DIGITALEUROPE's Response to the Joint European Supervisory Authorities Discussion Paper on DORA

Executive summary

This document offers DIGITALEUROPE’s contributions to the European Supervisory Authorities’ discussion paper on implementing measures under the Digital Operational Resilience Act (DORA). It focuses on aspects such as criticality criteria, degree of substitutability and oversight fees.

Indicative process for criticality assessment

• Clarity is needed in relation to how each criterion is weighted against the others. It would be challenging to accurately assess if the criteria are appropriate, without clarity on the weighting given to each criterion and the relationship between them. As a methodology for designation, it may be more appropriate for the criteria to be read sequentially. This can reduce the initial broad list of services considered. For example, criterion 1 focuses on identifying ICT services provided to financial entities that may have an impact on the “stability, continuity, or quality of the provision of financial services”. Yet, this factor is not reflected in the indicators 1.1 and 1.2, which instead focus only on whether all ICT services are received from the same ICT TPP. If the indicators for criterion 1 are revised, the initial review could reduce the list of services under consideration to only those impacting the stability, continuity, or quality of financial services. Following this, criterion 2 could be applied to further narrow down the list by assessing whether these relevant services are provided to G-SIIs and O-SIIs. Then, criterion 3 can then be applied, and the list may be further reduced by focusing on whether the listed services are for critical or important functions, and whether they are provided by the same source ICT TPP. A final round of reductions to the list could then be achieved by applying criterion 4. This involves removing references to services that are readily substitutable.
• We believe that it is necessary to consider the notion of “regionality” in the criteria. This triage would filter out TTPs that have a very high presence in a specific region, but whose presence is not as representative on a pan-European presence. An operational failure of this type of TPP would have a substantial negative impact in a certain region with a risk of contagion to financial institutions in other regions (due to their dependencies).

Criterion 1: Impact on Provision of Financial Services

• We recommend that indicators 1.2 and 1.3 include the notion of ‘supporting critical or important functions’. As proposed, the criticality criteria are not sufficiently risk-based. Ths may therefore cause an increase in oversight burden associated with a decrease in overall oversight quality. This is because such an approach would likely result in disproportionately lengthy lists of designated CTPPs, which are not necessarily linked to critical or important use cases.
• For example, we observe that criterion 1 does not have an association in step 1 with critical or important functions. As currently drafted, Indicator 1.3 does not align with DORA Art 31(2)(a). Further, Art 31(2)(a) is limited to the impact on the stability, continuity or quality of the provision of financial services. It does not extend to the impact on the services, activities and operation of financial entities generally (i.e. beyond their provision of financial services). Given that Indicators 1.1 and 1.2 are very broad (i.e. entailing any financial entities using the services), it is crucial that the Step 2 indicator is properly scoped and consistent with the focus of Art 31(2)(a).

Criterion 2: Importance of Financial Entities

• We believe that indicators 2.1 and 2.2 should address “reliance” on ICT services providers (as opposed to mere “use”). We suggest a replacement of the wording accordingly. As currently drafted, Indicators 2.1 and 2.2 do not align with DORA Art 31(2)(b). Art 31(2)(b) refers to financial entities that “rely” on the ICT TPP. Merely using an ICT service should not automatically equate to ”reliance”. The latter necessarily entails some level of impact on systemic or important activities if the ICT services were unavailable. It is crucial to address reliance in Indicators 2.1 and 2.2., since the Step 2 indicator only addresses interdependence between financial entities, and not the reliance each financial entity places on the ICT services.

Criterion 4: Degree of Substitutability

• We believe that indicators 4.1 and 4.2 require clear definitions of / thresholds for the terms of “alternative” or “complex / difficult”. These indicators are highly subjective. Without a common understanding of such terms, different financial entities using the same ICT services may report differently substitutability. This would compromise the reliability of these indicators.

Part II: Oversight Fees

• We believe considerations on oversight fees highlight the need for flexibility in estimating expenditure incurred, and the possibility to reassess fees from one year to another. The discussion paper valuably underlines the challenge of distinguishing between revenues generated by ICT services supporting critical functions on the one hand, and those supporting non-critical functions on the other hand. However, the paper does not propose an alternative criterion or method to determine the applicable turnover based on the criticality of functions supported by ICT services. Article 43 of DORA suggests that the fees shall cover the Lead Overseer’s necessary expenditure related to executing oversight tasks. Yet, the ESAs’ suggestion to take into account all CTPPs services would lead to a higher revenue base than the real oversight costs. This issue could be addressed by introducing a provision that includes ‘effort’ in the calculation of the fees. In this manner, the fees would be proportionate to the effort of the Lead Overseer in the execution of its tasks. In detail, this could be achieved by allocating hours/FTE days as a way to measure effort.

Methods of Calculation of the Oversight Fees

• We recommend that the Delegated Act focuses on providing more certainty about in-scope ICT services for the purposes of the fees. It would not be proportionate to set the basis for calculating the fees on the turnover generated by all the services provided by a CTPP, regardless of their relevance to DORA or financial entities. This is especially relevant since the ESAs contemplate that such revenue may not be limited to services provided to financial entities or even to users in the EU.