Skip to main content

EU Digital Operational Resilience: The Path to Enhanced Resilience

By Jason Harrell, DTCC Managing Director and Head of External Engagements | 3 minute read | March 7, 2022

Today’s financial services industry increasingly leverages technology and ICT providers to extend financial services to excluded or underserved individuals, increase efficiency and lower transactional costs, and diversify financing. To provide greater assurance of a level playing field across Member States and increase the safety and soundness of financial markets, the DORA framework must establish an oversight framework that meets these stated goals.

Related: The Essential Building Blocks of a Successful Digital Landscape

The European Parliament (EP) issued its amendments to the European Commission (EC) text which it will use to enter negotiations with the EC and Council of Ministers. The EP has made significant strides to strengthen the EC’s proposal. I believe that this text will ultimately deliver on its expected goals. However, there are areas where further improvements may increase clarity for financial entities.

Operational Resilience Principles

During the DORA negotiations, financial entities and authorities worked to develop operational resilience principles for use by supervisors when developing rulemaking. In 2021, the Basel Committee on Banking Supervision (BCBS) published its Principles for Operational Resilience. These Principles, developed in collaboration with the private sector, defines operational resilience concepts such as critical operations, tolerance for disruption, mapping of interconnections and scenario testing. These activities are to occur at the financial entity’s business operations level. DORA has taken these terms and integrated them at the technology level which may lead to financial entities being unclear on their requirements.

As an example, the BCBS Principles require financial entities to map the people, process, technology and suppliers needed to deliver its critical operations while DORA may require that these mappings include technology systems configurations. In addition, DORA requires impact tolerance for ICT disruptions while the BCBS Principles require impact tolerance at the business’ critical operation level. Further guidance will clarify financial entities’ operational resilience expectations.

While DORA is the first step in a multi-phased effort, a solid foundation will serve to support resilience and provide the flexibility needed for Europe’s digital finance goals.

Intragroup / Third-Party ICT Relationships

The Proposed Text includes intragroup relationships in the definition of third-party ICT relationships. While intragroup relationships may be external to the covered entity, the parent-to-affiliate relationships deliver numerous common services which may include: IT services, cyber risk, and audit. Further, these relationships provide consistent governance, resource management, and technology alignment that simplify technology service delivery and enhance resilience. The inclusion of intragroup ICT relationships in the definition of ICT third-party relationships by the EP text extends requirements that may not promote stronger resilience.

  • Exit Strategies: By changing this definition, financial entities will be required to develop exit strategies for their intragroup ICT relationships. Exiting intragroup ICT services may interrupt other tech-supported services by the parent organization and remove the ability of the parent to provide sophisticated cybersecurity services which enhance the cyber preparedness of the covered entity
  • Supervision/Oversight: Given the breadth of services offered by the parent to the affiliate for daily operations, the parent organization may be considered a concentration risk by the Joint Committee. In the Proposed Text this may further allow oversight of the parent organization by the ESAs. This may create supervisory issues between the national authorities who oversee the parent organization and the ESAs who are expected to oversee the ICT third-party relationships that sit outside of the institutional protection scheme.

Public/Private Partnerships

I believe that sound rulemaking requires feedback from the industry. This allows subject matter experts from both sectors and their unique points of view to be reflected in rulemaking. This creates rulemaking that is fit for purpose and enhances the implementation of measures that promote resilience. EU lawmakers should envisage consultations with the industry to develop technical standards.

It is my hope that clarifying these matters takes a front seat in these discussions. While DORA is the first step in a multi-phased effort, a solid foundation will serve to support resilience and provide the flexibility needed for Europe’s digital finance goals.

This article was originally published in the February 2022 edition of Eurofi’s Views Magazine.

Jason Harrell - 432x576px
Jason Harrell DTCC Head of External Engagements, Operational and Technology Risk, CISM

post
DTCC Connection
Feb 22, 2022 The Essential Building Blocks of a...
post
DTCC Connection
Jan 25, 2022 Log4j Remediation: How DevSecOps...
post
DTCC Connection
Nov 22, 2021 At the Intersection of Risk Management...
Back to DTCC Connection
dtccdotcom