within the EU. It is also significant by virtue of subjecting major technology providers to direct and continuous monitoring by financial services regulators for the first time, especially when taking into account the onerous daily penalty payment for non-compliance at the rate of 1% of the average daily worldwide in the preceding business year. Moreover, the draft DORA—introduced while financial entities are still getting to grips with the latest EBA and EIOPA Guidelines on outsourcings and ICT risk management—highlights the increasing level of focus which EU policymakers are placing on the risks stemming from the growing reliance of the financial system on ICT facilities, in terms of both internal ICT arrangements and third party service providers."
Key Takeaways from the proposal
Scope and Definitions
- The draft DORA will apply to a broad range of financial entities, including credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, issuers of asset referenced tokens and issuers of significant asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and ICT service providers.
- Notably, microenterprises are explicitly exempt from a number of requirements in the Regulation, such as the need to establish complex governance arrangements, in recognition of the differences between financial entities in terms of size, business profiles and exposure to digital risk. The Regulation also does not capture system operators on settlement finality in payment and securities settlement systems, due to the need for a further review of legal and policy matters regarding payment systems operated by central banks.
- Crucially, the Regulation will also bring major ICT service providers directly within the scope of supervision by the European Supervisory Authorities.
- The Commission proposes a number of definitions, most significantly:
- 'digital operational resilience' means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
- 'ICT' risk' means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology-dependant tool or process, of the operation and process running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects.
- 'ICT third-party service provider' means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres.
ICT risk management requirements
- The proposal sets out the basic requirement on financial entities to maintain a sound, comprehensive and well-documented ICT risk management framework.
- Financial entities will need to comply with numerous obligations in relation to ICT policies, protocols and tools, detection of anomalous mechanisms, response and recovery measures, backup policies, capabilities for reviewing ICT-related incidents and implementing lessons learned, and communication plans to enable responsible disclosure of ICT-related incidents.
- Further requirements are prescribed regarding the reporting of major ICT-related incidents, digital operational resilience testing, and information and intelligence sharing in relation to cyber threats and vulnerabilities.
ICT-related third-party risk
- The proposal prescribes measures for the sound management of risks arising from using ICT third-party service providers, such as the requirement to have in place contractual arrangements with the third party, to regularly review a strategy on ICT third-party risk, and maintain a register of information in relation to all contractual arrangements on the use of ICT services provided by third parties.
- Specific contractual provisions must be included in all contractual arrangements relating to the use of ICT services. This is notably more prescriptive than previously issued EBA and EIOPA Guidelines on outsourcing and use of cloud service providers, where most requirements for the inclusion of contractual provisions only applied in relation to the outsourcing of "critical or important" functions.
- Other derogations from the EBA Outsourcing Guidelines in relation to required contractual provisions include the obligation on the ICT third-party service provider to provide assistance in case of an ICT incident at no additional cost or at a cost that is determined in advance, and the requirement for the financial entity to have the right to "take copies" of relevant documentation for the purposes of monitoring the service provider's performance.
- The proposed Regulation also explicitly requires financial entities to carry out threat led penetration testing at least once every three years, including testing of the ICT third party service provider's systems. This goes further than the current EBA Outsourcing Guidelines which merely requires that credit institutions and investment firms subject to the CRD framework ensure that they are able to carry out security penetration where relevant.
Supervision of critical ICT third-party service providers
- The draft Regulation outlines an Oversight Framework at EU level, whereby the European Supervisory Authorities (ie. the EBA, EIOPA and ESMA) will act as Lead Overseers of critical ICT third-party service providers.
- The proposal sets out a mechanism and a set of quantitative and qualitative criteria for designating those ICT service providers that are "critical" due to the nature of the financial sector's reliance on such entities. Factors involved in making this assessment include, for example:
- the systemic impact on the continued provision of financial services in case the relevant ICT service provider suffers a large scale operational failure;
- the degree of substitutability of the ICT third-party service provider;
- the reliance of financial entities on the service provider in relation to critical or important functions; and
- the number of Member States in which the service provider provides its services.
- There will also be an option for ICT service providers to submit an application to be included in the Oversight Framework.
- Under the Oversight Framework, a designated service provider will be supervised by one of the Lead Overseers, who will be responsible for ensuring that the service provider effective arrangements in place to manage the ICT risks which it may pose to financial entities.
- The Lead Overseers will have wide powers to require access to documents, carry out on-site inspections, issue recommendations and instructions, and to require remedial actions.
- Steep penalty rates can be imposed on ICT service providers for non-compliance. A daily penalty payment of 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year can apply for up to six months as a consequence of non-compliance with information requests, requests to conduct inspections and requests for reports specifying remedial actions taken to in light of recommendations made by the Lead Overseer. Prior to imposing the penalty, however, the Lead Overseer must consult the Oversight Forum (composed of the Chairpersons of the ESAs, and one high-level representative from the relevant competent authority of each Member State), and must give the regulated service provider the opportunity to defend itself.
Sharing of cyber threat intelligence
- The proposal also includes provisions which encourage the development of "information sharing arrangements" among financial entities on cyber threat information and intelligence.
- The aim of this is to enhance the digital operational resilience of the financial services sector by raising awareness of ICT-related vulnerabilities, threat detection techniques, mitigation strategies, defensive capabilities and response or recovery stages.
- Financial entities will need to notify competent authorities of their participation of cessation of membership in such information-sharing arrangements.
The draft legislation will now be considered by the European Parliament and the Council of the EU—it is likely that the final version of the text will differ to some extent from the current proposal by the end of the legislative process.
It is worth noting that the draft DORA obliges the ESAs, in consultation with the European Union Agency on Cybersecurity (ENISA), to develop a number of regulatory technical standards, for the purposes of ICT risk management, including specifying appropriate security policies or protocols, and components of ICT business continuity/disaster recovery plans.