European finance regulators demand more powers to enforce "digital operational resilience"
Lack of follow-up powers poses risk to "effectiveness of enforcement"
Three leading European financial regulators want more powers to audit "digital operational resilience risks".
The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) say the pending legislation should "enlarge the scope of action" of the regulators by "directly assigning them the necessary legal mandate" in the legislative text itself.
They were writing to the European Commission (EC) this month about the Digital Operational Resilience Act (DORA), which sets out key rules governing ICT risk management, incident reporting, testing and oversight.
See also: NIS 2: Winds of change blowing as Europe sharply tightens up cybersecurity requirements.
DORA forms part of the digital finance package the EC published on September 24, 2020. Under it, the three so-called European Supervisory Authorities (ESAs) would have the power to request information, conduct off-site and on-site inspections, issue recommendations and requests, and impose fines in certain circumstances.
The proposal notes that "The Union needs to adequately and comprehensively address digital risks to all financial entities stemming from an increased use of ICT in the provision and consumption of financial services. Operators in the financial sector are heavily reliant on the use of digital technologies in their daily business and it is therefore of utmost importance to ensure the operational resilience of their digital operations against ICT risks. This need has become even more pressing because of the growth in the market for breakthrough technologies."
Digital Operational Resilience Act: "Enlarge our scope of action", say ESAs.
“Successful implementation of this EU-wide oversight framework requires granting the appropriate powers and mandate, along with the necessary resources and expertise”, the three said.
“It is essential for the oversight framework to clearly attribute the legal responsibilities that arise. Equally, the framework should sufficiently enlarge the scope of action of the ESAs by directly assigning them the necessary legal mandate in the legislative text”, they added in the letter.
Gabriel Bernardino, José Manuel Campa, and Steven Maijoor, the ESA chairs, noted in their February 9 letter that DORA raises "challenges on the practical functioning of the oversight framework", with regulators likely to "face challenges from a technical capacity and expertise perspective" as they "discuss and address quite technical IT issues related to the oversight activities".
They proposed the creation of a joint-ESAs executive body to help run the oversight, while warning the EC that its current proposal suffers from a "mismatch" between the powers it bestows on them to conduct oversight and the "lack of powers" when it comes to following up on their recommendations. This gap poses a significant challenge to the "effectiveness and soundness of the enforcement mechanism", they warned, and they also called for greater staffing resources.
Luke Scanlon, who specialises in financial services and technology law at law firm Pinsent Masons, noted: "The letter highlights that there is still a long way to go before the text of DORA can operate as a clear unified framework for governing ICT third party risk at EU level."