9 October 2020
Digital finance – 1 of 3 Insights
Plans to harmonise the EU regulatory framework for digital operational resilience in financial services have now been published.
Let's look at the potential impact on EU firms and the new measures they'll need to put in place to prevent or limit the impact of ICT-related incidents.
On 24 September 2020 the European Commission published its Proposal for a Regulation on Digital Operational Resilience for the Financial Sector. The proposed regulation would introduce a detailed and comprehensive framework on digital operational resilience and management of ICT-risk across EU financial services firms.
It aims to consolidate and update the ICT risk requirements currently addressed across various pieces of EU sectoral legislation. Instead, all provisions addressing digital risk in finance in the EU would be brought together in a consistent manner in a single legislative act for the first time.
The requirements would apply across the EU banking, insurance and securities sectors (which we'll refer to here as "Financial Entities) to ensure consistency around ICT risk management in financial services.
The requirements focus specifically on the management of "ICT risks", which is broadly defined. To date, financial services legislation has tended to focus on operational risks generally or those associated with outsourcing specifically (the EBA's recent guidelines on ICT and Security Risk Management are one exception to this).
By contrast, the proposals take a holistic approach to ICT risks specifically, seeking to provide supervisors with tools to prevent ICT risks from materialising and causing wider financial stability concerns.
The proposals seek to enshrine targeted rules on ICT risk management capability, reporting and testing, in a way which enables firms to withstand, respond to and recover from ICT incidents. The proposals include requirements relating to:
Proportionality and risk-based application is embedded in the proposals, including through the use of qualitative and quantitative assessment criteria. This is intended to enable Financial Entities to tailor the requirements to their specific risks and needs, depending upon their size, business profiles, and technology risks.
The proposed regulation would also establish a framework for the oversight of ICT third-party service providers which the European Supervisory Authorities (acting through their Joint Committee) designate as “critical” for Financial Entities. This would be based on specified criteria including their systemic importance to the EU financial system.
Technology risks have no borders. Unsurprisingly, some of the proposed requirements share similarities with the FCA's and PRA's proposals on operational resilience, although the EU proposals focus more specifically on ICT risk.
The FCA and PRA proposals focus more expressly upon setting impact tolerances for important business services and implementing measures to ensure the firm can remain within those tolerance levels in severe but plausible scenarios (including but not limited to ICT/cyber incidents).
By contrast, the European Commission's proposals would still require Financial Entities to establish risk tolerance levels for ICT risk, but this is part of the wider ICT risk management framework, rather than a key tenet of the requirements.
The FCA has also announced its intention to keep its guidance for firms outsourcing to the cloud and other third-party IT services under review and ensure this remains consistent with relevant international standards "where appropriate". It will be interesting to see how (if at all) the approach of the FCA and PRA develop in response to the EU proposals.
The European Commission's proposal makes up part of a broader digital finance package published by the Commission, including:
If you're an ICT service provider, don't miss our separate article which looks at the proposals to establish a framework for the oversight of ICT third-party service providers designated as "critical" to the EU financial services system. If you have any questions about what we've covered in this article, please contact a member of our Financial Services Regulatory team.
by Multiple authors
by multiple authors