The European Commission (EC) has looked at the EU financial sector and realised that it is critically dependent on Information and Communication Technologies (ICT). It sees that the regulatory focus on addressing this has been limited and incomplete.
The EC has prepared a proposal for a regulation on digital operational resilience for the financial sector which may affect not only financial entities, but major ICT service providers as well. The idea is to achieve a high level of harmonised digital operational resilience applicable to all financial entities in the EU.
The proposal is addressed to three groups of entities:
Further, ICT third-party service providers will be divided into two categories - ICT third-party service providers (all entities meeting the above definition) and critical ICT third-party service providers (selected and designated in an administrative procedure).
The authorities will look at six areas:
For the first time, major technology providers (primarily cloud service providers) will be directly subject to financial oversight (EBA, ESMA or EIOPA). Authorities, referred to in the proposal as ‘Lead Overseers’, will be authorised to issue binding recommendations to technology providers and impose administrative penalties if these recommendations are not met.
You will most likely be asked by your financial sector clients to review your contracts and terms and conditions, perhaps widen their access and audit rights, add an exit plan, and change how incident reporting works. You might also be forced to review your contracts with sub-contractors in order to be able to satisfy the contractual requirements in the documentation executed with financial clients.
Major financial institutions that follow the respective EBA, ESMA or EIOPA guidelines on outsourcing or cloud computing will not have to change much, except for new formalised testing and reporting obligations under the proposal.
Other financial institutions that to date have not had an obligation to follow the abovementioned or similar guidelines will have to review their contracts with technology providers and implement ICT risk management policies within their organisations.
Currently this is only a proposal and it will take time before it becomes binding law, so it is too early for the potentially affected entities to act. Once it becomes effective law, it would apply from 12 months after its entry into force, except for Articles 23 and 24 (advanced testing and requirements for testers), which would apply as of 36 months after its entry into force.
We will monitor the developments and prepare client alerts – for updates, follow us on LinkedIn.
When the proposal becomes binding law, we can assess if your organisation is affected and help you to adjust to the requirements or respond to the resulting expectations of your financial sector clients.