EU financial regulators seek greater powers over tech providers

Out-Law News | 17 Feb 2021 | 2:26 pm | 4 min. read

EU financial regulators have called on legislators to simplify plans that involve bringing major technology providers within the scope of their regulation, and to provide them with the powers to enforce recommendations issued to providers concerning their digital operational resilience.

The joint letter, signed by Steven Maijoor, José Manuel Campa and Gabriel Bernardino, who chair the European Securities and Markets Authority (ESMA), European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA) respectively, concerns proposals for a new EU regulation on digital operational resilience for the financial sector, also known as the proposed Digital Operational Resilience Act (DORA), that were outlined by the European Commission last autumn.

Luke Scanlon, who specialises in financial services and technology law at Pinsent Masons, the law firm behind Out-Law, said: "The letter highlights that there is still a long way to go before the text of DORA can operate as a clear unified framework for governing ICT third party risk at EU level."

Under DORA, the EBA, EIOPA and ESMA would together be responsible for designating "the ICT third-party service providers that are critical for financial entities" (CTPPs), with designated providers becoming subject to oversight and regulation by the three authorities.

A 'lead overseer' would be responsible for checking whether the designated providers have in place "comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities", with a multitude of factors – from providers' physical security measures and governance arrangements, to their mechanisms for data portability and testing of ICT systems – relevant to that assessment.

The authorities would enjoy wide powers under their remit, including to compel information to be shared by providers, to conduct investigations including on-site inspections, and to make recommendations to providers on a broad range of issues – including potentially to call on providers to "refrain from entering into a further subcontracting arrangement" in certain circumstances.

An 'oversight forum' bringing together representatives from the three EU supervisory authorities would feed into individual cases and recommendations made to providers, while the proposals also envisage a follow-up role for national regulators in monitoring whether regulated firms take account of the risks identified in the recommendations made to their providers.

Providers that fail to comply with the lead overseer could face fines totalling hundreds of millions of euros in some cases: daily penalty payments are provided for under the proposed new regulation at the rate of "1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year" and those penalties could be levied repeatedly to account for each day of non-compliance for up to a total period of six months.

In their letter, the regulators said they "strongly support the establishment of an oversight framework to cover the ICT services that CTPPs provide to the financial sector", but warned that "the current proposal raises challenges on the practical functioning of the oversight framework".

Specific concerns include the complexity of the governance arrangements and decision-making processes, as well as the size and composition of the oversight forum and the technical expertise its members will need in order to perform their activities competently.

The regulators also said there is a need to ensure the oversight framework accounts for the fact that providers may operate across different financial services sub-sectors and to "clearly attribute the legal responsibilities that arise". They said it should be made clear that the regulatory remit extends only to the providers' activities in financial services and not to their activities in other sectors, and that the proposals should set out in detail how the three EU supervisory authorities (ESAs) should interact with other regulators, such as data protection authorities, that also have a role in regulating the CTPPs.

The regulators also said there was a need to ensure that recommendations made to CTPPs under the new regulatory framework could be enforced at EU level, as there is currently a "mismatch between the powers given to the ESAs to conduct their oversight work and the lack of powers relating to the follow-up process of their own recommendations".

"To the maximum extent compatible with existing frameworks, enforcement should be done at EU level, mirroring the oversight and promoting a coherent approach," the regulators said. "To this end, we propose far greater involvement for the ESAs in the follow-up process and the introduction of effective enforcement measures at EU level that can be applied directly to CTPPs. Enforcement actions against a CTPP could be endorsed by competent authorities through the Board of Supervisors of one or more of the ESAs."

"Moreover, DORA could allow for market transparency tools to strengthen the oversight framework and to encourage CTPPs to adhere to recommendations. For example, the ESAs could publish high-level information on the number and types of recommendations issued to each CTPP (acknowledging that the publication of the full recommendations could raise significant competition and confidentiality issues), along with the respective intention of each CTPP to follow those recommendations," they said.

Scanlon said: "As the ESAs have highlighted, the oversight framework needs to acknowledge more clearly that ICT third party providers can only be expected to comply with rules specific to financial services to the extent they provide services to financial entities and not in relation to their businesses generally."

"There is also a lot of uncertainty within the text about the roles and duties of the various supervisory and oversight bodies. The ESAs have roles as lead overseers, the regulators at member state have follow-up duties and oversight forums and joint committees are intended to be established. There is also overlap where ICT providers are regulated under the existing EU NIS Directive. At the moment DORA appears to be introducing a lot of complexity around supervision and oversight without clear justification as to why that complexity is necessary. Hopefully, amendments will be made which provide for more practical alternatives which are better aimed at protecting against digital operational risk," he said.