Impact of DORA on Financial Services Technology Integration in EU.

Question

I'm a software engineer in a financial services company and we're integrating new technologies. I've been told that DORA might affect our work. How does DORA fit with other EU laws that we already comply with, like MiFID II or PSD2?

Executive Summary

In integrating new technologies in the financial sector, understanding the Digital Operational Resilience Act (DORA) is crucial for compliance alongside existing EU regulations such as MiFID II and PSD2. Here’s a concise overview addressing DORA’s impact:

  • Interaction with Existing Regulations: DORA introduces specific requirements for digital operational resilience that complement and add to existing rules under MiFID II and PSD2, centering on cybersecurity and third-party service provider management.
  • Uniform ICT Risk Management: Entities must have robust ICT risk management frameworks, reflecting DORA’s emphasis on managing digital threats alongside operational risks already covered in MiFID II and PSD2.
  • Incident Reporting and Cooperation: DORA mandates structured management and reporting of ICT-related incidents, encouraging the exchange of cybersecurity information, which aligns with the real-time reporting requirements of MiFID II and PSD2.
  • Enforcement and Supervision: Compliance with DORA will be overseen by familiar regulatory authorities, aiming to harmonize the enforcement of digital resilience with existing financial regulations.

This shortlist provides an executive synopsis of DORA’s role within the regulatory landscape for digital operations in the EU financial sector.

Assumptions

  1. Scope of New Technologies: Assume the technologies in question are essential for providing financial services and pertain to data processing, cybersecurity, and potential dependency on third-party ICT service providers.
  2. Company’s Role: Assume the company operates both as an investment firm under MiFID II and a payment service provider under PSD2.
  3. Current Regulatory Compliance: Assume the company is fully compliant with existing regulations mentioned (MiFID II and PSD2) as they pertain to financial transactions, services, and customer interactions.
  4. Specific Concerns or Scenarios: Assume the concerns about DORA primarily revolve around the management of ICT risks and the regulatory overlap in reporting obligations between DORA, MiFID II, and PSD2.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

Recognizing the intricate landscape of regulatory compliance in the financial sector, we have further analyzed the implications of the Digital Operational Resilience Act (DORA) in relation to other EU laws such as MiFID II and PSD2, particularly in the context of your role in integrating new technologies. This supplemental answer provides additional insights that detail the practical steps and considerations required in adhering to these overlapping regulatory environments.

Legal trace

Governance and the Management of ICT Third-Party Risk

Financial entities, as part of their ICT risk management framework, should adopt, and regularly review, a strategy on ICT third-party risk. (Source: Final Report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 7)

The implementation of ICT risk management frameworks, as outlined here, advances our previous analysis by specifying the continuous and strategic review processes for managing third-party risk. For your role, it emphasizes that not only should these risk management strategies align with the regulations but they also require regular updates and assessments as part of broader governance practices.

The management body of a financial entity shall adopt a written policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and ensure its implementation on an individual and, as applicable, on a sub-consolidated and consolidated basis. (Source: Final Report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 10)

This recommendation underscores the responsibility placed on the management body for the oversight of ICT third-party risks, bridging our original analysis with the specific governance requirements of DORA. It illustrates the level of engagement necessary from higher management to ensure new technologies comply across all organizational levels, reflecting a complex regulatory mosaic that includes MiFID II and PSD2 directives.

Risk Assessment and Due Diligence in Contractual Arrangements

Before entering into a contractual arrangement with an ICT third-party service provider a risk assessment shall be conducted […] taking into account all the relevant requirements under Regulation (EU) 2022/2554 and applicable sectoral legislations and regulations. (Source: Final Report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 13)

This reinforces the notion that risk assessments are a critical preliminary step when entering contractual engagements with ICT third-party service providers, considering the comprehensive landscape of DORA and other sectoral laws. Integrating this requirement into your operational risk management process can accommodate new technological integrations while ensuring alignment with existing EU financial regulations.

The policy shall require that, before entering into a contractual arrangement, at least whether the ICT third-party service provider […] has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards […] (Source: Final Report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 14)

This quote highlights the importance of due diligence in the selection of ICT service providers. It sets out the standards a prospective provider must meet to be considered suitable and operationally resilient, facilitating continuity between DORA and the other regulatory frameworks, including MiFID II and PSD2, within which your company operates.

Contractual Arrangements and Operational Resilience

Financial entities shall only use testers for the carrying out of TLPT, that are of the highest suitability and reputability… (Article 27(1)(a))

By stressing the prerequisite of using reputable testers for resilience testing, DORA echoes PSD2's security emphasis. DORA specifically highlights the importance of operational resilience testing, which connects directly to your responsibilities in integrating new technologies and ensuring these technologies are robust against a multitude of risks.

Proportionality and Application within Financial Groups

The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers shall take into account, at least the following elements of increased or reduced risk or complexity […] (Source: Final Report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 10)

This quote elaborates upon DORA's call for a nuanced approach, considering each financial entity's unique risk profile and complexity when drafting policies related to ICT services. It complements our initial answer by detailing how DORA's requirements adapt to the size and structure of the entity, including within a financial group, elements that are equally paramount in PSD2 and MiFID II compliance efforts.

Conclusion

This supplemental answer has explored further details about the management of ICT third-party risk under DORA, presenting steps and considerations that directly respond to the need for establishing clear and robust policies. This guidance, consistent with the comprehensive approach to operational and market risks demanded by MiFID II and PSD2, should aid in integrating new technologies while satisfying various regulatory standards within the financial industry.