Increased utility and reliance on information and communication technology has resulted in increased cyber threats to companies and organisations. As the risk of cyber-attacks increases, the European Union’s proposed Digital Operational Resilience Act is set to prevent and mitigate this risk by strengthening digital operational resilience in the financial services sector. But how does the EU intend to accomplish this?
The Digital Operational Resilience Act (‘DORA’) is a new regulation likely to be implemented towards the end of 2022 by the European Union (‘EU’) and will be incorporated into the law of each EU member state.
Provisional agreement was reached on DORA by the EU Council and European Parliament in May 2022. DORA will provide a common framework, for financial services firms in the EU, including critical third parties which provide information and communication technology (‘ICT’) related services to these firms, to strengthen digital operational resilience.
Increased digitalisation and interconnectedness have contributed to the financial sector’s ever-increasing use of ICT. The critical relevance of, and reliance on, ICT brings with it increased technological and cyber risk which “continue to pose a challenge to the operational resilience, performance and stability of the EU financial system”.1
In April 2019, European Supervisory Authorities (ESAs)2 collectively issued technical advice “calling for a coherent approach to ICT risk in finance and recommending to strengthen, in a proportionate way, the digital operational resilience of the financial services industry through a Union sector-specific initiative”.3
The result was the publication, by the European Commission, of the first draft of DORA in September 2020 with its principal aim being to prevent and mitigate cyber risks. As well as strengthening the financial sector’s resilience to ICT related incidents, DORA intends to reduce diverging approaches to digital operational resilience, increase the level of harmonisation in the EU by removing uncoordinated national initiatives and introduce a single set of rules on operational resilience across the EU financial system.
ICT third party providers, including cloud service providers, which supply services to financial services firms, could be designated as critical pursuant to DORA based on several factors, including the number of financial services firms reliant on the provision of the service provided. Should they be designated a critical third party provider, they are likely to fall within the regulatory perimeter of the ESAs.
DORA will introduce prescriptive requirements and criteria across the EU on how the financial sector manages ICT and cyber risk. This harmonised approach to digital and operational resilience should ensure that ICT systems in the financial sector are sufficiently robust to fend off security threats, maintain resilient operations through, and recover from, a severe operational disruption4 and monitor critical third-party ICT providers.
Disparities between applicable rules in digital operational resilience in EU member states have been obstacles to the single market in the EU financial services sector because firms which engage in cross-border activities encounter varying regulatory requirements and/or supervisory expectations.5 Firms which operate in both the EU and the UK should be aware of the varying approaches to operational resilience.
The UK has seen an increased focus on operational resilience. On 31 March 2022, the Financial Conduct Authority implemented new rules and guidance on operational resilience for the UK financial services sector.6 Where DORA provides a detailed legislative framework, the UK regime is less prescriptive, has a broader focus and is set out in both guidance (which is not binding) and rules (which create binding obligations).
However, these asymmetries are set to diminish with HM Treasury confirming its intention to legislate to enable UK financial regulators7 to directly oversee services that critical third parties provide to firms.8 Like DORA, this will enable UK financial regulators “to ensure that services critical third parties provide to firms in the finance sector are resilient, thereby reducing the risk of systemic disruption”.9 Under the proposed regime UK financial regulators are likely to be able to exercise a range of powers over unregulated entities including: making rules pertaining to the services of critical third parties; gathering information from critical third parties; and taking enforcement against them.
The introduction of DORA should result in a more consistent supervisory approach to regulating the EU financial sector and help to strengthen supervisory effectiveness10 with the UK financial sector set to follow suit.
Prior to the implementation of DORA, firms and organisations in the EU financial sector, including their ICT service providers, may want to begin assessing how the introduction of DORA will impact them and what steps may need to be taken to meet the requirements of this new regulation.
Firms may also want to ensure that they have adequate cybersecurity insurance cover to manage cyber risk if it is the subject of a cyber-attack. WTW can discuss your insurance coverage and cyber risk requirements to assist you in making informed decisions around your cyber risk management programme.
1 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&rid=10 – page 0
2 Comprised of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)
3 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&rid=10 – page 14
4 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/
5 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&rid=10 – page 2
6 https://www.handbook.fca.org.uk/handbook/SYSC/15A/2.html
7 HMT has consulted with the Bank of England, Prudential Regulation Authority and the Financial Conduct Authority. Policy Paper “Critical third parties finance sector: policy statement” para 1.4 https://www.gov.uk/government/publications/critical-third-parties-to-the-finance-sector-policy-statement/critical-third-parties-to-the-finance-sector-policy-statement
8 Policy Paper “Critical third parties finance sector: policy statement” https://www.gov.uk/government/publications/critical-third-parties-to-the-finance-sector-policy-statement/critical-third-parties-to-the-finance-sector-policy-statement.
9 Policy Paper “Critical third parties finance sector: policy statement” para 1.11 https://www.gov.uk/government/publications/critical-third-parties-to-the-finance-sector-policy-statement/critical-third-parties-to-the-finance-sector-policy-statement
10 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&rid=10 – page 0
