The pandemic has shown that the future will be digital, and the pace of this evolution is accelerating. Innovation and the adoption of new technology promise to deliver efficiency gains to the economy, enabling businesses and clients to interact more quickly and at lower cost, all of which will support the economic recovery.
With the publication of the EU Digital Finance Strategy in September 2020[1], a five-year plan by the European Commission to transform EU financial services into a truly integrated digital single market, the EU has set an ambitious roadmap to become a major player in the digital economy. This is underpinned by several initiatives and regulatory reforms, such as DORA (the Digital Operational Resilience Act)[2]. DORA will lay the foundation for a harmonised, secure and resilient EU digital financial sector.
However, while the EU’s ambitions and the rapid digital transformation of financial services are positive, it is important to ensure that the quality and implementation of regulatory reform remain a central component of the EU’s work programme. Crucially, new regulatory frameworks should strike the appropriate balance between promoting security and resilience and fostering innovation.
The importance of digital operational resilience
Digital operational resilience is the ability to build, test and continuously improve the technological and operational integrity of an organisation[3]. It aims to ensure that an organisation can guarantee the continuity and quality of its services in the face of operational disruptions impacting its information and communication technologies (ICT).
As identified in the DORA proposal, the existing EU regulatory framework for the management of ICT risks has so far been fragmented. For instance, when financial entities have to report cyber incidents to regulatory authorities, they are subject to various frameworks, each with its own terminology and reporting template (e.g. the NIS Directive, PSD2 and the GDPR). This fragmentation dramatically increases the pressure on financial entities, since in parallel they are in a race against time to safely recover and protect their business from a potentially major cyber-threat. DORA aims to harmonise these requirements and ensure that all stakeholders in the financial sector have the necessary security measures in place to prevent or mitigate ICT risks.
With the adoption of this new proposal, we see strong benefits for financial entities in having a harmonised and comprehensive framework for ICT risk management. Not only will DORA bring synergies at EU level, it will also contribute to the creation of a robust digital single market for financial services.
Striking a balance between resilience and innovation
DORA’s scope is significant and covers many aspects of how financial entities should manage ICT risks. While DORA is principally focused on requirements for the EU financial sector, the direct oversight of critical ICT third-party providers (ICT CTPPs) has far-reaching consequences for technology companies such as Cloud Service Providers (CSPs). Indeed, the oversight framework introduced in DORA will determine which third parties are ‘critical’ for the EU financial sector and establish a number of provisions subjecting ICT CTPPs to oversight by EU financial supervisors. Supervisors could impose specific requirements on how ICT CTPPs serve EU financial entities and, in the worst case (when the risk posed by an ICT CTPP is deemed too great), could require the outright termination of its contractual relationship with a financial entity.
So far, the European Parliament and the Council of the EU are progressing their discussions on DORA at a rapid pace. While this gives hope for a final text in Q1 2022, the financial services industry has yet to see amendments that account for the holistic nature of such an ambitious proposal. The requirements in DORA could have significant impacts on the EU financial sector. For instance, the risk of immediate termination of contracts could make it more difficult for EU financial entities to use ICT CTPPs, which offer innovation and efficiency benefits. It may even deter some technology providers from serving the EU because of the increased regulatory uncertainty.
An opportunity for global leadership
It is crucial that EU policymakers continue to appreciate that the speed of regulatory development is not the only priority. The outcome must be a long-term, fit-for-purpose framework that reduces fragmentation in the EU single market and supports innovation and technology adoption, whilst promoting robust standards for managing ICT risks. Achieving this goal will support EU competitiveness in a fast-growing digital market.
The EU also has an opportunity to set the tone globally on how ICT risks stemming from third-party technology providers should be managed and regulated. So far, despite progressive discussions, many of these providers have not fallen under the purview of a significant regulatory framework.
Crucially, in an increasingly interconnected global financial system, the EU must work in close cooperation with other jurisdictions and international bodies, setting an example of how to achieve economic recovery without compromising financial stability over the long run.
[1] https://ec.europa.eu/info/publications/200924-digital-finance-proposals_en
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595
[3] Operational resilience is the ability to continue delivering critical functions despite disruption.