The E.U.’s Digital Operational Resilience Act: Cloud Services & Financial Companies

September 27, 2021

In September 2020, the European Commission released a proposed regulation on digital operational resilience for the financial sector (“DORA”), which aims to establish a detailed and comprehensive framework on digital operational resilience for financial entities in the European Union (“EU”). DORA includes provisions governing the management of risks associated with financial entities’ outsourcing to technology service providers (“TSPs”), and it mandates direct regulatory oversight of “critical” TSPs.

In our report, The E.U.’s Digital Operational Resilience Act: Cloud Services & Financial Companies, we review how DORA will change the regulatory landscape for firms that provide cloud services to financial entities in the EU. We also set forth recommendations to better align DORA with its stated goals.

Technology Outsourcing in the Financial Sector

In response to the increasing trend of financial entities outsourcing technology functions to cloud and other TSPs, financial regulators in the EU have issued principles-based regulations and guidance addressing outsourcing by financial entities. Part one of the report provides background on technology outsourcing in the financial sector and current regulatory and supervisory frameworks.

These frameworks share several common themes. First and foremost, financial entities that use TSPs retain primary responsibility for assessing and managing risk in connection with the outsourced services. In addition, regulatory expectations vary based on the relative importance of outsourced functions: stricter criteria apply where financial entities outsource material, critical, or important functions. Factors considered when determining the importance of a function include whether it has a strong impact on a financial entity’s risk profile or internal control framework. Finally, supervisory frameworks generally emphasize that financial entities should assess and monitor outsourcing arrangements, and that regulators should review compliance with outsourcing standards following a risk-based approach (i.e., considering both the nature of the outsourced function and its potential risks).

The Digital Operational Resilience Act

Part two describes provisions in DORA governing the management of third-party risk by financial entities, which include key principles governing sound management of third-party risk and a framework for direct oversight of TSPs deemed “critical” by EU supervisory authorities.

There is considerable overlap between DORA and existing outsourcing frameworks. For example, like other frameworks, DORA requires financial entities to undertake risk assessments and due diligence before entering into new outsourcing arrangements and report new arrangements to the applicable regulator. DORA also requires financial entities to manage the unique risks associated with cross-border outsourcing, to establish business continuity strategies that plan for service disruptions and other contingencies, and to monitor outsourcing risks on an ongoing basis by regularly auditing their TSPs.

However, DORA also diverges in notable ways from existing guidance on technology outsourcing. In particular, DORA establishes a robust supervisory framework that subjects each TSP designated as “critical” to direct oversight by EU supervisory authorities, which include the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority (together, the “ESAs”).

Under the new framework, the ESAs must designate TSPs that are “critical” for financial entities (“CTPPs”) based on specified criteria. These criteria include the systemic character and importance of the TSP’s financial entity clients, the number of EU member states in which the TSP and its clients operate, the importance of the functions that the TSP supports, the degree of substitutability of the TSP, and the effect of a large-scale operational failure at the TSP. Further, for each CTPP, the ESAs must jointly designate a single ESA as its “lead overseer” based on the total assets of the financial entities using the CTPP’s services. This lead overseer is responsible for directly monitoring the CTPP for financial sector risks and is vested with broad supervisory authorities to discharge its responsibilities, including the authority to issue substantive recommendations, impose penalties, and prohibit the use of non-EU TSPs.

This CTPP direct oversight regime represents a significant departure from the current regulatory framework for technology outsourcing by financial institutions in Europe, where EU financial regulators do not directly supervise TSPs. The proposed framework also represents a meaningful departure from TSP oversight in the United States, which involves risk-based (rather than prescriptive) supervision whose primary aim is to help client financial institutions comply with applicable legal requirements.

Recommendations to Improve DORA

DORA’s stated aims include establishing a proportionate and risk-based framework for digital operational resilience; facilitating innovation while promoting digital operational resilience; and promoting cross-border regulatory harmonization and coordination. Part three of the report shows where DORA’s direct oversight framework falls short on those measures and outlines changes that could improve its effectiveness.

First, consistent with the position taken by the ESAs, we recommend that DORA be revised to more comprehensively incorporate the principle of proportionality, especially with respect to CTPP oversight. Specifically, the penalties regime should be revised to clarify that penalties should be proportionate rather than punitive. Lead overseers should have discretion to set financial penalties for non-compliance at any amount up to a certain cap based on the severity of the CTPP’s non-compliance—for example, one percent of a CTPP’s turnover attributable to its financial services business (not all business) in the EU (not globally).

Second, to meet DORA’s goal of enhancing cross-border harmonization and coordination, we recommend that DORA be revised to clarify the relationship between DORA and existing outsourcing guidelines (e.g., that DORA supersedes existing guidelines) and clarify the relationship between lead overseers and national financial regulators within the CTPP oversight framework. In addition, since many CTPPs will also be subject to oversight by national cybersecurity regulators and foreign regulators, DORA should clarify how lead overseers can and should cooperate with these authorities.

Third, we note that DORA restricts financial entities’ use of certain non-EU TSPs and subjects TSP subcontracting arrangements to a high level of scrutiny in a manner that would impede innovation by imposing significant compliance costs without promoting operational resilience. Consequently, we recommend that DORA’s restriction on the use of non-EU service providers be eliminated and that provisions governing subcontracting be limited to subcontracted functions that are “critical or important” to the operations of a financial institution.

Hal S. Scott, Emeritus Nomura Professor of International Financial Systems, Harvard Law School.

The full report can be accessed here.
