DORA is the new regulation that now forms part of the EU’s Digital Finance Package, which also includes MiCAR and the DLT Pilot Regime. It aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. DORA will endeavour to harmonise national rules on operational resilience and cybersecurity across the EU by establishing uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector. These include, amongst others, credit institutions, payment institutions, e-money institutions, investment firms, crypto asset service providers (authorised under MiCAR), investment funds and management companies, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries.

DORA will, however, also capture Critical ICT Third-Party Service Providers that provide services related to information and communication technologies, such as cloud platforms and payment gateways, to Financial Entities within its regulatory scope, pursuant to a newly established Oversight Framework. This is a novel concept under European financial services legislation: the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), acting through their Joint Committee, will have the remit to designate Critical ICT Third-Party Providers in line with the designation mechanism under Article 31 of DORA. That mechanism is based on a set of qualitative and quantitative assessment criteria of these ICT Third-Party Providers, including:

  • the systemic impact on the stability, continuity, or quality of financial services in the event that the ICT third-party provider faced a large-scale operational failure to provide its services
  • the systemic character or importance of Financial Entities that rely on the ICT Third-Party Service Provider
  • the degree of reliance of those Financial Entities on the services provided by the ICT Third-Party Service Provider in relation to critical or important functions of those Financial Entities
  • the degree of substitutability of the ICT Third-Party Service Provider.

The designation mechanism mentioned above will only be operative after the Commission has adopted a delegated act (within 18 months from the publication of DORA) specifying further details on the criteria to be used in making such an assessment. The mechanism used by the ESAs will also involve quantitative and qualitative criteria to set the criticality parameters in order to ensure the accuracy of that assessment, regardless of the corporate structure of the ICT third-party service provider. Critical ICT third-party service providers that are not automatically designated by virtue of the application of those criteria should have the possibility to opt into the Oversight Framework on a voluntary basis.

Designated Critical ICT Third-Party Providers will be required to have in place robust, comprehensive, effective policies, procedures, mechanisms and arrangements to understand, monitor, manage and mitigate the ICT risks that they may pose to Financial Entities as well as European Subsidiary. Financial Entities will not be permitted to obtain ICT services from a third country Critical ICT Third-Party Provider if the latter fails to establish a subsidiary in the EU within 12 months following its designation as critical.

The ESAs, which under the Oversight Framework will also be designated as Lead Overseers, will have other powers, listed under Article 35 of DORA, which include the power to investigate, to be granted access, and to make ‘recommendations’ to Critical ICT Third-Party Providers. Lead Overseers shall also ensure a consistent approach to oversight activities and draw up a common oversight protocol specifying the detailed procedures to be followed for carrying out the day-to-day coordination and for ensuring swift exchanges and reactions. The protocol shall be periodically revised to reflect operational needs, in particular the evolution of practical oversight arrangements. There will also be a sanctions regime under which the Lead Overseers have the ability to notify and publicise non-compliance and, “as a last resort”, the option to require Financial Entities to temporarily suspend services provided by such a provider until the relevant risks identified in the recommendations have been addressed.

The Oversight Framework is without prejudice to Member States’ competence to conduct their own oversight or monitoring missions with respect to ICT Third-Party Service Providers which are not designated as critical under DORA, but which are regarded as important at national level. Certain categories of ICT Third-Party Service Providers are also expressly excluded from the designation mechanism, including Financial Entities providing ICT services to other Financial Entities, ICT intra-group service providers, and ICT Third-Party Service Providers providing ICT services solely in one Member State to Financial Entities that are only active in that Member State.

For further information and assistance kindly contact Dr Ian Gauci.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.