Operational resilience requirements in EU financial services are currently reflected in a variety of legislation and guidelines. This includes separate guidelines issued by the supervisory authorities – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) – which between them set out requirements around outsourcing, the use of cloud providers specifically, and ICT and security risk management.
The Commission's new proposals would apply a single set of overarching rules for financial entities around ICT risk management – including requirements around business continuity and disaster recovery; the reporting of major ICT-related incidents; digital operational testing – including stringent new obligations around penetration testing; and around management of third-party ICT risk.
In addition, requirements concerning the contractual arrangements concluded between ICT third-party service providers and financial entities would be harmonised, addressing issues such as audit rights, oversight of sub-outsourcing, data requirements, termination and exit strategies.
Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, said: "This is a major development which needs to be assessed very carefully as it will have a significant impact for the ways in which financial services are provided across the EU. At one level it is very promising to see an attempt to override the inconsistent, overlapping and confusing amount of different rules which apply to regulated entities in relation to operational resilience and outsourcing. Particularly for large financial groups, consistency across different sub-sectors – insurance, banking and securities markets – is to be welcomed."
Scanlon said the other significant aspect of the Commission's proposals on digital operational resilience concerns its plans to directly regulate major technology providers to financial entities for the first time.
Under the Commission's proposals, the EBA, EIOPA and ESMA would together be responsible for designating "the ICT third-party service providers that are critical for financial entities", with those providers designated falling subject to oversight and regulation by one of the three authorities.
The 'lead overseer' will be responsible for checking whether the designated providers have in place "comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities", with a multitude of factors – from providers' physical security measures and governance arrangements, to their mechanisms for data portability and testing of ICT systems – relevant to that assessment.
The authorities would enjoy wide powers under their remit, including to compel information to be shared by providers, to conduct investigations including on-site inspections, and to make recommendations to providers on a broad range of issues – including potentially to call on providers to "refrain from entering into a further subcontracting arrangement" in certain circumstances.
The regulated providers would be under a legislative duty to "cooperate in good faith" with the lead overseer and to assist it in the fulfilment of its tasks.