EFAMA's response: Proposed changes to DORA require more proportionality and simplicity
EFAMA has responded to the public consultations launched by the European Supervisory Authorities (ESAs) on draft regulatory technical standards (RTS) and implementing technical standards (ITS) supplementing the Digital Operational Resilience Act (DORA). Their purpose is to establish further details on the core elements of this regulation, which harmonises how information and communication technology (ICT) risks are to be addressed in the financial sector. The drafts under discussion cover ICT risk management frameworks, a register of information on contractual arrangements, and the classification of ICT-related incidents and threats.
The main issue that EFAMA highlights is the need for comprehensive incorporation of the proportionality principle of DORA. The scope of entities subject to DORA is very broad and ranges from credit and payment institutions, to insurance companies, to asset managers, as well as others. Their structure, size and business models vary significantly, from banks providing critical IT infrastructure, to companies with a far lower dependency on ICT services. The currently proposed “one size fits all” approach will be excessive for many of them, including asset management companies. The ESAs should allow for elements such as smaller size, decreased complexity, criticality of systems and functions, as well as the entity’s risk assessment and appetite, to be taken into account, in particular when implementing the ICT risk management framework.
The proposed templates for the register on contractual arrangements for ICT services are very complex in terms of content, form and technology and include additional elements with no (or questionable) added value. For example, the obligation to keep the register both at the entity level and at the consolidated/sub-consolidated level would be an unnecessary duplication, contradicting basic standards of accountability for group consolidation. Moreover, EFAMA stresses that information on the service provider’s supply chain could be provided to authorities more efficiently by the ICT third-party service providers themselves, rather than through financial entities. We also question the need to keep information on terminated contracts in the register for 5 years and the inclusion of sensitive contractual data.
We appreciate the attempt to give financial entities more clarity on the classification of ICT-related incidents, with thresholds for identifying major incidents. However, the methodology proposed would require constant monitoring of various criteria, engaging significant resources, which in many cases will not detect a major ICT-related incident. In fact, these criteria could lead to a higher number of identified incidents, which would make it more difficult to detect the truly major ones. This methodology has also not been clearly linked to the definition of major ICT-related incidents included in DORA. Further technical consultations on DORA are expected to be launched by the ESAs in the fall.
Zuzanna Bogusz, Regulatory Policy Advisor at EFAMA, commented: “The asset management industry is very serious about tackling the risks that arise from increasing use and sophistication of information and communication technology. Operational resilience is also key to stable financial markets. However, the high degree of bureaucracy incorporated in the draft technical standards undermines this goal. Financial entities will be overwhelmed with drafting procedures, filling in templates and gathering data, when their attention should be focused on prevention, detection and swift reaction to threats. Also, if a high proportion of ICT-related incidents qualify as “major”, it would become harder to detect those truly harmful ones and channel available resources towards them. In other words, it would be counterproductive for the task at hand.”