United Kingdom (and EU regulation)

DORA review: Member States consider inclusion of payment card networks and retail payment infrastructures

On 28 April 2021 the Portuguese Presidency of the Council held a meeting of a Council working group in order to continue its legislative review of the proposed regulation on digital operational resilience for the financial sector (DORA). During the meeting, Member States discussed certain issues relating to the scope of the proposed legislation, as well as select provisions under Chapter V (managing of information and communication technology (ICT) third-party risk). In respect of the scope of the draft legislation, the Presidency put forward for Member States’ consideration two non-papers, namely a joint non-paper authored by a group of Member States on provisions concerning ICT infrastructures enabling retail payment clearing and a non-paper prepared by France on proposed inclusion within the scope of DORA of payment card schemes. Key points to note:

Scope: In its non-paper mentioned above, France noted that payment card networks play a major role in the payment chain and that large-scale, sophisticated attacks against the main providers have already occurred in the past. It suggests the need for extension of the scope of DORA to cover payment card networks by arguing that an attack on such market participants could have major consequences for financial stability and for the smooth functioning of payments in the EU, and also by highlighting lack of consistency and clarity in supervisory regime for card payment networks. In addition, the group of Member States in their joint paper pointed to evidence that the ICT infrastructures enabling retail payment clearing are some of the main sources of systemic cyber risk for the financial sector. Noting the lack of harmonised EU legal framework for addressing digital operational resilience for providers of such services, they argued in favour of inclusion of payment system infrastructures in the scope of DORA, and they proposed some drafting amendments for consideration of the working group.
Contractual arrangements for the use of ICT services: The Presidency proposed certain drafting amendments for Member States’ consideration, addressing – among other issues – responsibilities of financial entities prior to entering a contractual arrangement. It also proposed to amend provisions pertaining to an obligation of financial entities to record certain information in the Register of Information.
Oversight framework: The Presidency put forward several points for Member States’ review. Among other issues it sought to receive Member States’ final views as to which European Supervisory Authority should be designated a Lead Overseer for the purpose of the establishment of the oversight framework for critical third-party ICT service providers. It also proposed further drafting amendments concerning criticality assessment procedure for third-party service providers, the rules of procedure of the oversight forum, reporting by third-party service providers and the composition of the Joint Examination Team.