Digital operational resilience for the financial sector - New regulatory hit?

The European Commission (EC) has looked at the EU financial sector and realised that it is critically dependent on Information and Communication Technologies (ICT). It sees that the regulatory focus on addressing this has been limited and incomplete.

The EC has prepared a proposal for a regulation on digital operational resilience for the financial sector which may affect not only financial entities, but major ICT service providers as well. The idea is to achieve a high level of harmonised digital operational resilience applicable to all financial entities in the EU.

Who will be affected?

The proposal is addressed to three groups of entities:

  1. Financial, regulated entities – the list is long and finite and includes traditional institutions like credit institutions, payment institutions, and insurers (including insurance intermediaries) as well as crypto-asset service providers, issuers of crypto-assets, electronic money institutions etc.

  2. Financial information handlers – data reporting service providers, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks

  3. ICT third-party service providers – digital and data service providers, including providers of cloud computing services, software, data analytics services, data centres.

Further, ICT third-party service providers will be divided into two categories – ICT third-party service providers (all entities meeting the above definition) and critical ICT third-party service providers (selected and designated in an administrative procedure).

What are the criteria for a critical ICT third-party service provider?

The authorities will look at six areas:

  1. Large-scale operational failure impact (number of financial entities affected)

  2. The systemic importance of the financial entities that depend on the provided ICT services

  3. The criticality of functions and processes supported by the provided ICT services

  4. The degree of substitutability of the ICT third-party service provider

  5. The number of Member States in which the ICT services are provided

  6. The number of Member States in which the ICT services user operates.

How important is it?

For the first time, major technology providers (primarily cloud service providers) will be directly subject to financial oversight (EBA, ESMA or EIOPA). Authorities, referred to in the proposal as ‘Lead Overseers’, will be authorised to issue binding recommendations to technology providers and impose administrative penalties if these recommendations are not met.

What if you are a non-critical ICT third-party service provider?

You will most likely be asked by your financial sector clients to review your contracts and terms and conditions, perhaps widen their access and audit rights, add an exit plan, and change how incident reporting works. You might be forced to review your contracts with sub-contractors in order to be able to satisfy the contractual requirements in the documentation executed with financial clients.

How will financial institutions be affected?

Major financial institutions that follow the respective EBA, ESMA or EIOPA guidelines on outsourcing or cloud computing will not have to change much, except for new formalised testing and reporting obligations under the proposal.

Other financial institutions that to date have not had an obligation to follow the abovementioned or similar guidelines will have to review their contracts with technology providers and implement ICT risk management policies within their organisations.

How can we help?

Currently this is only a proposal and it will take time before it becomes binding law, so it is too early for the potentially affected entities to act at present. Once it becomes effective law, it would apply 12 months after its entry into force, except for Articles 23 and 24 (advanced testing and requirements for testers), which would apply 36 months after its entry into force.

We will monitor the developments and prepare client alerts – for updates, follow us on LinkedIn.

When the proposal becomes binding law, we can assess if your organisation is affected and help you to adjust to the requirements or respond to the resulting expectations of your financial sector clients.