On 15 November 2023, the European Banking Authority published a speech (dated 10 October 2023) by its chair, José Manuel Campa. The speech is entitled Operational resilience in EU financial services. Before exploring the concept of operational resilience (the ability of a financial entity to continue to deliver critical activities, on which the good functioning of the financial sector depends, during disruptions), Mr Campa shares some observations on digitalisation trends across the EU.
Key points in Mr Campa’s speech on operational resilience include:
- At the EU level, new legislation on digital operational resilience for the financial sector (DORA) entered into force in January 2023 and becomes applicable to almost all EU financial entities from January 2025.
- The first pillar of DORA aims to consolidate and upgrade ICT risk requirements that have so far been spread across different texts of financial services legislation, and to foster convergence and efficiency in supervisory approaches when addressing ICT risks (including ICT third-party risk) in the financial sector.
- The second pillar of DORA introduces an EU-wide oversight framework for the ICT providers that are assessed as critical for the EU financial sector.
- DORA has given new roles and tasks to the three European Supervisory Authorities (ESAs); they are therefore currently developing the complementary Level 2 regulatory texts that enable the application of the Regulation and the design of the new supervisory framework.
- In terms of type of ICT providers, DORA covers a wide range, including providers of cloud computing services, software, data analytics services and providers of data centre services.
- The ESAs will collect data from EU financial entities (via their Member State competent authorities) on the ICT services they receive from ICT providers and on those providers. Based on this data, the ESAs will designate the critical ICT providers for the EU financial sector, taking into account a number of criticality criteria. This exercise will be carried out annually and the list of critical ICT providers will be published. Each critical ICT provider will be overseen by one of the ESAs (the Lead Overseer), whose task is essentially to assess whether the provider has adequate mechanisms in place to manage the ICT risks to which it may expose EU financial entities. Recommendations and lines of improvement will be issued to address the weaknesses detected. If the provider fails to report on its follow-up to these recommendations, or the follow-up is judged insufficient, action may also be taken via the supervised financial entities that receive services from that provider: requesting reports on the way in which the service is provided, or ultimately requiring the identification of alternative providers.
- To make this work, the ESAs will set out a comprehensive cooperation and coordination framework, building on the existing institutional architecture enhanced by new structures.
- The Lead Overseer may exercise its powers on premises in a country outside the EU that are used by the critical ICT provider to provide services in the EU, a very important element of DORA given the landscape of ICT providers. For this purpose, DORA envisages the possibility for the ESAs to conclude cooperation arrangements with third-country authorities.