BLOG — Jun 26, 2023

Regulatory spotlight: The Digital Operational Resilience Act (DORA)

(Update to October 2022 regulatory spotlight article)[1]

Background

Operational resilience in the financial sector continues to be a priority for Supervisory Authorities around the world, who are coordinating their efforts in this area.

The Digital Operational Resilience Act (DORA) is one of the most important upcoming legislative proposals that will shape third-party risk management (TPRM) requirements for the Financial Services industry in the European Union (E.U.). The game-changer is the expanded regulatory perimeter that captures Critical Third Parties. This includes non-financial organizations whose role is deemed critical to the functioning of financial markets.

DORA introduces new legislative powers, and as such, pertinent organizations will be accountable and required to demonstrate compliance by adhering to the policies and promoting resilience outcomes.

What is this spotlight about?

In this issue, we are featuring the joint Discussion Paper[2] by the three European Supervisory Authorities (EBA/ESMA/EIOPA), which specifies the criteria used to assess criticality and the fee structure for overseeing ICT third-party providers.

The feedback collected in this consultation will inform the technical advice that the ESAs will deliver to the European Commission.

Why does this development matter?

This development signals that Authorities are moving along the policy roadmap swiftly and seeking input into implementation considerations. This is an important milestone as it provides the criteria used to assess the criticality of ICT third-party service providers in the context of ICT risk and its potential impact on operational resilience. Considerations that need to be taken into account include:

  • The impact of the ICT provider on the provision of financial services in the event of a large-scale operational failure
  • The importance of the financial entities using the ICT provider, which can lead to increased risk for the overall market in the case of ICT failure
  • The reliance of multiple financial entities on the use of an ICT provider for critical/important functions
  • The degree of substitutability, given that the number of specific ICT providers may be limited and substitution could be challenging.

Furthermore, the joint Discussion Paper proposes a structure under which oversight fees will be levied on organizations that fall within the scope of DORA as Critical Third-Party Providers (CTPPs). The Discussion Paper details the proposed method and basis for calculating the types of expenditures to be covered by oversight fees.

Key dates

The following are the next two important milestones on the roadmap.

  • Response forms are due by 23 June 2023.
  • ESA technical advice is due to the European Commission by 30 September 2023.

[1] Regulatory Spotlight: DORA | S&P Global (spglobal.com)

[2] ESAs Discussion Paper CfA DORA criticality criteria and OVS fees_clean (europa.eu)




This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.