On 22 October 2020, the German Presidency of the Council held a meeting of a working party on financial services, the agenda of which included discussion of the recently published European Commission proposal for a Regulation on digital operational resilience in financial services (DORA). We provided an overview of the proposed legislation in our earlier blog post on DORA. During this week's meeting, Member States were to discuss certain general provisions and elements of information and communication technology (ICT) risk management, as well as provisions relating to the management of third-party ICT risks.
In respect of the general provisions, we understand that while the majority of Member States expressed support for the proposed Regulation in their written feedback to the Presidency, a number of issues will require more in-depth discussion in order to find a workable compromise. These include the scope of entities subject to the proposed law, certain definitions, the implementation of an Information Security Management System as part of an institution’s ICT risk management framework, and further harmonisation of ICT risk management tools, methods, processes and policies. In respect of scope, we understand that views diverge between Member States, with some advocating that the list of in-scope entities be extended while others advocate that it be reduced by removing certain entities, such as crypto-asset service providers.
Regarding third-party ICT risks, we understand that the discussions were intended to focus on the suggestion by some Member States that the mechanism for designating the lead overseer for critical third-party ICT service providers may need further adjustment. Among other issues, the Presidency sought Member States’ views on whether the oversight powers over critical ICT third-party service providers should be held by all three European Supervisory Authorities. Another topic for discussion was the criteria and mechanism for designating such critical ICT third-party service providers. As some Member States have asked for further clarification of the relevant designation criteria, the Presidency sought views on what, if any, specific adjustments should be considered. Finally, Member States’ representatives were to discuss the role competent authorities would play in the oversight framework, the powers within the oversight framework, and provisions relating to ICT third-party service providers located in third countries. On this last point, Member States were asked to provide views on the proposed requirement for critical non-EEA ICT third-party service providers to establish a legal presence in the Union.