(Update to June 26, 2023 regulatory spotlight article)[1]
Background
Operational resilience in the financial sector continues to be a priority for supervisory authorities around the world, who are coordinating their efforts in this area.
The Digital Operational Resilience Act (DORA) is one of the most important pieces of EU legislation shaping third-party risk management (TPRM) requirements for the financial services industry in the European Union (EU). The game-changer is the expanded regulatory perimeter, which captures critical ICT third-party service providers. This brings non-financial organisations whose role is deemed critical to the functioning of financial markets within the reach of financial supervisors.
DORA is directly applicable EU law backed by new supervisory powers. In-scope organisations will therefore be accountable for demonstrating compliance, not only by adopting the required policies but by delivering measurable resilience outcomes.
What is this spotlight about?
In this issue, we are featuring the policy products published by the three European Supervisory Authorities (EBA, ESMA and EIOPA). The authorities released the final draft policy products in an initial batch in January 2024 [2] and a second batch in July 2024 [3], with one more released later in the same month [4]. Taken together, these consist of eight regulatory technical standards (RTS), two sets of implementing technical standards (ITS) and two sets of guidelines, all of which aim to enhance the digital operational resilience of the EU's financial sector.
Batch 1 | January 2024 [2]
Batch 2 | July 2024 [3]
Batch 3 | late July 2024 (including the subcontracting rules) [4]
Why does this development matter?
This is a significant milestone in providing specificity on the requirements that financial institutions and competent authorities must meet when implementing DORA. This detail has been much needed and anticipated, with some organisations reluctant to fully commit to executing changes before the final requirements were known.
Organisations now face tight timelines to translate the final draft requirements into actionable steps and execute them before the 17 January 2025 application date. This is compounded by the fact that the subcontracting rules, which are among the most challenging for firms and their ICT providers, were the last to be released, in late July 2024. ICT providers will also need to implement the necessary changes and remediate their contracts so that they can continue to provide services to the financial services industry in line with DORA requirements once those requirements apply.
The European Commission will now review the final draft technical standards submitted to it and aims to adopt them in the coming months. Although material deviations from the final drafts are now unlikely, changes could still be made to the requirements before they become binding.
Key next steps and dates
- Final draft technical standards to be reviewed by the European Commission, with scrutiny by the European Parliament and the Council of the European Union, prior to adoption.
- "Dry run" of the collection of the register of information, throughout the remainder of 2024.
- Application of DORA: 17 January 2025.
[2] ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification, European Banking Authority (europa.eu)