Event report: Roundtable on the Digital Operational Resilience Act
On 10 February, DIGITALEUROPE organised a roundtable that brought together a unique set of policymakers, regulatory agencies (ESAs), financial services and technology providers, to discuss the Digital Operational Resilience Act (DORA) that the European Commission published in September 2020. In total, 100 people joined us virtually.
DIGITALEUROPE’s response to the DORA consultation can be found here.
DIGITALEUROPE is at the forefront of cybersecurity, engaging with the revision of the NIS Directive. It is also a member of both ENISA’s Stakeholder Cybersecurity Certification Group and AI Cybersecurity Expert Group.
“Reporting should be clear, concise, based on real risk, not imaginary risk. This should not be a box-ticking exercise.”
All present agreed that DORA should be proportional to the intended goal of building digital resilience in the financial space. It should be balanced and drive towards resilience without limiting innovative solutions in the financial services sector. MEP Billy Kelleher noted that “we want to ensure that we do not make Europe less competitive or cut off innovation, creativity and research”, and that “the move to digitalisation allows for greater access to financial services by citizens.” He added that we “do not want a situation where companies and entities are consistently reporting events or breaches which may not be major in themselves. If there is a very strict obligation for reporting you could end up with companies reporting anything considered a risk, but which is not a major incident.” To get there, “we have to raise the bar to a point that will protect the integrity of our financial services, but at the same time does not burden financial services with reporting on a continuous basis because of a very low threshold.”
DIGITALEUROPE provides an opportunity for traditional sectors to cooperate closely with the technology industry under the umbrella of our association. This diversity results in invaluable insights and expertise being shared between industry peers. Our growing Digital Finance Working Group brings together cloud service providers, payment services providers, credit card networks and financial institutions, building up traction as a unique policy platform. DORA is of paramount importance to our members.
Policymakers and the wider industry are now actively discussing how DORA can enable digital change and innovation across the EU, whilst ensuring increased resilience. Our roundtable, timely as the European Parliament prepares its response, debated this key challenge and opportunity by providing a wide range of industry perspectives across the many aspects of digital operational resilience. Together, we aimed to answer some of the following questions, which can help to support the ongoing negotiations:
- How can we guarantee technological neutrality and proportionality in the new framework?
- How can the new oversight regime avoid being burdensome or unachievable for both enforcers and financial services? How can we ensure the regulation does not interfere with financial services embracing digital technology, like cloud computing?
A DIGITALEUROPE member proposed that “interaction between NIS and DORA could be done by giving ENISA a more enhanced role in the oversight process” and that “the role of ENISA as observer needs to be addressed, for example, by giving them full membership with voting powers.”
Some welcomed this idea and added that, since the finance sector is affected by many pieces of legislation and a plethora of obligations, it is important that this initiative aims at streamlining the obligations and requirements. The ENISA representative, Evangelos Ouzounis, noted that “NIS 2 and DORA have synergies and interfaces, and we are lucky to see both of them being negotiated at the same time. We can definitely fix overlaps and avoid problems.” Dirk Clausmeier, Head of IT Security at the German Finance Ministry, added that “a cyber security incident notification mechanism should – if possible – avoid double reporting duties for financial firms.”
Panelists discussed how cyber security incident notification mechanisms could also include immediate access to incident notifications for national competent authorities under the NIS Directive, which could potentially be done at the administrative level, since double reporting duties for financial firms should be avoided.
Furthermore, some stressed that “we need a framework that continues to allow institutions to adopt technology and that is risk-based” and that “the automatic termination of contracts is not a proportionate way to address the issue of oversight”; in fact, “automatic termination is not proportionate; it introduces legal uncertainty and it is bad for investment.”
DIGITALEUROPE recommends that supervisory powers leverage an effective mechanism which allows for the relevant expertise and inter-agency collaboration.
The EU framework will be the first of its kind globally, hence we strongly believe this demands an effective and well-coordinated effort to ensure its success. While we agree with the current proposal granting core oversight powers to the ESAs, which will help ensure the effectiveness of this approach, one may consider appointing only one ESA as Lead Overseer rather than three, to ensure capacity building and expertise. To avoid fragmentation, NCAs should not have additional oversight powers at the national level.
A unique platform for discussion
DIGITALEUROPE’s senior policy manager Vincenzo Renda moderated the discussion. Before the panel discussions were opened, AFME’s Director of Technology and Operations – David Ostojitsch – opened the roundtable, followed by a presentation of shared recommendations from both AFME and DIGITALEUROPE, voicing – in a unified way – the needs and concerns of the industries affected by DORA. These recommendations can be found here. Subsequently, the floor was given to:
- MEP Billy Kelleher, the rapporteur on DORA
- MEP Alfred Sant, shadow rapporteur on DORA
- MEP Frances Fitzgerald, shadow rapporteur on DORA
- Dirk Clausmeier, Head of IT Security, German Finance Ministry
- Boris Augustinov, European Commission DG FISMA B5
- Evangelos Ouzounis, ENISA, Head of Unit – Secure Infrastructures and Services
- Diogo Lencastre, Bank of Portugal
- Ksenia Duxfield-Karyakina, Google
- Maria Tsani, Amazon Web Services
- Matthew Field, JP Morgan
- Valerie Hoess, Deutsche Bank
- Bank of Slovenia
- ESAs (ESMA, EIOPA, EBA)
Striking the right balance
“The legislation should be focused on financial institutions’ core operational functions, which present objectively identifiable resilience risks.”
MEP Frances Fitzgerald added that “We have to find the right balance between technological neutrality, harmonisation and proportionality.” Dirk Clausmeier stressed that “new regulation may lead to new costs and efforts for the industry and the public sector, that is why it is important that they are proportionate.” He added that “it would be helpful to add into some of the provisions that they should be applied in line with the financial entity’s risk-profile.”
Still, there was consensus that businesses should be able to make their own choices for mitigating risks.
DIGITALEUROPE members argued that “getting the thresholds right is critical to avoid over-reporting, which has risks of its own” and thus “proportionality of testing requirements is key.” Ultimately, “disproportionate testing could create – not remove – the resilience risk that DORA is designed to mitigate. We believe that there needs to be technical nuance in how this provider participation in the customer testing would work in a multi-tenant environment.”
DIGITALEUROPE recommends that proportionality should be a unifying element across DORA’s provisions.
More discussion is needed on the balance to strike between prescriptive legislation and flexibility, to accommodate innovation. MEP Alfred Sant noted that: “The devil might be in the detail. In such a rapidly changing technological scenario, how feasible is it to establish detailed prescriptions in the level one text?”
“One should avoid regulating the technology itself; or one risks coming up with a regulation that will be too quickly outdated and not adapted to the needs of the firms on the ground.”
DIGITALEUROPE recommends that the date of application should be after the publication in the OJEU of the regulatory technical standards drafted by the ESAs.
The proposal for a 12-month period for compliance with DORA is unrealistic and inconsistent with DORA’s provisions, which foresee compliance with regulatory technical standards 12-36 months after DORA enters into force. We recommend postponing the date of DORA’s application to 24-36 months after the date of entry into force. This will ensure consistency and alignment with the application timelines for regulatory technical standards.
Alignment of regulatory requirements
MEP Alfred Sant argued that “we have to be careful about the alignment of DORA’s ICT incident reporting requirements with other incident reporting requirements, such as the GDPR, NIS and PSD2.” MEP Billy Kelleher raised concerns that “if there is confusion in terms of your obligation of compliance there is going to be confusion in terms of reporting and investigation.” He voiced concern that “we could end up with national competent authorities having an oversight role that is parallel to ESAs’ roles and that this will undermine the concept of what we are trying to do; to streamline the services.”
DIGITALEUROPE recommends an efficient and harmonised regulatory regime ensuring consistency among the different legislative initiatives on resilience and security.
DORA must not unnecessarily introduce duplication, complexity, or legal uncertainty, especially since the functioning of the proposed multi-layered Oversight Framework is already complex. In particular, the proposal for a revised NIS Directive has introduced substantial overlaps with DORA, which makes it crucial that policymakers design a clearer hierarchy between DORA and the NIS Directive for ICT providers.
MEP Frances Fitzgerald raised concern that “we do not want to close off third country digital solutions from EU financial institutions, but we also want to ensure the integrity of the single market and the digital resilience of our financial sector – which we want to grow of course”.
Ray Pinto – Director for Digital Transformation – concluded that DORA is developing a framework that recognises the global dimension of ICT operations, and that rules should not be restrictive: restrictive rules limit the choice of suppliers to a geographic location, which will handicap innovation.
DIGITALEUROPE recommends addressing the problematic language in the proposal that would dissuade firms from using third-country providers.
These provisions need to be clarified, as they would ultimately deter European firms from using global technology players, despite the quality and commercial benefits of their services, and would create competitive challenges for the EU market by denying its financial firms access to the benefits of global technology innovation.
Finally, DIGITALEUROPE would like to thank AFME for their invaluable contributions to this unique roundtable. We look forward to future cooperation.
Shared recommendations by DIGITALEUROPE and AFME
Revised Directive on Security of Network and Information Systems (NIS2)
OJEU stands for the Official Journal of the European Union