Digital operational resilience

Key points:

The EESC (European Economic and Social Committee)

  • welcomes the Digital Operational Resilience Act (DORA) proposal, as it aims to bring legal clarity to the ICT risk provisions, reduce regulatory complexity, establish common standards for mitigating ICT risks and harmonised supervision, while also providing safeguards for financial firms and ICT providers.
  • recommends enhancing the effectiveness of DORA by means of the following steps:
    • Include within the scope of DORA any provider of critical financial services that carries out financial activities, and exclude the use of ICT services for non-critical functions.
    • Ensure consistency in definitions and scope between DORA and the requirements set out in existing guidelines issued by the European Supervisory Authorities (ESAs).
    • Regarding ICT risk management, adopt a framework built on a principles- and risk-based approach that facilitates the implementation of controls that are future-proof, flexible and proportionate to the risks.
    • Regarding ICT-related incidents, ensure full alignment with the Financial Stability Board's (FSB's) Cyber Incident Response and Recovery toolkit.
    • Regarding digital operational resilience testing, take into account not only the size of the financial institution but also the complexity and critical nature of the service; avoid mandating that testing be outsourced to the limited pool of external testers, and ensure mutual recognition of testing results.
    • Consolidate requirements on outsourcing into a single rulebook.
    • Enforce the lead overseers' recommendations and set out a clear set of roles and responsibilities for the different authorities involved in the oversight of critical ICT third-party providers (CTPPs).
    • Ensure that financial firms retain access to outsourced services deemed critical when the third-party providers (TPPs) are established in third countries, so as to avoid restricting firms' freedom of contract and their capacity to access the services of high value-added providers.
    • Build proportionality into the penalty regime, to avoid disincentivising ICT providers from serving EU financial entities, and move away from the current reference to worldwide turnover.
    • Provide clarity on the ability of firms to share cyber-threat information by ensuring that such arrangements are put in place on a voluntary basis and that an explicit provision allowing for the exchange of personal information is included in the DORA proposal.
    • Consider extending the exemption threshold to cover micro and small enterprises, and reducing the number of requirements for them in proportion to their digital risk profiles.
  • supports empowering the lead overseers to carry out audit and inspection procedures for CTPPs.