Digital operational resilience - European Commission considers new rules for the financial sector | Perspectivas

11 May 2021 Reed Smith Client Alerts

Inicio Perspectivas Digital operational resilience - European Commission considers new rules for the financial sector

The European Commission’s proposal

The European Commission is considering amending the existing rules for the financial sector regarding digital operational resilience, with a view to unifying and strengthening the legal framework in this area.

Autores: Howard Womersley Smith Philip H. Thomas

The proposed change to legislation would amend the existing Network and Information Security (NIS) Directive and create a new regulation on digital operational resilience, known as the Digital Operational Resilience Act (DORA). The new rules would extend to 20 types of regulated EU financial entities, including fintechs.

The adopted act is open for public feedback until 18 May 2021. All feedback received will be summarised by the European Commission and will be presented to the European Parliament and Council with the aim of feeding this into the legislative debate.

Reasoning

The need for operational resilience has become more urgent due to the rapid digital growth in the fintech industry, for example, in the use of blockchain technologies. The current legislative framework for information and communication technology (ICT) risk and operational resilience across the financial services sector is fragmented and inconsistent, with different guidance from the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Market Authority. By harmonising the legal framework, the European Commission hopes to remedy this.

Objective

The proposed update to the EU legislation will help to ensure that the financial sector’s ICT systems are able to withstand security threats and that third-party ICT providers are monitored appropriately. It would also create a temporary regime for distributed ledger technology market infrastructures to enable European Supervisory Authorities and national authorities to better understand the opportunities and specific risks created by crypto-assets traded on those infrastructures.

Obligations under the proposed rules

Data protection and cybersecurity are named as two of the pillars of the European strategy for operational resilience. The new rules would address ICT risks and ensure a high level of technical security though:

Improving existing rules on:

Governance.
Risk management, including setting ICT risk tolerance levels and assigning roles and responsibilities for ICT-related functions.
ICT-related incident reporting – financial entities would be required to establish and implement management processes to monitor and log incidents and classify them based on criteria provided.

Introducing new requirements regarding:

Digital testing.
Information sharing.
Digitalt of ICT third-party risks, including an oversight framework for critical ICT third-party service providers to monitor digital risks. Contracts with third-party service providers would be required to contain certain provisions, for example a complete description of services, an indication of locations and the storage of data, and provisions on the security and protection of personal data.

Next steps

Reed Smith will continue to provide updates on this proposal. If you have any questions or queries in the meantime, please do not hesitate to contact us.

Client Alert 2021-132

Cheng, Cue named among top lawyers for DeSPAC transactions

Industrias

Servicios

Equipos comerciales

PitchBook: Reed Smith leads on PE transactions in healthcare

Digital operational resilience - European Commission considers new rules for the financial sector

You May Be Interested

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Herramientas para compartir contenido