The three European Financial Supervisory Authorities (ESAs) have finished scrutinising the proposed Digital Operational Resilience Act (DORA) presented by the European Commission in September (see EUROPE 12567/4). They gave their verdict in a letter sent on Tuesday 9 February to the European Parliament, the Council of the EU, and the European Commission.
In principle, the ESAs say ‘yes’, but they also issued a warning: “The successful implementation of this EU-wide oversight framework requires granting the appropriate powers and mandate, along with the necessary resources and expertise”, they write.
The bill proposes the establishment of a new framework for the oversight of Critical Third Party Providers (CTPPs). To this end, it gives ESAs new powers: to carry out inspections on the premises of these providers, to issue recommendations, and to oppose certain arrangements that would affect the stability of the financial entity using the provider’s services.
First of all, according to the European authorities, a clarification is needed: “The proposed oversight role for ESAs is limited to the ICT risks which CTPPs may pose to financial entities, and the oversight currently envisaged will not amount to full supervision of CTPPs across their full range of activities”.
The complexity of the envisaged governance and decision-making process, which is divided between the Oversight Forum, the Joint Committee of ESAs, and the Boards of Supervisors of the individual ESAs, is also noted. Instead, the three authorities propose the creation of a common executive body for the ESAs which would integrate the role of the Oversight Forum and be responsible for the overall oversight work.
Another shortcoming identified in the letter is the mismatch between the powers given to the ESAs to carry out their oversight work and the lack of powers to follow up on their own recommendations.
At the same time, the authorities stress that the resources allocated are insufficient in the face of the scale and complexity of these new tasks, a situation that risks undermining the effectiveness of the oversight framework.
See the letter: https://bit.ly/2OuP00D (Original version in French by Marion Fontana)