DORA proposes changes to financial services sector

With every passing day we realise that there is no stopping the development and use of digital platforms for personal and business purposes. This is no different for the financial services sector. Well-established financial entities are overhauling their business models to aggressively integrate technology and digitise finance. A more digitally focused financial sector would undoubtedly help repair the social and economic damage caused by the pandemic. There is no doubt that such digital advancements are key to the modernisation of the European economy and that, through improved access and quality assurance, these developments help consumers, stakeholders and businesses tackle the unprecedented situation created by the COVID-19 pandemic. One cannot ignore, however, that these same technological developments change both the level and the nature of the risk involved. It is therefore imperative that, for the European Union to be a digital leader in critical technology and quality assurance, it must promote the expansion of digital finance whilst safeguarding the sound regulation of risk.

In order to safeguard consumers, as well as the market as a whole, the European Commission has published a proposal for a regulation on digital resilience for the financial services industry, with some micro-enterprise exceptions (“DORA” and/or the “Proposal”).[1] The Proposal lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities (including but not limited to: credit institutions; payment institutions; electronic money institutions; crypto-asset service providers; central securities depositories; central counterparties; trading venues; data reporting service providers; and crowdfunding service providers, as listed in article 2). The requirements proposed by the EU Commission are principally focused on addressing the ever-increasing dependency on Information and Communication Technology (“ICT”). As this dependence continues to grow with the use of emerging models, concepts and technologies, as evidenced by financial services benefiting from distributed ledger technology and artificial intelligence, the financial business world will need to abide by a new framework of digital resilience. The increasing digitalisation of financial services, coupled with the presence of high-value assets and (often sensitive) data, makes the financial system vulnerable to operational incidents emanating from ICT-related issues. In order to combat such risks, the requirements are based on sound measures of information and intelligence sharing, digital operational resilience testing, and supervision and enforcement. Every aspect of these requirements is designed to achieve a high common level of digital operational resilience. The Proposal focuses on the finance sector, though it does mention digital disruption that would in turn have an impact on other sectors.

Cyber threats and ICT disruptions in other sectors (such as health, energy, etc.) may also arise from disruptions experienced by the financial sector. Hence, it would be ideal if greater emphasis were given to digital resilience at a wider level, with its application extended to all economic activities that may involve ICT risk, and not limited to the financial services industry.

The concept of resiliency, which is the backbone of the Proposal, has, primarily due to the increase in popularity of sustainable finance, become a well-established theme in the EU’s recovery plan. So much so that President Ursula von der Leyen, in her speech at the European Parliament Plenary on the EU Recovery package, stated that “In total, the Commission will raise EUR 750 billion for Next Generation EU. Of that total, EUR 500 billion will be distributed in grants and EUR 250 billion in loans passed on to Member States. The grants will be clear investments in our European priorities: Strengthening our digital single market, European Green Deal and resilience.” President von der Leyen went on to highlight the importance of this investment by emphasising that these grants and plans are a joint investment in our future, and are in no way connected to the past debts of the Union.

DORA, through operational resilience, provides a safeguard against cyber and ICT-related risks; however, it fails to properly distinguish between the ICT element and the financial risk element. Such a distinction is important so that the Malta Financial Services Authority (the “MFSA”) need not be exclusively responsible for a highly technical and complex field, but can instead remain focused on the financial element whilst relying on the expertise of another national competent authority for the non-financial risk element. In that vein, it is important to consider how the term ‘ICT risk’ is defined by the Proposal:

“any reasonably identifiable circumstance in relation to the use of network and information systems – including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event – which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects”.

This definition could easily be applied to most industries, well beyond the limits of the financial services market. For example, industries such as transport, health, energy and aviation all have the use of ICT as the base of their operations. It is only the application of the technology that changes, not the technology itself. Risk, when considered independently from ICT, is a consequence of some sort of disruption or incident (whether ICT-related or not) that hinders a financial entity’s ability to meet its obligations, which in turn would mean that investors, consumers and even society would be at risk.

It may consequently be considered that the defined term (as provided above) has a universal application, and that the Proposal fails to take into consideration existing frameworks and authorities that specifically deal with ICT from a holistic point of view. ICT risk should therefore be supervised and regulated (in terms of this Proposal) jointly and independently by both a financial authority (the MFSA) and an ICT authority (the Malta Digital Innovation Authority (the “MDIA”), whose functions are consistent with the Proposal’s agenda). This would imply that, whilst the MFSA would deal with risk from a financial perspective, the MDIA would focus on ICT risk in finance as well as in any other industry where ICT is relevant. Having an ICT competent authority with the authority, resources, knowledge, expertise and drive to deal with ICT-related issues is more efficient and would result in a much more focused allocation of resources. The MDIA has in fact introduced pre-certification of ICT technology so that operators can have the comfort of using it with security and assurance. This kind of certification, and the testing programme it requires, may serve as a model for discussion in other EU member states for the benefit of the whole EU market.

The Proposal also attempts to address certain contractual arrangements, though it should also provide legal certainty as to remedies for losses caused by defects in the product sector and place caps on compensation when dealing with third-party products, open source software, and automated and decentralised platforms. The MDIA, and the legal framework that surrounds it, has already started to address the latter issues by means of the Innovative Technology Arrangements and Services Act (Cap. 592, Laws of Malta), which caters for aspects of quality assurance in the area of innovative technology and has in fact recently broadened its remit to “keep pace with an evolving cyber threat landscape”[2] by virtue of Legal Notice 389 of 2020[3]. It is critically important that national authorities in each member state proactively work together to strengthen digital resilience, so that all parties can benefit from digital services and innovations irrespective of the industry.


[1] Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014.

[2] Recital 39 of the Proposal.

[3] LN 389 of 2020, Innovative Technology Arrangements and Services Act (Amendment) Regulations, 2020.