25 June 2024
In recent years, the ever-increasing adoption of new technologies for the provision of financial services has reshaped the financial services industry in many different ways. This digital evolution has, however, left financial institutions largely dependent on the proper functioning of the IT systems underpinning their financial infrastructure, systems that have become the backbone of the global financial system in today's digital environment.
This has also opened a new chapter for the financial services industry, which is now, more than ever, exposed to new types of risk, particularly those that can jeopardise its resilience to cybersecurity-related threats. Recognising the critical need to bolster the digital operational resilience of the financial services industry in the EU, the European Commission proposed, as part of its Digital Finance Package published in September 2020, the Regulation on digital operational resilience for the financial sector, commonly known as the Digital Operational Resilience Act (DORA).
The rules on digital operational resilience applicable to financial institutions are currently fragmented and scattered across various sector-specific pieces of EU financial regulation (e.g., MiFID II, CRD, PSD2) as well as the Guidelines of the European Supervisory Authorities (ESAs), which are in many ways the cornerstone of the EU regulatory framework on outsourcing arrangements, an area on which the financial services industry has become increasingly dependent in recent years. However, the lack of proper harmonisation between these sector-specific regulations, the limited scope of application of the ESAs' Guidelines on outsourcing, and the Guidelines' rather non-binding character (i.e., application on a comply-or-explain basis) leave room for regulatory ambiguity in this important area, which in the digital age has become a backbone of the proper functioning of the financial services industry.