Explanatory Memorandum to COM(2020)595 - Digital operational resilience for the financial sector

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2020)595 - Digital operational resilience for the financial sector.
source COM(2020)595 EN
date 24-09-2020
1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

This proposal is part of the Digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks arising from it. It is in line with the Commission priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people. The digital finance package includes a new Strategy on digital finance for the EU financial sector with the aim to ensure that the EU embraces the digital revolution and drives it with innovative European firms in the lead, making the benefits of digital finance available to consumers and businesses. In addition to this proposal, the package also includes a proposal for a regulation on markets in crypto assets , a proposal for a regulation on a pilot regime on distributed ledger technology (DLT) market infrastructure , and a proposal for a directive to clarify or amend certain related EU financial services rules .Digitalisati on and operational resilience in the financial sector are two sides of the same coin. Digital, or Information and Communication Technologies (ICT), gives rise to opportunities as well as risks. These need to be well understood and managed, especially in times of stress.

2.

Policymakers and supervisors have therefore increasingly focused on risks stemming from


reliance on ICT. They have notably tried to enhance firms’ resilience through the setting of

standards and through the coordination of regulatory or supervisory work. This work has been carried out at both international and European level, and both across industries as well as for a number of specific sectors, including financial services.

ICT risks nevertheless continue to pose a challenge to the operational resilience, performance and stability of the EU financial system. The reform that followed the 2008 financial crisis primarily strengthened the financial resilience of the EU financial sector, only addressing ICT risks indirectly in some areas, as part of the measures to address operational risks more broadly.

While the post-crisis changes to the EU financial services legislation put in place a Single Rulebook governing large parts of the financial risks associated with financial services, they did not fully address digital operational resilience. The measures ta ken in relation to the latter were characterised by a number of features that limited their effectiveness. For example, they were often devised as minimum h ar m onisati o n directives or pri nc ipled - base d regulations, leaving substantial room for diverging approaches across the Single Market. In addition, there has been only some limited or incomplete focus on ICT risks in the context of the operational

Communication from the Commission to the European Parliament, the European Council, the Council,

3.

the European Central Bank, the European Economic and Social Committee and the Committee of the


Regions on a Digital Finance Strategy for the EU, 23 September 2020, COM(2020)591.

4.

Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets


and amending Directive (EU) 2019/1937, COM(2020) 593.

5.

Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market


infrastructures based on distributed ledger technology, COM(2020) 594.

6.

Proposal for a Directive of the European Parliament and of the Council amending Directives


7.

2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and


EU/2016/2341, COM(2020) 596.

8.

The different measures adopted fundamentally aimed at increasing the capital resources and liquidity of


financial entities, as well as to reduce market and credit risks.

2

3

4

5

risk coverage. Finally, these measures vary across the sectoral financial services legislation. Thus, the intervention at Union level did not fully match what European financial entities needed for managing operational risks in a way that withstand, respond and recover from impacts of ICT incidents. Nor did it provide financial supervisors with the most adequate tools to fulfil their mandates to prevent financial insta bi lity stemming from the materialization of those ICT risks.

The absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies). Action at Member State level, however, only has a limited effect given cross-border nature of ICT risks. Moreover, the uncoordinated national initiatives have resulted in overlaps, inconsistencies, duplicative requirements, high administrative and compliance costs -especially for cross-border financial entities - or in ICT risks remaining undetected and hence unaddressed. This situation fragments the single market, undermines the sta bi lity and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.

It is therefore necessary to put in place a detailed and comprehensive framework on digital operational resilience for EU financial entities. This framework will deepen the digital risk management dimension of the Single Rulebook. In particular, it will enhance and stream li ne

the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by

9.

financial entities, as well as introduce powers for financial supervisors to oversee risks


stemming from financial entities’ dependency on ICT third-party service providers. The

proposal will create a consistent incident reporting mechanism that will help reduce admini strati ve burdens for financial entities, and strengthen supervisory effectiveness.

Consistency with existing provisions in the policy area

This proposal is part of wider work ongoing at European and international level to strengthen the cybersecurity in financial services and address broader operational risks.

It also responds to the 2019 Joint technical advice7 of the European Supervisory Authorities (ESAs) that called for a more coherent approach in addressing ICT risk in finance and recommended the Commission to strengthen, in a proportionate way, the digital operational resilience of the financial services industry through an EU sector-specific initiative. T he ESAs

advice was a response to the Commission’s 2018 Fintech action plan.8

Consistency with other Union policies

As stated by President von der Leyen in her Political Guidelines,9 and set-out in the

Communication ‘Shaping Europe’s digital future’,10 it is crucial for Europe to reap all the

10.

benefits of the digital age and to strengthen its industry and innovation capacity, within safe


10

Basel Committee on Banking Supervision, Cyber-resilience: Range of practices, December 2018 and

Principles for sound management of operational risk (PSMOR), October 2014.

11.

Joint Advice of the European Supervisory Authorities to the European Commission on the need for


legislative improvements relating to ICT risk management requirements in the EU financial sector, JC

2019 26 (2019).

European Commission, Fintech Action Plan, COM/2018/0109 final.

President Ursula Von Der Leyen, Political Guidelines for the next European Commission, 2019-2024,

https://ec.europa.eu/commission/sites/beta-political/files/political-guidelines-next-commission_en.pdf.

12.

Communication from the Commission to the European Parliament, the Council, the European


Economic and Social Committee and the Committee of the Region, Shaping Europe’s Digital Future,

COM(2020) 67 final.

6

The European strategy for data11

and ethical boundaries. The European strategy for data sets out four pillars - data protection, fundamental rights, safety and cybersec u rity - as essential pre-re qui sites for a society empowered by the use of data. More recently, the European Parliament is working on a report on digital finance, which inter alia calls for a common approach on cyber resilience of the financial sector .A legislative framework strengthening the digital operational resilience of EU financial entities is consistent with these policy objectives. The proposal would also support policies aimed at recovering from the coronavirus, as it would ensure that increased reliance on digital finance goes hand in hand with operational resilience.

The initiative would maintain the benefits associated with the horizontal framework on cybersecurity (e.g. the Directive on Security of Networks and Information Systems, NIS Directive) by keeping the financial sector within its scope. The financial sector would remain closely associated to the NIS cooperation body and financial supervisors would be able to exchange relevant information within the existing NIS ecosystem. The initiative would be consistent with the European Critical Infrastructure (ECI) Directive, which is currently being reviewed in order to enhance the protection and resilience of critical infrastructures against non-cyber related threats. Finally, this proposal is fully in line with the Security Union Strategy that called for an initiative on the digital operational resilience for financial sector given its high dependence on ICT services and its high vulnerability to cy ber attacks.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The proposal for regulation is based on Arti c le 1 14 TFE U.

It removes obstacles to, and improves the establ ishment and functioning of the internal market for financial services by harmonising the rules applicable in the area of ICT risk management, reporting, testing and ICT third-party risk. Current disparities in this area, both at legislative and supervisory levels, as well as national and EU levels, act as obstacles to the single market in financial services because financial entities that engage in cross-border activities face different, where not overlapping, regulatory requirements or supervisory expectations with the potential to impede the exercise of their freedoms of establishment and of provision of services. Different rules also distort competition between the same type of financial entities in diff erent Member States. Moreover, in areas where harmonisation is absent, partial or limited, the development of divergent national rules or approaches, either already in force or in the process of adoption and implementation at national level, can act as a deterrent to the single market freedoms for financial services. This is particularly the case as regards to digital operational testing frameworks and the oversight of critical IC T third-party service providers.

12

13

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Region, A European strategy for data, COM(2020) 66 final.

‘Report with recommendations to the Commission on Digital Finance: emerging risks in crypto-assets -regulatory and supervisory challenges in the area of financial services, institutions and markets (2020/2034(INL)),

https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2020/2034(INL)&l=en Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, COM(2020) 605 final.


As the proposal has an impact on several Directives of the European Parliament and of the Council adopted on the basis of Article 53 i of the TFEU, a proposal for a Directive is also adopted at the same time to reflect the necessary amends to those Directives.

Subsidiarity

A high degree of interconnection across financial services, a significant cross-border activity of financial entities and an extensive dependency of the financial sector as a whole on ICT third-party service providers call for enabling a strong digital operational resilience as a matter of common interest to uphold the soundness of EU financial markets. Disparities resulting from uneven or partial regimes, overlaps or multiple requirements applying to the same financial entities operating cross-border or holding several authorisations across the Single Market can only be tackled efficiently at Union level.

This proposal harmonises the digital operational component of a deeply integrated and interconnected sector that already benefits from a single set of rules and supervision in most other key areas. For matters such as ICT -related incident reporting, only Union harmonised rules could reduce the level of administrative burdens and financial costs associated with the reporting of the same ICT -related incident to different Union and national authorities. EU action is needed to also facilitate the mutual recognition of advanced digital operational resilience testing results for entities operating cross-border, which in the absence of Union rules are or may be subject to different frameworks in diff erent Member States. Only act ion at Union level can address the differences in testing approaches that Member States have introduced. EU-wide action is also needed to address the lack of appropriate oversight powers to monitor risks stemming from ICT third-party service providers, including concentration and contagion risks for the EU financial sector.

Proportionality

The proposed rules do not go beyond what is necessary in order to achieve the objectives of the proposal. They cover only the aspects that Member States cannot achieve on their own and where the administrative burden and costs are commensurate with the specific and general objectives to be achieved.

Proportionality is designed in terms of scope and intensity through the use of qualitative and quantitative assessment criteria. T hese aim to ensure that, while the new rules cover all financial entities, they are at the same time tailored to risks and needs of their specific characteristics in terms of their size and business profiles. Proportionality is also embedded in the rules on ICT risk management, digi tal resilience test ing, reporting of major ICT -related incidents and oversight of critical ICT third-party service providers.

Choice

13.

of the instrument


The measures needed to govern ICT risk management, ICT-related incident reporting, testing and oversight of critical ICT third-party service providers must be contained in a Regulation in order to ensure that the detailed requirements be effectively and directly applicable in a uniform manner, without prejudice to proportionality and specific rules foreseen by this Regulation. Consistency in addressing digital operational risks contributes to enhancing confidence in the financial system and preserves its stability. Since the use of a regulation

14 The same financial entity may have a banking, an investment firm, and a payment institution licence,

14.

each issued by a different supervisor in one


or several Member States.

helps reducing regulatory complexity, fosters supervisory convergence and increases legal certainty, this Regulation also contributes to limit financial entities compliance costs, especially for those operating on a cross-border basis, which in turn would help remove competitive distortions.

This Regulation also does away with legislative disparities and uneven national regulatory or supervisory approaches on ICT risk and thus removes obstacles to the single market in financial services, in particular to the smooth exercise of the freedom of establ ishment and the provision of services for financial entities with cross-border presence.

Lastly, the Single Rulebook has mostly been developed via regulations, and its update with the digital operational resilience component should follow the same choice of legal instrum ent.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

No Union financial services legislation has until now focussed on operational resilience and none has comprehensively tackled risks emerging from digi talisati on, not even those whose rules address more generally the operational risk dimension with ICT risk as a subcomponent. Union intervention so far have helped to address needs and problems that were present in the aftermath of the 2008 financial crisis: credit institutions were not sufficiently capitalised, financial markets were not sufficiently integrated, and har m on isation up until that point had been kept minimal. ICT risk was not considered a priority then, and, as a result, the legal frameworks for the different financial subsectors has evolved in an uncoordinated manner. Still, Union action has achieved its objectives of ensuring financial stability and to establish a single set of harmonised prudential and market conduct rules applicable to financial entities throughout the EU. Since factors driving Union legislative intervention in the past did not enable specific or comprehensive rules to address the widespread use of digital technologies and consequent risks in finance, carrying out an explicit evaluation appears challenging. An implicit evaluation exercise and consequent legislative amendments are reflected in each pillar of this Regulation..

Stakeholder consultations

The Commission has consulted stakeholders throughout the process of preparing this proposal, in particular:

15.

i) The Commission carried out a dedicated open public consultation (19


December 2019 - 19 March 2020);15

16.

ii) The Commission consulted the public via an inception impact assessment (19


December 2019 - 16 January 2020);16

15

16

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12090-Digital-Operational-

17.

Resilience-of-Financial-Services-DORFS-Act-/public-consultation


https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12090-Digital-Operational-

18.

Resilience-of-Financial-Services-DORFS-Act-


iii) The Commission services consulted Member State experts in the Expert Group

on Banking, Payments and Insurance (EGBPI) on two occasions (18 May 2020 and 16 July 2020);17

19.

iv) The Commission services held a dedicated webinar on digital operational


resilience, as part of the Digital Finance Outreach 2020 series of events (19 May 2020).

The purpose of the public consultation was to inform the Commission on the development of a potential EU cross-sectoral digital operational resilience framework in the area of financial services. Responses showed a broad support for introducing a dedicated framework with actions focused on the four areas subject to the consultation, while stressing the need to ensure proportionality and to carefully address and explain the interaction with the horizontal rules of the NIS Directive. The Commission received two responses on the inception impact assessment, where respondents addressed specific aspects related to their area of activity.

Member States expressed in the EGBPI meeting organized on 18 May 2020 high support for strengthening the digital operational resilience of the financial sector through the actions envisaged along the four elements outlined by the Commission. Member States also stressed the need for clear articulation of the new rules with those on operational risk (within the EU financial services legislation) and with the horizontal rules on cybersecu ri ty (NIS Directive). During the second meeting, some Member States stressed the need to ensure proportionality and consider the specific situation of small companies or subsidiaries of larger groups, as well as the need to have a strong mandate for NCAs involved in the oversight.

The proposal also builds on and integrates the feedback drawn from meetings held with stakeholders and EU authorities and institutions. Stakeholders, including ICT third-party service providers, have been overall supportive. An analysis of the received feedback shows a call for preserving proportionality and following a principle and risk-based approach in the design of rules. On the institutional side, the main input came from the European Systemic Risk Board (ESRB), the ESAs, the European Union Agency on Cybersecur i ty (ENI SA) and

the European Central Bank (ECB), as well as from Member States’ competent authorities.

Collection and use of expertise

In preparing this proposal, the Commission relied on qualitative and quantitative evidence collected from recognised sources, including the two joint technical advices by the ESAs. This has been complemented with confidential input, and publicly available reports from supervisory authorities, international sta nda rd-sett ing bodies and leading research institutes, as well as quantitative and qualitative input from identified stakeholders across the global financial sector.

Impact assessment

20.

This proposal is accompanied by an impact assessment , which was submitted to the Regulatory Scrutiny Board (RSB) on 29 April 2020 and approved on 29 May 2020. The RS B


18

https://ec.europa.eu/info/business-economy-euro/banking-and-finance/regulatory-process-financial-services/expert-groups-comitology-and-other-committees/expert-group-banking-payments-and-insurance_en

21.

Commission Staff Working Document - Impact Assessment Report Accompanying the document Regulation of the European Parliament and of the Council on digital operational resilience for the


17

recommended improvements in some areas with a view to: (i) provide more information on how proportionality would be ensured; (ii) better highlight the extent to which the preferred option differs from the ESAs joint technical advice, and why that option is the optimal one; and (iii) further highlight how the proposal interacts with existing EU legislation, including with rules currently being reviewed. The impact assessment was adjusted to address these

points, also addressing the RSB’s more detailed comments.

The Commission considered a number of policy options for developing a digital operational resilience framework:

“Do nothing”: rules on operational resilience would continue to be set by the current,

diverging set of EU financial services provisions, partly by the NIS Directive, and by existing or future national regimes;

Option 1: strengthening capital buffers: additional capital buffers would be

introduced to increase financial entities’ ability to absorb losses that could arise due

to a lack of digital operational resilience;

Option 2: introducing a financial services digital operational resilience act: enabling a comprehensive framework at EU level with consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishing an Oversight framework for critical ICT thi rd - party providers;

Option 3: a financial services digital operational resilience act combined with centralised supervision of critical ICT third-party service providers: in addition to a digital operational resilience act (option 2), a new authority would be established to supervise the provision of services by ICT third party service providers.

The second option was retained, as it achieves most of the intended objectives in a manner that is effective, efficient and coherent with other Union policies. Most stakeholders also prefer th is option.

22.

The retained option would give rise to costs of both one-off and recurring nature . The one-off costs are mainly due to investments in IT systems and as such are difficult to quantify


given the different state of firms’ complex IT landscapes and in particular of their legacy IT

systems. Even so, these costs are likely to be limited for large firms, given the significant ICT investments they have already made. Costs are also expected to be limited for smaller firms, as proportionate measures would apply given their lower risk.

The retained option would have positive effects on SMEs operating in the financial services industry in terms of economic, social and environmental impacts. The proposal will bring clarity to SMEs on what rules apply, which will reduce compliance costs.

The main social impacts of the retained policy option would be on consumers and investors. Higher levels of digital operational resilience of the EU financial system would decrease the number and average costs of incidents. Society as a whole would benefit from the increased trust in the financial services industry.

financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, SWD(2020)198 of 24.09.2020. 19 Ibid, p 89-94.

Finally, in terms of environmental impacts, the policy option chosen would encourage an enhanced use of the latest generation of ICT infrastructures and services, which are expected to become environmentally more sustainable.

Regulatory fitness and simplification

The removal of overlapping ICT -related incident reporting requirements would reduce administrative burdens and decrease associated costs. In addition, harmonised digital operational resilience testing with mutual recognition across the Single Market will decrease costs, especially for cross-border firms that could otherwise face multiple tests across Member

States20.

Fundamental rights

The EU is committed to ensuring high standards of protection of fundamental rights. All voluntary information sharing arrangements between financial entities that this Regulation promotes would be conducted in trusted environments in full respect of Union data protection rules, notably Regulation (EU) 2016/679 of the European Parliament and of the Council in particular when processing personal is necessary for the purposes of a legitimate interest pursued by the controller.

Contents

1.

BUDGETARY IMPLICATIONS



In terms of budgetary implications, as the current Regulation foresees an enhanced role for the ESAs by means of powers granted upon them to adequately oversee critical ICT third-party providers, the proposal would entail the deployment of increased resources, in particular to fulfil the oversight missions (such as onsite and online inspections and audits exercises) and the use of staff possessing specific ICT security expertise.

The scale and distribution of these costs will depend on the extent of the new oversight powers and the (precise) tasks to be performed by the ESAs. In terms of providing new staff resources, EBA, ESMA and EIOPA will require in total 18 full-time employees (FTE) - 6 FTEs for each authority - when the different provisions of the proposal will enter into application (estimated at EUR 15,71 million for the period 2022 - 2027). The ESAS will also incur additional IT costs, mission expenses for the onsite inspections and translation costs (estimated at EUR 12 million for the period 2022 - 2027), as well as other administrative expenditure (estimated at EUR 2,48 million for the period 2022 - 2027). Therefore, the estimated total cost impact is approximately EUR 30,19 million for the period 2022 - 2027.

It should also be noted that, while the headcount (e.g. new staff members and other expenditure related to the new tasks) necessary for direct oversight will depend over time on the development of the number and size of the critical ICT th ird- party service providers to be overseen, the respective expenditure will be fully funded by fees raised from those market participants. Therefore, no impact on EU budget appropriations is foreseen (except for the additional staff), as these costs will be fully funded by fees.

The financial and budgetary impacts of this proposal are explained in detail in the legislative financial statement annexed to this proposal.

23.

20 21


Ibid.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p.

1).

5. OTHERELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The proposal includes a general plan for monitoring and evaluating the impact on the specific objectives, requiring the Commission to carry out a review at least three years after the entry into force, and to report to the European Parliament and the Council on its main findings.

The review is to be conducted in line with the Commission’s Better Regulation Guidelines.

Detailed explanation of the specific provisions of the proposal

The proposal is structured around several main policy areas which are key inter-related pillars consensually included in European and international guidance and best practices aimed at enhancing the cyber and operational resilience of the financial sector.

Scope of the Regulation and proportionality application of required measures (Article 2)

To ensure consistency around the ICT risk management requirements applicable to the financial sector, the regulation covers a range of financial entities regulated at Union level, namely credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers.

Such a coverage facilitates a homogenous and coherent application of all components of the risk management on ICT -related areas, while safeguards the level playing field among financial entities in respect of their regulatory obligations on ICT risk. At the same time, the regulation acknowledges that significant differences exist between financial entities in terms of size, business profiles or in relation to their exposure to digital risk. Since larger financial entities have more resources, only financial entities not qualifying as m ic roe nte rprises are required, for instance, to establish complex governance arrangements, dedicated management functions, perform in-depth assessments after major changes in the network and information system infrastructures, regularly conduct risk analyses on legacy ICT systems, expand the testing of business continuity and response and recovery plans to capture switchover scenarios between their primary ICT infrastructure and redundant facilities. Moreover, only financial entities identified as significant for the purposes of the advanced digital resilience testing will be required to conduct threat led penetration tests.

Notwithstanding this broad coverage, it is not exhaustive. Notably, this regulation does not capture system operators as defined in point (p) of Article 2 of Directive 98/26/EC22 on settlement finality in payment and securities settlement systems (SFD), nor any system participant unless such participant is itself a financial entity regulated at Union level and as such it would be covered by this regulation in its own right (i.e. credit institution, investment firm, CCP). In addition, the Union registry for emission allowances which is operated, in

22 Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement

finality in payment and securities settlement systems (OJ L 166, 11.6.1998, p. 45).

accordance with Directive 2003/87/EC,23 under the aegis of the European Commission is also outside the scope.

Such exclusions from the SFD take into account the need for a further review of legal and policy matters touching the SFD system operators and participants while duly considering the impact of frameworks currently applying to payment systems24 operated by central banks. As these matters may entail aspects, which remain distinct from issues covered by this regulation, the Commission will continue assessing the necessity and impact of a further extension of this regulation’s scope to entities and ICT infrastructures currently outside of its remit.

Governance related requirements (Article 4)

This regulation is designed to better aligning financial entities’ business strategies and the conduct of the ICT risk management. To that effect, the management body will be required to maintain a crucial, active role in steering the ICT risk management framework and shall pursue the respect of a string cyber hygiene. The full responsibility of the management body in managing financial entity’s ICT risk will be an overarching principle to be further translated into a set of specific requirements, such as the assignment of clear roles and responsibilities for all ICT-related functions, a continuous engagement in the control of the monitoring of the ICT risk management, as well in the full range of approval and control processes and an appropriate allocating of ICT investments and trainings.

ICT risk management requirements (Articles 5 to 14)

Digital operational resilience is rooted in a set of key principles and requirements on ICT risk management framework, in line with the joint ESAs technical advice. These requirements, inspired from relevant international, national and industry-set standards, guidelines and recommendations, revolve around specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication). To keep pace with a quickly evolving cyber threat landscape, financial entities are required to set-up and maintain resilient ICT systems and tools that minimize the impact of ICT risk, to identify on a continuous basis all sources of ICT risk, to set-up protection and prevention measures, promptly detect anomalous activities, put in place dedicated and comprehensive business continuity policies and disaster and recovery plans as an integral part of the operational business continuity policy. The latter components are required for a prompt recovery after ICT-related incidents, in particular cyber-attacks, by limiting damage and prioritising safe resumption of activities. The regulation does not itself impose specific standardization, but rather builds on European and internationally recognized technical standards or industry best practices, insofar they are fully compliant with supervisory instructions on the use and incorporation of such international standards. This regulation also covers the integrity, safety and resilience of physical infrastructures and facilities that support the use of technology and the relevant ICT-related processes and people, as part of the digital footprint of a financial entity’s operations.

ICT-related incident reporting (Articles 15 to 20)

23

24

Directive 2003/87/EC of the European Parliament and of the Council of 13 October 2003 establishing a scheme for greenhouse gas emission allowance trading within the Community and amending Council Directive 96/61/EC (OJ L 275, 25.10.2003, p. 32).

In particular Regulation of the European Central Bank (EU) No 795/2014 of 3 July 2014 on oversight requirements for systemically important payment systems.

Harmonising and streamlining the reporting of ICT-related incidents is achieved via, first, a general requirement for financial entities to establish and implement a management process to monitor and log ICT-related incidents, followed by an obligation to classify them based on criteria detailed in the regulation and further developed by the ESAs through to specify materiality thresholds. Second, only ICT-related incidents that are deemed major must be reported to the competent authorities. The reporting should be processed using a common template and following a harmonised procedure as developed by the ESAs. Financial entities should submit initial, intermediate and final reports and inform their users and clients where the incident has or may have an impact on their financial interests. Competent authorities should provide pertinent details of the incidents to other institutions or authorities: to the ESAs, to the ECB and to the single points of contact designated under Directive (EU) 2016/1148.

To set off a dialogue between financial entities and competent authorities that would help minimising the impact and identifying appropriate remedies, the reporting of major ICT-related incidents should be complemented by supervisory feedback and guidance.

Lastly, the possibility of centralisation at Union level of ICT-related incident reporting should be further explored in a joint report by the ESAs, ECB and ENISA assessing the feasibility of establishing a single EU Hub for major ICT-related incident reporting by financial entities.

Digital operational resilience testing (Articles 21 to 24)

The capabilities and functions included in the ICT risk management framework need to be periodically tested for preparedness and identification of weaknesses, deficiencies or gaps, as well as the prompt implementation of corrective measures. This regulation allows for a proportionate application of digital operational resilience testing requirements depending on the size, business and risk profiles of financial entities: while all entities should perform a testing of ICT tools and systems, only those identified by competent authorities (based on criteria in this regulation and further developed by the ESAs) as significant and cyber mature should be required to conduct advanced testing based on TLPTs. This regulation also sets out requirements for testers and the recognition of TLPT results across the Union for financial entities operating in several Member States.

ICT third-party risk (Articles 25 to 39)

The regulation is designed to ensure a sound monitoring of ICT third-party risk. This objective will be achieved first through the respect of principle-based rules applying to financial entities’ monitoring of risk arising through ICT third-party providers. Second, this regulation harmonises key elements of the service and relationship with ICT third-party providers. These elements cover minimum aspects deemed crucial to enable a complete monitoring by the financial entity of ICT third-party risk throughout the conclusion, performance, termination and post-contractual stages of their relationship.

Most notably, the contracts that govern that relationship will be required to contain a complete description of services, indication of locations where data is to be processed, full service level descriptions accompanied by quantitative and qualitative performance targets, relevant provisions on accessibility, availability, integrity, security and protection of personal data, and guarantees for access, recover and return in the case of failures of the ICT third-party service providers, notice periods and reporting obligations of the ICT third-party service providers, rights of access, inspection and audit by the financial entity or an appointed third-party, clear termination rights and dedicated exit strategies. Moreover, as some of these contractual elements can be standardized, the regulation promotes a voluntary use of standard contractual clauses which are to be developed for the use of cloud computing service by the Commission.

Finally, the regulation seeks to promote convergence on supervisory approaches to the ICT-third-party risk in the financial sector by subjecting critical ICT third-party service providers to a Union oversight framework. Through a new harmonised legislative framework, the ESA designated as lead overseer for each such critical ICT third-party service provider receives powers to ensure that technology services providers fulfilling a critical role to the functioning of the financial sector are adequately monitored on a Pan-European scale. The oversight framework envisaged by this regulation builds on the existing institutional architecture in the financial services area, whereby the Joint Committee of the ESAs ensures cross-sectoral coordination in relation to all maters on ICT risk, in accordance with its tasks on cybersecurity, supported by the relevant subcommittee (Oversight Forum) carrying out preparatory work for individual decisions and collective recommendations to CTPPs.

Information sharing (Article 40)

To raise awareness on ICT risk, minimise its spread, support financial entities’ defensive capabilities and threat detection techniques, the regulation allows financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence.