Commenting on the announcement from the French Presidency of the Council of the European Union and the European Parliament that a provisional interinstitutional agreement on the Digital Operational Resilience Act (DORA) has been reached, James Kemp, Managing Director at the Association for Financial Markets in Europe (AFME), said:
“This is an ambitious legislative proposal to streamline and harmonise the way financial entities and technology providers manage and mitigate technology risks.
“In particular, AFME welcomes the emphasis on ensuring a risk-based approach to how financial entities manage ICT risks. This is a positive development that will enable financial entities to implement ICT controls in a manner that is increasingly cost-effective and proportionate to risks, while maintaining alignment with existing European standards and guidelines.
“Amid significant technological change and the rapid pace of innovation, the rationale for DORA has become more important than ever for the EU. Despite the fact a provisional agreement has been reached, the completion of DORA will still take a number of years, due to the several Regulatory Technical Standards underpinning the legislation.
“For the project to succeed, it will be crucial that DORA takes into account the broad global context of digitisation, ensuring that the EU remains open to global sources of innovation, standards and markets.”
AFME:
- welcomes the fact that the provisions under DORA on how financial entities manage Information and Communication Technologies (ICT) risks have become more proportionate and risk-based. This is a positive development as it will enable financial entities to implement ICT controls in a manner that is increasingly cost-effective and proportionate to risks (i.e., risk-based). In addition, this approach maintains alignment with existing European regulatory guidelines on ICT risks (e.g., EBA Guidelines on ICT and Security Risk Management and Guidelines on Outsourcing Arrangements), thus increasing regulatory harmonisation in the EU, a key objective of the DORA proposal.
- stresses that financial entities' intragroup providers should be defined and exempted from key DORA provisions, such as the Oversight framework. Financial entities' ICT intragroup providers have been differentiated from external providers within the proposal through separate definitions. This will enable financial entities to differentiate ICT risks stemming from intragroup providers versus those stemming from external providers, with controls suited to the risk profile of each.
- very much welcomes that the initial limitations on the ability of EU financial entities to use third-country-based ICT third party providers and sub-outsourcing arrangements have been reduced under article 28.9. This now allows for providers to establish a ‘subsidiary’ in the Union to ensure enforcement of the Oversight framework under DORA, whilst maintaining EU competitiveness by avoiding the costly localisation of operations and technology.
- welcomes the limitation to the automatic termination of contracts between financial entities and ICT critical third party service providers. Due to the complexity and risks associated with contract termination, additional text has been incorporated into the proposal to guarantee the safe and secure transition to alternative providers if required.
- acknowledges that additional time has been provided to financial entities and ICT critical third parties to comply with DORA by extending the implementation window from 12 months to 24 months.
- ENDS -
Notes to Editors:
Background: Following the European Commission’s (EC) legislative proposal for a Digital Operational Resilience Act for the Financial Sector (DORA) on September 24th, 2020, the European Parliament (EP) and the Council have been negotiating their respective amendments in support of the finalisation of the proposal and its forthcoming implementation. Interinstitutional negotiations (known as ‘trialogues’) have been taking place since the beginning of the year with the aim of finalising the legislation before the summer.
Overall, several key areas of the legislative proposal have, throughout the negotiation period, incorporated amendments that increase alignment with industry considerations in ensuring DORA is fit for purpose and proportionate.