
EU Digital Operational Resilience: The Path to Enhanced Resilience

By Jason Harrell, DTCC Managing Director and Head of External Engagements | 3 minute read | March 7, 2022

Today’s financial services industry increasingly leverages technology and ICT providers to extend financial services to excluded or underserved individuals, increase efficiency, lower transactional costs, and diversify funding. To provide greater assurance of a level playing field across Member States and increase the safety and soundness of financial markets, the DORA framework must establish an oversight framework that meets these stated goals.


The European Parliament (EP) issued its amendments to the European Commission (EC) text which it will use to enter negotiations with the EC and Council of Ministers. The EP has made significant strides to strengthen the EC’s proposal. I believe that this text will ultimately deliver on its expected goals. However, there are areas where further improvements may increase clarity for financial entities.

Operational Resilience Principles

During the DORA negotiations, financial entities and authorities worked to develop operational resilience principles for use by supervisors when developing rulemaking. In 2021, the Basel Committee on Banking Supervision (BCBS) published its Principles for Operational Resilience. These principles, developed in collaboration with the private sector, define operational resilience concepts such as critical operations, tolerance for disruption, mapping of interconnections and scenario testing. These activities are to occur at the financial entity’s business operations level. DORA has taken these terms and integrated them at the technology level, which may leave financial entities unclear on their requirements.

For example, the BCBS Principles require financial entities to map the people, processes, technology and suppliers needed to deliver their critical operations, while DORA may require that these mappings include technology system configurations. In addition, DORA requires impact tolerance for ICT disruptions, while the BCBS Principles require impact tolerance at the business’ critical operation level. Further guidance will clarify financial entities’ operational resilience expectations.


Intragroup/Third-Party ICT Relationships

The Proposed Text includes intragroup relationships in the definition of third-party ICT relationships. While intragroup relationships may be external to the covered entity, the parent-to-affiliate relationships deliver numerous common services, which may include IT services, cyber risk, and audit. Further, these relationships provide consistent governance, risk management, and technology alignment that simplify technology service delivery and enhance resilience. The inclusion of intragroup ICT relationships in the definition of ICT third-party relationships by the EP text extends requirements that may not promote stronger resilience.

  • Exit strategies: By changing this definition, financial entities will be required to develop exit strategies for their intragroup ICT relationships. Exiting intragroup ICT services may interrupt other tech-supported services provided by the parent organization and remove the ability of the parent to provide sophisticated cybersecurity services that enhance the cyber preparedness of the covered entity.
  • Supervision/Oversight: Given the breadth of services offered by the parent to the affiliate for daily operations, the parent organization may be considered a concentration risk by the Joint Committee. In the Proposed Text this may further allow oversight of the parent organization by the ESAs. This may create supervisory issues between the national authorities who oversee the parent organization and the ESAs who are expected to oversee the ICT third-party relationships that sit outside of the institutional protection scheme.

Public-Private Partnerships

I believe that sound rulemaking requires feedback from the industry. This allows subject matter experts from both sectors and their unique points of view to be reflected in rulemaking. This creates rulemaking that is fit for purpose and enhances the implementation of measures that promote resilience. EU lawmakers should envisage consultations with the industry to develop technical standards.

It is my hope that clarifying these matters takes a front seat in these discussions. While DORA is the first step in a multi-phased effort, a solid foundation will serve to support resilience and provide the flexibility needed for Europe’s digital finance goals.

This article was originally published in the February 2022 edition of Eurofi’s Views Magazine.

Jason Harrell, DTCC Head of External Engagements, Operational and Technology Risk, CISM
