Following the publication earlier this year of our detailed analysis of the draft EU Digital Operational Resilience Act (DORA), ‘DORA: the why, what and what next’, we have been keeping a close eye on both the further development of the draft legislation and the broader changes affecting the legislative and regulatory framework relating to operational resilience across the UK and EU.

Since then, ongoing political negotiations of DORA in its draft form have led to the publication of two texts of the provisional agreements reached (published on 24 June and 7 July 2022) by the European Parliament (EP). It is expected that further consideration by the EP and the Council of the EU (CoEU) will be followed by the formal adoption process and DORA coming into force later this year.

One of the key proposed changes relates to the length of time for the implementation of the requirements laid down by the incoming legislation. The EP and the CoEU have agreed that the original 12-month implementation period for the majority of DORA’s requirements is too short; however, in relation to resilience testing requirements, there is disagreement as to whether 24 or 36 months would be most appropriate. It remains to be seen what the outcome will be. As businesses work towards meeting the requirements of the latest draft of DORA in anticipation of its imminent introduction, working towards the shorter 24-month period advocated by the CoEU would be prudent at this stage.

A key development since the publication of the original draft of DORA in September 2020 is that financial entities will need to conduct a business impact analysis of their exposure to severe business disruptions (Art. 4a). The requirement prescribes that such assessment should be carried out by applying both “quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate”. This may place an additional burden on financial entities operating within the EU to develop their testing methods further. There is an additional requirement in the ICT-related incident management process laid down by Article 15 to “record all ICT-related incidents and significant cyber threats” (Art. 15(2)). Financial entities may wish to notify the relevant competent authority about any such cyber threats on a voluntary basis if they deem them to be relevant to the financial system, service users or clients (Art. 22).

As we eagerly anticipate DORA coming into force, these and other requirements of the legislation are at the forefront of many of our financial service sector clients’ minds.

In other news relating to the broader spectrum of EU resilience legislation, in June 2022 the EP and the CoEU reached a political agreement on the EU Directive on the resilience of critical entities, which was first published in December 2022. The next stage is for the final draft to be finalised and formally adopted, at which point it will replace the current 2008 Directive that deals with the identification and designation of critical infrastructure.

Finally, the summer of 2022 also heralded the publication of a Discussion Paper by the PRA, FCA and BoE in July proposing that certain UK entities supporting the FS sector designated as ‘critical third parties’ should meet specific operational resilience requirements. Our article summarising the implications of the Discussion Paper can be read here.