Commenting on the latest set of Digital Operational Resilience Act (DORA) publications, published today by the European Supervisory Authorities and outlining the ambitious timeframe for implementation, James Kemp, Managing Director at the Association for Financial Markets in Europe (AFME), said:
“There is now only a year until the application of DORA – the EU’s milestone Digital Operational Resilience Act, which has unprecedented and far-reaching requirements. DORA is intended to harmonise risk management frameworks for ICT services and banks have until January next year to ensure they and their suppliers are compliant.
“This ambitious 12-month window until implementation is a particular concern because many of the incoming risk management practices are having to be set up manually from scratch, due to authorities’ failure to leverage existing policies and frameworks (for example the ICT Risk Management Guidelines and EBA Outsourcing Guidelines). The pace and scale of the challenge associated with implementation should not be underestimated. This latest set of technical standards will regrettably exacerbate the challenge facing banks and financial entities in taking forward those preparations.
“In particular, AFME is concerned that without a proportionate and phased approach to enforcement, the obligations on supplier contracts will cause major disruption. The idea that banks can renegotiate all their third-party contracts within 12 months is unrealistic, especially when many of these contracts are group-wide global arrangements with providers who are themselves not based within the EU. Between now and January 2025, AFME strongly encourages the EU authorities to engage with industry on how firms should be rationalising these requirements. We recommend this be done on a forward-looking basis upon contract renewal.
“Proportionality is similarly required on the establishment of the incoming Registers of Information. It is positive that the ESAs have made changes in their final advice to certain problematic earlier proposals, for example dropping the requirement that firms update registers on an ongoing basis and limiting certain reporting requirements to critical or important functions only. Nevertheless, the use of new data fields and formats will impede firms in efficiently pulling data from those registers already in existence.
“Ultimately, the Digital Operational Resilience Act was designed to bolster the resilience of the financial system with a special focus on the growing importance of third-party providers in the digital age. It would be self-defeating if the implementation of this milestone regulation, which has the support of industry in principle, caused disruption.”
Specifically, AFME suggests:
- Applying the policy for ICT Suppliers on a forward-looking basis: the incoming policy, and related contractual requirements, should be applied only on a forward-looking basis with financial entities permitted to implement the new requirements upon contract renewal, rather than necessitating off-cycle remediation. At the very least, banks should be permitted to prioritise their material contractors, rather than seeking to capture the whole supply chain in a single year.
- Removing the overlap with existing EBA Outsourcing Guidelines: AFME calls on the ESAs to address the overlap between the two sets of guidelines as a priority and to allow firms to demonstrate their DORA compliance through existing practices and structures where possible.
- Embedding the proportionate approach to the Register of Information: AFME urges the supervisors to build on the amendments within the final report, by focusing their information requests on material outsourcing arrangements, at least in the first year of the Register. We also welcome the decision to remove certain new concepts such as an ICT service identifier.
- Safeguarding the harmonised Incident Reporting framework: AFME flags that the harmonisation objectives of DORA are being fragmented before they even come into practice, owing to the plethora of horizontal regulatory proposals being taken forward by other parts of the Commission. DG-FISMA must take a more proactive stance in safeguarding the DORA framework from overlapping and inconsistent proposals, particularly the incoming Cyber Resilience Act, which is causing growing alarm amongst industry through its duplicative approach.
- ENDS -