DigiTalks - Exploring DORA - The EU’s Digital Operational Resilience Act

HSBC Global Viewpoint
70 plays, 2 years ago

In this podcast we explore the EU’s Digital Operational Resilience Act (DORA), which entered into force in January 2023 with application from January 2025. 

Listen as Mhairi Sandeman, HSBC Securities Services’ Senior Product Manager for Global Trustee and Fiduciary Services, speaks with Claire Harrop, Senior Associate in the Financial Institutions Group at Freshfields, to help digest the final DORA requirements and consider the steps financial entities need to take to be ready.


Transcript

Introduction to the Podcast Series

00:00:01
Speaker
Welcome to HSBC Global Viewpoint, the podcast series that brings together business leaders and industry experts to explore the latest global insights, trends, and opportunities.
00:00:12
Speaker
Make sure you're subscribed to stay up to date with new episodes.
00:00:15
Speaker
Thanks for listening.
00:00:16
Speaker
And now onto today's show.

Introduction to DigiTalks and DORA

00:00:22
Speaker
Welcome to the latest in our DigiTalks podcast series.
00:00:26
Speaker
We are featuring a variety of different topics that are currently trending in the digital world.
00:00:31
Speaker
And we now explore again the EU's Digital Operational Resilience Act, in short, DORA.
00:00:38
Speaker
Introducing the topic is HSBC Securities Services' Senior Product Manager for Global Trustee and Fiduciary Services, Mhairi Sandeman.
00:00:47
Speaker
Mhairi, over to you.

Overview of DORA and Its Implementation Timeline

00:00:48
Speaker
Thanks, Gabriella.
00:00:51
Speaker
Now, in our DigiTalks podcast series, we've previously explored DORA, the EU's Digital Operational Resilience Act, in its draft form when it was introduced as part of the EU's digital finance package.
00:01:06
Speaker
The final DORA regulation has now been published and entered into force in January 2023, with application from January 2025.
00:01:18
Speaker
To help us digest the final DORA rules,
00:01:21
Speaker
and also to consider the steps financial entities need to take to be ready.
00:01:26
Speaker
I am really delighted to welcome back Claire Harrop, Senior Associate in the Financial Institutions Group at Freshfields.
00:01:35
Speaker
Claire, thanks so much for joining me today.

Purpose and Role of DORA in Financial Innovation

00:01:38
Speaker
Now, could you firstly explain briefly the backdrop and motivation for introducing the DORA regulation, please?
00:01:46
Speaker
Certainly, Mhairi, and thank you so much for having me back.
00:01:49
Speaker
As we covered on our last podcast, the Commission originally published the DORA proposal in the OJ on the 24th of September 2020 as part of its digital finance package, along with the Markets in Crypto-Assets Regulation and a number of other proposals designed to enable innovation and competition in the financial sector whilst mitigating risks.
00:02:10
Speaker
DORA was published in the OJ at the end of December last year.
00:02:14
Speaker
The DORA legislation sets out that the use of information and communications technology, or ICT, has acquired a critical importance in the operation of typical daily functions of financial entities.

Addressing ICT Risks with DORA

00:02:28
Speaker
In addition, increased digitalisation has deepened interconnectedness and dependencies within the financial sector and with third-party infrastructure and service providers.
00:02:38
Speaker
This has introduced systemic vulnerability and amplified ICT risk.
00:02:42
Speaker
One particular area that was identified by the legislators is a lack of harmonisation.
00:02:48
Speaker
Of course, the EU financial sector is regulated by a single rulebook and governed by a European system of financial supervision.
00:02:55
Speaker
However, provisions tackling digital operational resilience and ICT security are not yet fully or consistently harmonised.
00:03:03
Speaker
This is despite digital operational resilience being vital for ensuring financial stability and market integrity in the digital age, and it's certainly no less important than, for example, common prudential or market conduct standards.
00:03:16
Speaker
EU legislators have also recognised that differences between legislation and national supervisory or regulatory approaches with regard to ICT risk might be an obstacle to the functioning of the internal market in financial services,
00:03:30
Speaker
and that competition between the same type of financial entities operating in different Member States could also be distorted.
00:03:37
Speaker
Thanks for clarifying the background and rationale, Claire.

Entities Affected by DORA

00:03:41
Speaker
And who will DORA apply to and will this be limited to EU firms only?
00:03:47
Speaker
DORA will apply to what it terms financial entities, which encompasses most types of financial institution that are subject to EU legislation.
00:03:56
Speaker
And that group includes credit institutions, investment firms, payment institutions, central counterparties, central securities depositories and crypto asset service providers.
00:04:06
Speaker
DORA will also be relevant for ICT third party service providers, including cloud computing service providers providing ICT services to financial entities.
00:04:16
Speaker
That group includes those established in a third country outside the EU providing services to EU financial entities.
00:04:23
Speaker
Indirectly, ICT third party service providers will need to be aware of the obligations with which financial entities will be required to comply.
00:04:31
Speaker
But there are also some direct implications for certain service providers.
00:04:35
Speaker
Those service providers, which are designated as critical by the European supervisory authorities, will be subject to oversight by a lead authority
00:04:44
Speaker
and also subject to certain provisions of DORA directly.
00:04:48
Speaker
Thanks, Claire.
00:04:49
Speaker
A very wide-ranging application then.

Compliance Obligations under DORA

00:04:52
Speaker
Now, in terms of the content of DORA, could you please talk us through some of the high-level requirements for risk management, incident reporting and resilience testing?
00:05:02
Speaker
Of course.
00:05:03
Speaker
So financial entities will need to have an internal governance and control framework that ensures effective and prudent management of ICT risk.
00:05:12
Speaker
The management body of the financial entity will have responsibility for defining, overseeing, approving and implementing all arrangements related to the framework.
00:05:22
Speaker
Financial entities will also need to have a sound, comprehensive and well-documented ICT risk management framework in place to help enable them to address ICT risk quickly, efficiently and comprehensively.
00:05:34
Speaker
Further, there are also requirements to have mechanisms in place to detect anomalous activities promptly.
00:05:41
Speaker
For example, ICT network performance issues and ICT-related incidents.
00:05:45
Speaker
On that subject of incidents, firms will also need to have in place ICT-related incident management processes to detect, manage and notify ICT-related incidents and the ability to classify ICT-related incidents and their impact.
00:06:00
Speaker
Major ICT-related incidents will need to be reported to the financial entity's competent authority.
00:06:05
Speaker
And financial entities may also notify significant cyber threats to the relevant competent authority on a voluntary basis when the financial entity deems the threat to be of relevance to the financial system, to service users or to clients.
00:06:19
Speaker
Reporting will eventually be harmonised by the European supervisory authorities who will publish draft regulatory technical standards on this subject.
00:06:27
Speaker
Finally, there will also be requirements on financial entities to establish, maintain and review a sound and comprehensive operational resilience testing framework as an integral part of the entity's ICT risk management framework.
00:06:41
Speaker
Thanks, Claire.
00:06:41
Speaker
Some robust requirements there then.
00:06:44
Speaker
And turning now to the management of ICT third party risk, what principles are being introduced?

Key Provisions and Oversight for ICT Services

00:06:51
Speaker
So there are a number of key contractual provisions that financial entities will be required to put in place.
00:06:57
Speaker
In the EU legislators' view, despite the fact that many financial entities are subject to outsourcing rules already,
00:07:04
Speaker
there is an absence of clear and bespoke EU standards applying to the contractual arrangements concluded with ICT third-party service providers, so the external source of ICT risk is not comprehensively addressed at the moment.
00:07:17
Speaker
DORA sets out certain key principles to guide financial entities' management of ICT third-party risk, which are particularly important when outsourcing critical or important functions.
00:07:28
Speaker
These principles are complementary to sectoral law applicable to outsourcing.
00:07:33
Speaker
And Article 30 of DORA sets out the minimum requirements which financial entities are required to ensure are included in their contractual arrangements on the use of ICT services.
00:07:44
Speaker
The European supervisory authorities will also have the ability to designate certain third-party service providers that are critical for financial entities, following an assessment that takes into account certain criteria.
00:07:56
Speaker
Such criteria include the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider would face a large-scale operational failure to provide its services,
00:08:11
Speaker
and the degree of substitutability of the ICT third party service provider.
00:08:16
Speaker
Once a service provider has been designated as critical, it will be subject to the oversight of a lead overseer, which will be one of the European supervisory authorities.
00:08:24
Speaker
And that authority will have certain powers relating to the critical third party provider.
00:08:30
Speaker
As we mentioned earlier, third country ICT providers can also be designated as critical.
00:08:35
Speaker
And if they are, the third country provider must set up a subsidiary in the EU within 12 months of becoming designated.
00:08:42
Speaker
And there are express powers for the lead overseer which apply to third country providers.
00:08:47
Speaker
I'd also note just one point that designation as a critical ICT third party service provider won't apply to financial entities that are providing ICT services to other financial entities since they are already subject to supervisory mechanisms established by EU financial services law.
00:09:04
Speaker
Claire, thanks for explaining so clearly the key requirements of DORA.

Preparation for DORA's Implementation

00:09:08
Speaker
Now, what should financial entities be doing now ahead of the January 2025 deadline to be ready?
00:09:16
Speaker
So, as you say, the provisions of DORA will apply from 17th of January 2025.
00:09:21
Speaker
So that's when financial entities will become subject to the obligations that we've just discussed.
00:09:26
Speaker
I should flag that we haven't yet seen drafts of the technical standards.
00:09:31
Speaker
So there's quite a bit of detail yet to come, which financial entities should keep an eye out for.
00:09:36
Speaker
But firms can start thinking about the changes that they will need to make themselves in order to manage their ICT risk.
00:09:43
Speaker
So firms should start thinking about things like the internal governance and control framework and their ICT risk management framework and how those will be implemented.
00:09:53
Speaker
Institutions should also think about what systems will need to be put in place in order to ensure that financial entities can comply with their detection obligations and check whether their crisis communication plans are up to date.
00:10:05
Speaker
Firms should also start thinking about the ICT services that they outsource and whether any of those are services which support critical or important functions.
00:10:14
Speaker
The contractual agreements in place with ICT service providers are likely to need to be updated and it may be worth institutions starting to think about whether they should put in place template provisions which cover the minimum requirements.
00:10:27
Speaker
DORA does provide that there may be standard contractual clauses developed by public authorities for specific services, but it's possible that those won't be available for some time or cover all services that the institution receives.
00:10:40
Speaker
And then finally, financial entities might also start thinking about whether they might want to participate in any information sharing arrangements on cyber threat information and intelligence.
00:10:50
Speaker
DORA expressly provides that such information sharing arrangements might be set up,
00:10:54
Speaker
although these arrangements would need to protect the potentially sensitive nature of the information shared and be governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.
00:11:10
Speaker
Thanks.
00:11:10
Speaker
Some really helpful considerations there and obviously a lot of important steps that firms should be taking now, Claire.
00:11:19
Speaker
Thank you so much for joining me today to discuss DORA and for providing a deeper insight into all the requirements.
00:11:26
Speaker
And importantly, the steps financial entities will need to take for readiness.
00:11:30
Speaker
If clients do have any questions on this topic, please do follow up with your HSBC representative.
00:11:36
Speaker
Back to you.

Conclusion and Subscription Reminder

00:11:37
Speaker
Thanks, Gabriella.
00:11:38
Speaker
Thanks so much, Mhairi and Claire.
00:11:40
Speaker
And I totally agree.
00:11:41
Speaker
This is quite enlightening.
00:11:44
Speaker
I would like to thank you for listening to this edition in our series of DigiTalks podcasts.
00:11:48
Speaker
We hope that you enjoyed learning more about DORA.
00:11:51
Speaker
Stay tuned for more from our podcasts as we explore more trends in the coming weeks.
00:11:57
Speaker
Thank you for joining us at HSBC Global Viewpoint.
00:12:00
Speaker
We hope you enjoyed the discussion.
00:12:02
Speaker
Make sure you're subscribed to stay up to date with new episodes.