It is understood that the European Commission is close to adopting its legislative proposal on Digital Operational Resilience for the Financial Sector. The legislative proposal, which follows a public consultation held by the Commission in Q1 2020, would establish a unified framework for the coherent application of all components of information and communication technology (ICT) risk management and would apply to all types of financial entities recognised in EU financial services legislation. More specifically, the proposal will contain measures on ICT risk management and incident reporting; digital operational resilience testing; ICT third party risk; and reporting to competent authorities. The Commission’s intention is to publish the legislative proposal in September 2020, as originally planned.
In terms of ICT risk management, the Commission intends to lay down standards on governance and risk management. On governance, the proposal would require a financial entity’s management body to take an active role in steering the ICT risk management framework and to be fully responsible for its management. Specific requirements would be established in a number of sub-areas, including the definition, approval and control of the implementation of arrangements giving effect to the ICT risk management framework, and accountability for that implementation. All financial entities, except those employing fewer than 10 persons and with an annual turnover below EUR 2 million, would have to establish certain dedicated functions in the light of these governance requirements.
On risk management itself, the proposal would lay down high-level principles framing financial entities’ conduct of ICT risk management, with the level of digital operational resilience being adapted to risks, business needs, size and complexity of the entity. Conduct rules are included in relation to the identification of sources of ICT risk; protection of ICT systems; detection of anomalous activities; response to incidents; and communication on ICT-related incidents to clients, counterparties and the public.
The proposal also introduces a general requirement for financial entities to report major ICT-related incidents to the relevant competent authority. In this context, financial entities must monitor and log ICT-related incidents and classify them according to a taxonomy to be developed by the European Supervisory Authorities. Member State competent authorities should provide feedback on reported incidents to allow for a dialogue and to identify appropriate remedies. To verify that ICT systems are resilient enough to avoid such incidents, financial entities would need to periodically test the capabilities and functions included in the ICT risk management framework, both to assess preparedness and to identify weaknesses, deficiencies or gaps. More advanced testing is required for the most significant financial entities.
With regard to outsourcing arrangements, the proposal would set out key principles and contractual elements deemed important for the safe performance and termination of contracts with ICT third party providers. These would include, for instance, complete descriptions of the functions and services provided, the locations where functions are performed and data are processed, and full service level descriptions with agreed service levels accompanied by quantitative and qualitative performance targets. These new arrangements would replace the current outsourcing guidelines, which are produced by each European Supervisory Authority separately, with one single framework.
Finally, the legislative proposal would allow financial entities to establish arrangements for exchanging cyber threat information and intelligence amongst themselves, enhancing their capacity to prevent such threats from materialising.