The European Parliament has started work on the Digital Operational Resilience Act (DORA), presented by the European Commission in September (see EUROPE 12567/4).
In his draft report, published on 17 March, MEP Billy Kelleher (Renew Europe, Ireland) argues for a framework that is proportionate to the risks and does not discourage the further digitisation of financial services in the EU.
The proposed regulation aims to strengthen and test the ICT risk management capabilities of financial entities, subject technology service providers deemed systemic to harmonised prudential requirements, and streamline the reporting of ICT-related incidents.
In the rapporteur’s view, the new framework should be flexible enough to take into account the new services and business models that may emerge in the near future.
It must also not hamper the competitiveness of the entities covered or the attractiveness of the EU, which must position itself as a key player on the digital scene, says Mr Kelleher.
To address these concerns, the draft text introduces several changes to the scope. In particular, it excludes small and medium-sized insurance and reinsurance undertakings, as well as small and medium-sized audit firms and statutory auditors.
The text also changes the structure of the new framework for the supervision of critical ICT third-party service providers.
The rapporteur also proposes that the roles of the “Oversight Forum”—established by the Joint Committee of the European Financial Supervisory Authorities (ESAs)—and “Lead Overseer” be merged into a single “Joint Oversight Executive Body” responsible for the day-to-day supervision of these providers and for preparing draft common positions and decisions. In addition, one of the ESAs would be designated as responsible for the legal adoption of decisions for each provider.
Otherwise, most of the powers that the Commission proposed to confer on these bodies, including the power to conduct on-site inspections, have been retained. However, certain safeguards have been added to ensure confidentiality and to minimise disruption to customers of these providers who are not themselves subject to the regulation, the rapporteur explains.
The conditions under which financial entities may use systemic technology service providers established in non-Member States have also been clarified. The text allows this provided that the third-country provider has a legal entity in the EU and that the provider and the financial entity have contractual arrangements in place.
Alignment of existing legislation
The draft report on the accompanying directive, which makes targeted changes to existing EU laws to align them with the ‘DORA’ regulation, was published on 18 March.
Its author, MEP Mikuláš Peksa (Greens/EFA, the Czech Republic), proposes adding two further amendments to the Commission’s proposal, including an amendment to the ‘BRRD’ directive on bank recovery and resolution that would mandate the European Banking Authority (EBA) to update its regulatory standards in the light of the new framework on digital operational resilience.
The rapporteur also proposes not to wait for a future Commission proposal and to amend the anti-money laundering directive now to specify that the internal controls and policies put in place by obliged entities must comply with the DORA regulation.
Mr Peksa supports the Commission’s proposal to amend the MiFID Directive to clarify that the definition of financial instrument can also include instruments based on Distributed Ledger Technology (DLT) when they qualify as financial instruments.
However, he believes that the criteria and conditions for qualifying as a cryptoasset should be specified by technical standards developed by the European Securities and Markets Authority (ESMA).
See the ‘Kelleher’ draft report: https://bit.ly/31ea8LI and the ‘Peksa’ draft report: https://bit.ly/3vRsPTo (Original version in French by Marion Fontana)