Clifford Chance

The European Commission unveils wide-ranging proposals to regulate digital operational resilience in financial services.

On 24 September 2020, the European Commission unveiled its legislative proposals on digital operational resilience, comprising a draft regulation ("DORA") alongside a proposed directive. These proposals are part of a broader Digital Finance Strategy package which also includes proposals for regulating the market in crypto-assets, a pilot regime on distributed ledger technology market infrastructure, and a directive to clarify or amend certain related EU financial services rules.

What is digital operational resilience?

Digital operational resilience is the capacity of firms to build, assure and review their operational integrity to ensure that they can withstand all types of disruptions and threats relating to Information and Communication Technologies ("ICT").

What does the current regulatory landscape look like and why is harmonisation needed?

The Commission acknowledged that at state level, policymakers and supervisors have increasingly focused on risks stemming from reliance on ICT. They have sought to enhance firms' resilience by setting standards and coordinating regulatory supervision frameworks. However, financial and digital requirements on firms to address ICT risk are still fragmented and inconsistent between member states. This is particularly problematic as financial firms operate in a highly interconnected manner often with extensive cross-border infrastructure.

What does DORA aim to achieve and who does it impact?

DORA aims to put in place a detailed and comprehensive framework on digital operational resilience for EU financial entities. DORA will, for the first time, bring rules addressing ICT risk in finance together into one single piece of legislation. The rules are intended to cover a very broad range of financial service entities with the requirements being applied proportionally depending on a firm's size and business profile. 

In addition, DORA will for the first time create an EU-level oversight framework to identify and oversee ICT third party service providers deemed "critical" for financial entities. This identification is based on specific criteria such as the systemic impact of an operational failure at the provider on the provision of financial services, and could effectively result in major non-financial technology companies which provide, for example, cloud computing, data analytics or software, being brought within EU oversight. 

What are the key proposals under DORA?

DORA identifies five key aspects of digital operational resilience which financial entities need to address.

A.    Management of ICT risks

DORA sets out key principles around internal controls and governance structures. A financial entity's senior management will be expected to be responsible for defining, approving, overseeing and being continuously accountable for a firm's ICT risk management framework. The financial entity will also be expected to:

• set-up and maintain resilient ICT systems and tools that identify and minimise ICT risk;
• put in place dedicated and comprehensive business continuity policies, disaster and recovery plans and back-up policies for ICT disruptions;
• have qualified staff suited to its size, business and risk profile; and
• put in place adequate incident reviews following significant incidents to ensure lessons are learnt and continuous improvements made.

B.     Classification and reporting of incidents

DORA proposes to harmonise incident reporting processes and documentation. This includes requiring financial entities to:

• establish procedures to identify, track and classify ICT-related incidents; and
• report major ICT-related incidents to national authorities using harmonised reporting templates, who in turn will provide these details to a single European point of contact.

C.     Digital operational resilience testing

DORA will require financial entities to periodically test their ICT risk management frameworks. This testing is intended to confirm that firms are prepared for a disruption and are able to identify and address weaknesses, deficiencies or gaps. Testing requirements will be proportionate to a financial entity's size, business and risk profile.

D.    Managing third-party risk and regulating critical ICT service providers

DORA will require financial entities to monitor risks in connection with their use of ICT services provided by third parties. This will be achieved by:

• requiring financial entities to assess any concentration risk resulting from the engagement of the third-party service provider and any sub-outsourcing arrangements; and
• harmonising aspects of financial entities' relationships with third-party service providers. In particular, outsourcing contracts will be required to contain specific provisions and information with the intention of standardising terms where possible.

As set out above, DORA also contemplates the creation of an EU-level oversight framework to identify and oversee ICT third party service providers deemed "critical" for financial entities. Each critical ICT third party service provider will be assigned a lead overseer, to be one of either the EBA, ESMA or EIOPA, who will assess whether the service provider has in place comprehensive arrangements to manage the ICT risks which it may pose to financial entities and will have the power to impose penalties for non-cooperation.

E.     Information sharing

DORA will facilitate arrangements between financial entities to exchange cyber threat information and intelligence amongst themselves.

Who will provide regulatory oversight?

DORA anticipates that oversight for compliance with the regulations will sit with the financial entity's existing competent authority. DORA proposes minimum standards for administrative penalties to be imposed by these authorities, without prejudice to a member state's right to impose criminal penalties under national law.

How does DORA compare with the current operational resilience proposals in the UK?

There are many parallels between DORA and the proposals set out in consultation papers issued last November by the UK's Financial Conduct Authority and Prudential Regulation Authority, for example with respect to risk management, testing and lessons learnt. However, DORA codifies several aspects of operational resilience in greater detail, for example with respect to reporting or governance arrangements, as well as considering certain areas not materially addressed by the UK proposals, such as the treatment of critical third-party service providers. Accordingly, financial entities with networks in both the UK and the EU will need to take care to ensure that the requirements of both regulatory regimes are met.

What are the next steps?

The proposal remains subject to the agreement of the European Parliament and the European Council.