The following posts provide a snapshot of selected UK, EU and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.
European Commission calls on Member States to fully transpose EU DORA Directive
27 March 2025
The European Commission (EC) has announced that it has opened infringement procedures by sending a letter of formal notice to 13 Member States (Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the Digital Operational Resilience Act Directive (Directive 2022/2556) (DORA Directive). Member States had to transpose the DORA Directive into national law by 17 January. The Member States concerned now have two months to respond and to complete their transposition and notify their measures to the EC. In the absence of a satisfactory response, the EC may decide to issue a reasoned opinion, the second stage of the formal infringement procedure.
European Commission adopts RTS on the elements to assess when subcontracting certain ICT services under DORA
24 March 2025
The European Commission has adopted a Delegated Regulation supplementing Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. Articles 1 and 2 establish the rules on proportionality and group application. Article 3 sets out rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions. Article 4 establishes the description and the conditions under which ICT services supporting a critical or important function may be subcontracted. Articles 5 and 6 contain the rules on material changes to subcontracting arrangements of ICT services supporting critical or important functions and the provisions on the termination of the contractual arrangement. The Delegated Regulation will enter into force 20 days after its publication in the Official Journal of the EU.
RTS on criteria for the composition of joint examination teams under EU DORA published in OJ
24 March 2025
Commission Delegated Regulation 2025/420 has been published in the Official Journal of the EU. This Delegated Regulation supplements Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the European Supervisory Authorities and from the relevant competent authorities, their designation, tasks and working arrangements. The Delegated Regulation will enter into force on 13 April.
EU DORA guidelines on estimation of costs of major ICT-related incidents published
18 March 2025
Translations have been published of the joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines supplement the EU Digital Operational Resilience Act (DORA), which requires that financial entities report on request to their national competent authorities an estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines indicate how those estimations should be arrived at and include a related reporting template. The guidelines will apply from 19 May.
ESMA guidelines on maintenance of systems and security access protocols under MiCAR
26 February 2025
The European Securities and Markets Authority (ESMA) has published official translations of the guidelines on the maintenance of systems and security access protocols for offerors and persons seeking admission to trading of cryptoassets other than asset referenced tokens (ARTs) and e-money tokens (EMTs). The guidelines apply to competent authorities and to 'offerors' as defined in Article 3(1)(13) of the Markets in Crypto-Assets Regulation (MiCAR) and persons seeking admission to trading of cryptoassets other than ARTs or EMTs in relation to Article 14(1), point (d), of MiCAR.
The purpose of these guidelines is to specify the appropriate standards for offerors and persons seeking admission to trading who are not subject to the same operational resilience under MiCAR and the Digital Operational Resilience Regulation as their cryptoasset service provider and issuer counterparts. The guidelines include discussion of: (i) the general principle on proportionality; (ii) administrative arrangements and roles and responsibilities concerning systems and security access protocols; (iii) physical security access protocols; (iv) security access protocols for network and information systems; and (v) cryptographic key management.
The guidelines will apply from 27 April. National competent authorities must notify ESMA by 26 April whether they comply, do not comply but intend to comply or do not intend to comply with the guidelines. Offerors and persons seeking admission to trading are not required to report whether they comply with the guidelines.
ESMA guidelines on reverse solicitation under MiCAR
26 February 2025
The European Securities and Markets Authority (ESMA) has published official translations of its guidelines on situations in which a third-country firm is deemed to solicit clients established or situated in the EU and supervision practices to detect and prevent circumvention of the reverse solicitation exemption under the Markets in Crypto-Assets Regulation (MiCAR). The guidelines apply to competent authorities in relation to Article 61(3) of MiCAR. The guidelines include discussion of: (i) the means of solicitation; (ii) the fact that the solicitation may be carried out by the third-country firm itself or any person acting on its behalf or having close links with the third-country firm; and (iii) the construction of the concept of 'exclusive initiative of the client'. The Annex to the guidelines contains a non-exhaustive list of examples of circumstances where a third-country firm is likely to be regarded as soliciting clients in the EU.
The guidelines will apply from 27 April. National competent authorities must notify ESMA by 26 April whether they comply, do not comply but intend to comply or do not intend to comply with the guidelines.
EU DORA technical standards published
20 February 2025
Two delegated acts were published in the Official Journal of the European Union (OJ) in respect of the EU Digital Operational Resilience Act (DORA). These are:
- Commission Delegated Regulation (EU) 2025/301, which comprises regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.
- Commission Implementing Regulation (EU) 2025/302, which comprises implementing technical standards for the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.
Both sets of technical standards relate to ICT-related incident management, one of the key pillars of the DORA legislation, and are mandated by Article 20 of DORA, which seeks to harmonise reporting content and templates in relation to ICT-related incidents and cyber threats. The Delegated and Implementing Regulations will enter into force on the twentieth day following their publication in the OJ.
ESAs roadmap for designation of critical ICT third-party service providers under DORA
18 February 2025
The European Supervisory Authorities (ESAs) have published a roadmap for the designation of critical ICT third-party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). The roadmap covers key dates between now and the end of the year and sets out four milestones:
- By 30 April, the ESAs will collect the registers of information that financial entities submitted to the competent authorities.
- By the end of July, the ESAs will perform criticality assessments required under DORA and notify third-party service providers if they are classified as critical.
- By the first half of September, there will be a hearing period where ICT third-party service providers may object to the assessment, with a reasoned statement and supporting information.
- By the end of this year, the ESAs will have designated and published the list of CTPPs and started the oversight engagement.
Alongside the roadmap, the European Banking Authority published a press release confirming that ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published, with details of how to make such a request to be provided soon. The ESAs also plan to organise a workshop with ICT third-party providers in Q2 this year, with details to be published in due course.
European Commission adopts Delegated Regulation on RTS on threat-led penetration testing under DORA
13 February 2025
The European Commission (EC) has adopted a Commission Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to RTS specifying the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT). Article 26(11) of DORA mandates the European Supervisory Authorities (ESAs), in agreement with the European Central Bank (ECB), to develop joint draft RTS in accordance with the ECB's European framework for threat intelligence-based ethical red teaming (TIBER-EU framework) to specify further the following: (i) the criteria to identify financial entities required to perform TLPT; (ii) the requirements regarding test scope, testing methodology and results of TLPT; (iii) the requirements and standards governing the use of internal testers; and (iv) the rules on supervisory and other cooperation needed for the implementation of TLPT and for mutual recognition of testing. The Delegated Regulation will enter into force on the 20th day following its publication in the Official Journal of the EU. The ECB has also published an updated version of the TIBER-EU framework that aligns with the DORA RTS on TLPT.
European Banking Authority publishes amending guidelines on ICT and security risk management in the context of DORA
11 February 2025
The European Banking Authority (EBA) has published a final report with amending guidelines in respect of Guidelines EBA/GL/2019/04 on ICT and security risk management. The EBA reviewed the Guidelines in light of the Digital Operational Resilience Act (DORA), which introduced harmonised requirements for the ICT risk management framework (RMF), incident reporting, third-party risk management and testing for certain financial entities. The entities subject to DORA and the related RTS on the RMF overlap with those subject to the Guidelines. Therefore, to ensure transparency and legal certainty, the EBA reviewed the Guidelines and concluded that the entities subject to the Guidelines should be narrowed down, and the scope of the Guidelines should be reduced to cover certain institutions providing payment services which are not in scope of DORA, and guidelines on relationship management of payment services where this is not covered by the DORA requirements. The amending guidelines will be translated into the official EU languages and apply by two months after issuance (at the latest).
European Central Bank updates TIBER-EU framework to align with DORA RTS on TLPT
11 February 2025
The European Central Bank (ECB) has published an updated version of the threat intelligence-based ethical red teaming framework (TIBER-EU framework) (dated January) to align with the Digital Operational Resilience Act (DORA) RTS on threat-led penetration testing (TLPT) (see item above). The ECB also published a news item on the updated framework.
The TIBER-EU framework enables EU and national authorities to work with financial and other entities to put in place a programme to test and improve their resilience against sophisticated cyber-attacks. It also sets out detailed guidance on how to complete DORA TLPT in a qualitative, controlled and safe manner, applying a uniform approach across the EU. The updates introduced in the framework include: (i) aligning the process steps with the deliverables derived from the DORA RTS on TLPT; (ii) specifying purple-teaming as mandatory under TIBER-EU, as prescribed in the DORA RTS; (iii) introducing terminological changes to ensure consistency with DORA terminology, e.g., "White Team" to "Control Team"; (iv) providing advice on how to assess the quality of a provider in the updated Guidance for Service Provider Procurement; (v) moving away from the requirement for authorities that want to implement TIBER-EU to publish a full national implementation guide; authorities can instead refer to the adoption of the TIBER-EU documentation and publish a short implementation document described in the framework; and (vi) establishing TIBER-EU guidance documents to facilitate the implementation of different parts of the framework and to ensure a secure and controlled TLPT execution.
European Commission rejects draft technical standards on sub-contracting ICT services under Digital Operational Resilience Act
31 January 2025
The European Commission has published a letter (dated 21 January 2025) addressed to the Joint Committee of the European Supervisory Authorities (ESAs) rejecting certain draft regulatory technical standards (RTS) the ESAs submitted under the Digital Operational Resilience Act in July 2024. The draft RTS specified the elements which a financial entity should determine when subcontracting ICT services supporting critical or important functions. These include the overall risk profile of the financial entity and its services and operations, the need for due diligence processes and a risk assessment of service providers, and the need for a description of the services and the conditions under which they would be provided. The Commission rejected the draft RTS on the grounds that proposed Article 5, on subcontracting in relation to the chain of ICT subcontractors for critical or important functions, went beyond the scope of the mandate granted to the ESAs under DORA, because it introduced requirements not specifically linked to the conditions for subcontracting. The Commission has also proposed certain non-substantive drafting amendments to the draft RTS. The Commission intends to adopt the RTS once these modifications have been made by the ESAs.
European Supervisory Authorities approve terms of reference for new EU systemic cyber incident co-ordination framework forum under the EU Digital Operational Resilience Act
January 27, 2025
The European Supervisory Authorities have published the terms of reference for the EU systemic cyber incident co-ordination framework Forum established under the EU Digital Operational Resilience Act. The Forum will be composed of representatives of EU and national bodies, including the ESAs and the European Commission. The Forum is tasked with: (i) developing and maintaining documents, protocols, procedures, arrangements, taxonomy and plans to support co-ordination in case of crisis mode, taking into account the existing coordination frameworks and the cyber threat landscape; (ii) preparing the set-up of a dedicated ad-hoc group responsible for managing crisis mode; and (iii) exercising and testing the protocols and procedures to ensure continued preparedness in the event of activation of crisis mode. The terms of reference will be subject to review and endorsement by the Joint Committee and subsequent approval by the ESAs' Boards of Supervisors, and adapted to reflect any new developments, as relevant and appropriate, every two years. The terms of reference came into effect on January 17, 2025.
Financial Markets Standards Board publishes standard for sharing standard settlement instructions
January 27, 2025
The Financial Markets Standards Board (FMSB) has published the final version of its standard for sharing standard settlement instructions (SSIs). The standard establishes core principles which set out expected practices for the sharing of SSIs between market participants and also includes templates for manually shared SSIs for cash and securities. These core principles relate to: use of industry platforms; off-platform settlement; timing; data fields; data format; data validation; validity; governance and responsibility; and periodic review. The standard is intended to supplement existing laws, regulation and guidance and applies to FMSB member firms in respect of their own or their clients' SSIs.
UK Prudential Regulation Authority writes to domestic and international banks on its 2025 supervisory priorities
January 21, 2025
The Prudential Regulation Authority (PRA) has published a Dear CEO letter outlining its supervisory priorities for 2025 for domestic banks and international banks and large investment firms. The PRA's key areas of focus for 2025 include:
- Risk management, governance and controls: firms' senior management and boards need to ensure that their organizations have robust governance, risk management and controls frameworks in place that are adaptive and resilient, leveraging stress and scenario analyses to inform risk management, strategy and business planning. Firms are expected to have these frameworks in place across businesses, risk and internal audit functions, commensurate with the firm's business model. The PRA also notes that counterparty credit risk will remain an area of focus.
- Data risk: firms must continue to improve their ability to aggregate data to ensure that they have the information necessary to support holistic risk management, robust board decision-making, and accurate regulatory calculations. Throughout 2025 the PRA will continue to assess data accuracy.
EBA repeals guidelines on major incident reporting under the revised Payment Services Directive
January 17, 2025
The European Banking Authority (EBA) has announced that it has repealed its guidelines on major incident reporting under the revised Payment Services Directive (PSD2) due to the application of harmonized incident reporting under the Digital Operational Resilience Act (DORA). DORA introduced harmonized incident reporting requirements that apply to financial entities across the banking, securities/markets, insurance, and pensions sectors, including most payment service providers (PSPs). DORA also disapplies the incident reporting requirements under PSD2 for those PSPs. As such, the EBA has repealed the guidelines to simplify the reporting of major incidents by PSPs and provide legal certainty to the market. The EBA reminds firms that incident reporting requirements under PSD2 still apply for other types of PSPs, such as post office giro institutions and credit unions, that are not covered by DORA. The EBA notes that those PSPs that are still subject to PSD2 incident reporting requirements may be subject to national incident reporting requirements, regardless of the existence of the EBA guidelines. Competent national authorities willing to retain the incident reporting approach included in the EBA guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures.
EU joint report on the feasibility for further centralization of reporting of major ICT-related incidents
January 17, 2025
The European Supervisory Authorities have published a joint report on the feasibility of further centralization of the reporting of major ICT-related incidents by financial entities to competent authorities. The ESAs' joint report explores the potential for further centralization through the establishment of a single EU hub assessing the feasibility of three different models: (i) the baseline model; (ii) a model with enhanced data sharing arrangements; and (iii) a fully centralized model (i.e., an EU hub). The report considers the potential burden and cost reductions, as well as the efficiency and effectiveness gains that each model would bring for cross-sector supervisory practices.
European Supervisory Authorities dry run exercise on reporting registers of information under Digital Operational Resilience Act
December 17, 2024
The European Supervisory Authorities (ESAs) have published a summary report with the key findings from the 2024 Dry Run exercise on reporting the registers of information under DORA. The quality of data observed in the registers submitted by almost 1,000 financial entities across the EU was in line with the ESAs' expectations, considering the 'best effort' nature of the exercise. The ESAs are confident that the objective of having registers of sufficient quality in 2025 that would allow for the designation of critical third-party service providers is not out of reach, subject to some additional efforts from the industry. The ESAs advise that all industry stakeholders carefully consider the report and all supporting materials to aid in preparing to report the registers in 2025.
UK authorities consult on operational incident and third-party reporting
December 13, 2024
The Financial Conduct Authority, Prudential Regulation Authority, and the Bank of England have launched consultations on operational incident and third-party reporting. The regulators propose to establish a framework to enhance incident and third-party risk management, strengthen firms' operational resilience and minimize harm. To achieve this, the regulators propose a definition for an operational incident and introduce new material third-party reporting rules. The proposals introduce standardized reporting templates to allow the regulators to collect data which would be used to monitor and respond to potential risks arising from operational incidents and firms' increasing reliance on third parties.
The deadline for comments is March 13, 2025. The FCA intends to publish finalized rules in H2 2025. The PRA and the BoE propose that the implementation date for the proposals will be no earlier than H2 2026. You may like to see our client bulletin, "Operational incident reporting: UK financial regulators propose new rules", which goes into the details of these proposals.
European Supervisory Authorities Urge Financial Entities to Ensure Timely Compliance with EU Digital Operational Resilience Act
December 4, 2024
The European Supervisory Authorities (ESAs) have published a joint statement on the application of the EU Digital Operational Resilience Act (DORA). The ESAs emphasise that, as DORA does not provide for a transitional period, it is important for financial entities to adopt a robust, structured approach in order to meet their obligations in a timely manner. DORA, and the technical standards and guidelines supplementing it, applies from January 17, 2025. Financial entities are expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements. Financial entities should also prepare for the new reporting obligations. In particular, financial entities need to have their registers of ICT third-party providers' contractual arrangements available for competent authorities early in 2025, as the latter will have to report them to the ESAs by April 30, 2025. The ESAs note that competent authorities will supervise compliance with the DORA requirements in a risk-based manner considering the risk profile, size, complexity and scale of financial entities. The ESAs invite ICT third-party service providers, which consider they may meet the criticality criteria published in May, to assess their operational setup against DORA requirements. The first designation of critical third-party service providers is expected to take place in H2 2025.
Implementing Regulation on Standard Templates for the Register of Information
December 2, 2024
Commission Implementing Regulation 2024/2956 laying down Implementing Technical Standards for the application of the EU Digital Operational Resilience Act with regard to standard templates for the register of information, was published in the Official Journal of the European Union. Under Article 28(3) of DORA, as part of their ICT risk management framework, financial entities must maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information for all contractual arrangements on the use of ICT services provided by ICT third-party service providers. These ITS set out the standard templates for the register of information.
The European Commission rejected the European Supervisory Authorities' draft ITS in September on the basis that financial entities should have the choice of using either EU unique identifiers or legal entity identifiers. The ESAs published an opinion in October setting out their concerns for introducing the EUID as an identifier for these purposes. Nonetheless, the Implementing Regulation refers to financial entities using a valid and active LEI or EUID.
The Regulation enters into force on December 22, 2024, 20 days after publication in the Official Journal.
Mansion House: HM Treasury Publishes Remit and Recommendations Letter for Financial Policy Committee
November 15, 2024
HM Treasury has published a letter from Rachel Reeves, Chancellor of the Exchequer, to Andrew Bailey, Governor of the Bank of England, setting out the remit and recommendations for the Financial Policy Committee for 2024/25.
In the letter, Ms. Reeves states that: (i) the FPC should continue to prioritize its work to address systemic vulnerabilities in market-based finance and ensure that the BoE continues to cooperate with relevant authorities and across jurisdictions to increase resilience in a way that is consistent with supporting sustainable economic growth; (ii) the FPC should continue to focus on cyber and operational risks, noting the evolving threat landscape, including how this might increase these risks, and other potential impacts for financial stability; and (iii) the FPC should assess and identify areas where there is potential to increase the ability of the financial system to contribute to sustainable economic growth without undermining financial stability.
The letter sets out: (a) the matters that the FPC should regard as relevant to the BoE's financial stability objective, and the responsibility of the FPC in relation to the achievement of that objective; (b) the responsibility of the FPC in relation to support for the U.K. government's economic policy; and (c) matters to which the FPC should have regard in exercising its functions. The FPC must respond to the government, describing any action it has taken or intends to take in response to a specific recommendation.
UK Regulators Finalize Rules on Critical Third Parties to the UK Financial Sector
November 12, 2024
The Prudential Regulation Authority and Financial Conduct Authority have published a joint policy statement on operational resilience for critical third parties (CTPs) in the U.K. financial sector, which includes their final rules for CTPs. The overall objective of the final policy is to manage risks to the stability of, or confidence in, the U.K. financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to one or more authorised persons, relevant service providers and/or financial market infrastructure entities.
The rules will take effect from January 1, 2025, but will only apply to individual CTPs from the date their HM Treasury CTP designations come into force. HM Treasury has not yet made any such CTP designations.
European Commission Adopts Regulatory Technical Standards on Conduct of Oversight Activities under EU Digital Operational Resilience Act
October 24, 2024
The European Commission has adopted a Commission Delegated Regulation supplementing the EU Digital Operational Resilience Act (DORA) with regard to Regulatory Technical Standards (RTS) on harmonization of conditions enabling the conduct of the oversight activities. The RTS cover: (i) the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical; (ii) the information to be submitted by the ICT third-party service providers that is necessary for the Lead Overseer to carry out its duties; and (iii) the details of the competent authorities' assessment of the measures taken by critical third-party providers based on the recommendations of the Lead Overseer. Separate RTS will be adopted focusing on the criteria for determining the composition of the joint examination team, their designation, tasks, and working arrangements. The Delegated Regulation shall enter into force 20 days after publication in the OJ. DORA will apply as of January 17, 2025.
European Commission Adopts Implementing Technical Standards and Regulatory Technical Standards on Notification of Major ICT-Incidents and Cyber Threats under EU Digital Operational Resilience Act
October 23, 2024
The European Commission has adopted the following legislation supplementing the EU Digital Operational Resilience Act (DORA): (i) a Commission Delegated Regulation containing Regulatory Technical Standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and (ii) a Commission Implementing Regulation laying down Implementing Technical Standards with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. The Council of the European Union and the European Parliament will now scrutinize the Delegated Regulation. If neither objects, it will be published in the Official Journal of the European Union. The Implementing Regulation will be published in the Official Journal without further scrutiny. Both Regulations will enter into force 20 days after publication in the Official Journal of the European Union. DORA will apply as of January 17, 2025.
Financial Stability Board Letter to G20 Finance Ministers and Central Bank Governors – Cyber and Operational Resilience
October 22, 2024
The Financial Stability Board (FSB) has published a letter sent to G20 finance ministers and central bank governors providing an update on various workstreams, including on cyber and operational resilience. The FSB notes that cyber and operational resilience risks continue to pose a threat to financial stability and is therefore delivering, for public consultation, a common Format for Incident Reporting Exchange (FIRE). FIRE is designed to enhance convergence in incident reporting, address operational challenges arising from reporting to multiple authorities and foster better communication amongst authorities. After public consultation, the FSB expects to publish the final version of FIRE by Q2 2025. The FSB's other publications include: (i) G20 status reports on crypto-asset policy implementation; (ii) a report on the financial stability implications of tokenisation; (iii) G20 roadmap progress reports on cross-border payments; and (iv) a report on lessons learned from the March 2023 banking turmoil.
Revised Eurosystem Cyber Resilience Strategy Published
October 18, 2024
The Eurosystem revised its cyber resilience strategy to further address evolving cyber threats. The revised strategy updates the original 2017 Strategy taking account of the evolving threat landscape and leveraging industry best practices, lessons learnt from the original strategy and the practical application of the Cyber Guidance issued by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions.
Revisions to the strategy include: (i) the incorporation of new non-FMI entities that are overseen under the Eurosystem oversight framework for electronic payment instruments, schemes and arrangements – the PISA framework. These entities are encouraged to use tools developed by the Eurosystem to periodically assess and continuously enhance their cyber resilience; (ii) measures to address threats linked to geopolitical tensions or technological innovation such as artificial intelligence and quantum computing; and (iii) amendments to take into account recent EU regulation, namely the EU Digital Operational Resilience Act, which applies to certain FMIs covered by the strategy including central securities depositories and central counterparties. The strategy also includes a new overarching component for monitoring implementation, which is designed to promote harmonisation.
Topic: Operational Resilience -
European Central Bank Publishes Paper on TIBER-EU and EU Digital Operational Resilience Act Requirements
September 26, 2024
The European Central Bank has published a paper outlining how the European framework for threat intelligence-based ethical red teaming, the TIBER-EU framework, can help competent authorities and financial entities fulfil their threat-led penetration testing requirements under the EU Digital Operational Resilience Act. TIBER-EU is a common European framework that delivers a controlled, bespoke and intelligence-led red team test of financial entities' critical live production systems. It was established as a tool for testing and improving key elements of the cyber resilience of participating financial entities, while focusing heavily on the learning opportunities provided by the testing. The ECB suggests that guiding and performing threat-led penetration testing on the basis of the DORA regulatory technical standards alone will be challenging given the high standards required by such tests but that TIBER-EU will alleviate these difficulties to a large extent and provides a framework that can be used to fulfil the DORA threat-led penetration testing requirements. The paper considers the benefits of the TIBER-EU framework for authorities and financial entities subject to DORA.
Topic: Operational Resilience -
European Central Bank Supervisory Board Speech on Banks' Operational Resilience
September 4, 2024
The European Central Bank has published a speech by Frank Elderson, ECB Executive Board member and Supervisory Board Vice-Chair, on banks' operational resilience. Operational resilience has become a key priority for regulators globally. Mr Elderson notes that the EU's Digital Operational Resilience Act, which applies from January 17, 2025, will significantly enhance IT and cyber risk management. However, the ECB's cyber resilience stress test earlier this year illustrated that there is scope for improvement, and the ECB appeals to Eurozone banks to prioritize operational and cyber resilience.
Topic: Operational Resilience -
Final Technical Standards on Subcontracting ICT Services Under the EU Digital Operational Resilience Act
July 26, 2024
The European Supervisory Authorities have published a final report on draft regulatory technical standards to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of the Digital Operational Resilience Act. The draft RTS set out requirements when the use of subcontracted ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers is permitted by financial entities and set out the conditions applying to such subcontracting. In particular, the draft RTS require financial entities to assess the risks associated with subcontracting during the precontractual phase, which includes the due diligence process.
The draft RTS also set out requirements regarding the implementation, monitoring, and management of contractual arrangements regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereof, ensuring that financial entities are able to monitor the entire ICT subcontracting chain of ICT services supporting critical or important functions. The ESAs will now submit the draft RTS to the European Commission for adoption.
Topic: Operational Resilience -
King's Speech 2024
July 17, 2024
The King's speech to Parliament sets out the new government's legislative program. The government has published background briefing notes relating to the King's Speech, providing a summary of the legislation to be brought forward. The Bills announced, in relation to financial services, include:
- A Bank Resolution (Recapitalisation) Bill, which would aim to enhance the U.K.'s resolution regime, providing the Bank of England with a more flexible toolkit to respond to the failure of small banks. The Bill would expand the statutory function of the Financial Services Compensation Scheme to provide funds to the BoE upon request, to be used where necessary to support the resolution of a failing bank. The FSCS would then recover the funds provided by charging levies on the banking sector, similar to the current arrangements for funding depositor pay-outs in insolvency. Credit unions will not be in scope of this levy. The BoE will also be provided with the power to require a bank in resolution to issue new shares, facilitating the use of FSCS funds to meet a failing bank's recapitalization costs.
-
European Supervisory Authorities Finalize Second Set of Technical Standards and Guidelines Under Digital Operational Resilience Act
July 17, 2024
The European Supervisory Authorities have published the final reports for the second collection of policy materials under the Digital Operational Resilience Act. These are the:
- Final report on draft regulatory technical standards and implementing technical standards on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats under Article 20 DORA.
- Final report on draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(c) DORA.
- Final report on draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(a), (b) and (d) of DORA.
- Final report on draft RTS specifying elements related to threat-led penetration tests under Article 26(11) DORA.
- Final report on joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Article 11(11) DORA.
Topic: Operational Resilience -
EU Technical Standards on classification of ICT-Related Incidents, Contractual Arrangements Policy and Risk Management Tools Published
June 25, 2024
The following three regulatory technical standards supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
- RTS on the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (Delegated Regulation 2024/1772).
- RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (Delegated Regulation 2024/1773).
- RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework (Delegated Regulation 2024/1774).
The Delegated Regulations will enter into force on July 15, 2024, the twentieth day following their publication in the Official Journal.
Topic: Operational Resilience -
EU Consultation on Draft Technical Standards for Operational Risk Loss under Third Capital Requirements Regulation
June 6, 2024
The European Banking Authority has opened a consultation on a package of draft regulatory technical standards that aim to standardize the collection and the record of operational risk losses and to provide clarity on the exemptions for the calculation of the annual operational risk loss and on the adjustments to the loss data set that banks must perform in case of merged or acquired entities or activities. The package consists of:
- Draft RTS on establishing a risk taxonomy on operational risk, which provide a list of operational risk event types, categories, and attributes that institutions must use when recording operational risk loss events in line with the current framework and the international standards.
- Draft RTS on the conditions under which it would be unduly burdensome for an institution to calculate the annual operational risk loss. In such cases, the draft RTS allow for a temporary waiver from the requirement to calculate the annual operational risk loss.
- Draft RTS on the adjustments to an institution's loss data set following the inclusion of losses from merged or acquired entities or activities, which provide indications on the currency and the risk taxonomy to be used when incorporating the loss data set of merged entities or activities.
The deadline for comments is September 6, 2024. The EBA intends to finalize the draft RTS by the end of 2024. -
UK Prudential Regulation Authority Delays Publication of Second Resolvability Assessment Due to General Election
June 6, 2024
The Prudential Regulation Authority has published a modification by consent of Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook. The PRA explains that, as with previous general elections, it will be following the Cabinet Office's election guidance, which includes limiting communications activities until after the election. In line with this approach, the Bank of England and PRA have chosen to delay publication of the second Resolvability Assessment Framework assessment of the major U.K. banks to early August. The publication of the BoE's assessment was due by June 14, 2024, alongside firms' own public disclosures (as required by Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook). As such, the PRA is offering a modification by consent to delay the deadline for firms to publish their RAF disclosures from the second Friday in June, to the second Friday in August at the latest. Each firm that wishes to take advantage of this modification should consider the terms of the direction. -
International Organization of Securities Commissions Report on Trading Venues' Resilience
June 5, 2024
The International Organization of Securities Commissions has published its final report on market outages. The report examines key findings from recent market outages on listing trading venues in IOSCO jurisdictions and builds on past IOSCO work on operational resilience and business continuity planning to identify good practices for listing trading venues that may enhance market-wide resilience in the event of a market outage.
The good practices include: (a) establishing and publishing an outage plan; (b) implementing a communication plan, which provides, through an appropriate communication channel, initial notice (as soon as practicable) of the outage to market participants and the general public and, thereafter, regular updates to all market participants on the status of the outage and the recovery pathway; (c) communicating information relevant to the reopening of trading in a timely and simultaneous manner to all market participants, providing clarity on the status of orders and ensuring an adequate period of notice before the resumption of trading; (d) ensuring the processes and procedures that trading venues will follow to operate a closing auction and/or to establish alternative closing prices are published in the outage plan and communicated to all market participants during an outage; and (e) conducting, and sharing with the relevant regulators, a lessons-learnt exercise on the market outage and adopting a post-outage plan, with clearly defined timelines and allocation of responsibilities for remediation, designed to reduce the likelihood of future incidents and to improve the ability of the trading venue to effectively respond to outages.
-
European Central Bank Consults on Draft Guide on Outsourcing Cloud Services
June 3, 2024
The European Central Bank has opened a consultation on a draft guide on outsourcing cloud services to cloud service providers. The guide aims to clarify both the ECB's understanding of related legal requirements, including those under the EU's Digital Operational Resilience Act and the Capital Requirement Directive, and its expectations for the banks it supervises. The guide sets out detailed supervisory expectations, drawing on risks and best practices observed in the context of ongoing supervision and dedicated on-site inspections. It covers topics including: (i) the governance of cloud services; (ii) the availability and resilience of cloud services; (iii) ICT security, data confidentiality and integrity; (iv) exit strategy and termination rights; and (v) oversight monitoring and internal audits. The deadline for comments is July 15, 2024. -
Delegated Regulations under the EU Digital Operational Resilience Act Published
May 30, 2024
The following Delegated Regulations supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
- Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities.
- Delegated Regulation (EU) 2024/1505 determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.
Both Delegated Regulations will enter into force on June 19, 2024, except for the systemic assessment sub-criterion on the ICT third-party service provider's dependency on subcontractors, which will be effective as of January 16, 2025.
Topic: Operational Resilience -
UK Financial Conduct Authority Shares Insights on Firms’ Preparations for Operational Resilience
May 28, 2024
The Financial Conduct Authority has set out its observations and insights on the preparations firms have made towards complying with its operational resilience rules ahead of March 31, 2025. The FCA expects firms to use these observations to review their approach and assess their readiness on the following key areas of the policy:
- important business services;
- impact tolerance;
- mapping and third parties;
- scenario testing;
- vulnerabilities and remediation;
- response and recovery plans; and
- governance and self-assessment.
Topic: Operational Resilience -
UK Approach to Critical Third-Party Supplier Designation Published
03/31/2024
The Financial Services and Markets Act 2023 established a framework for the regulation of third parties who provide significant services to financial institutions, giving HM Treasury power to designate an entity as a "critical third party" if its failure would pose financial stability or confidence risk to the U.K. We discussed this in our client note, "The U.K.'s New Regime for Critical Third Party Supervision". HM Treasury published on March 21, 2024, its policy approach to designation of critical third parties.
When designating CTPs, HM Treasury is required by the FSM Act 2023 to consider the materiality of the third party's services to the delivery of essential activities, services or operations in the financial sector as well as the number and type of licensed firms to which the services are provided. This is a process where HM Treasury carries out the designation; a "critical third party" is not a status that firms would apply for. The policy paper sets out the process for designation, including receipt of a recommendation from one of the financial regulators and assessment of the basis for making a designation decision. HM Treasury discusses how it will engage with the relevant third-party service provider and the regulators, including communicating its decision. The process for de-designating a critical third party is also described.
-
UK Regulators Propose Rules for Supervising Critical Third Parties
12/12/2023
Following feedback to their July discussion paper, the U.K. regulators—the Bank of England, Prudential Regulation Authority and Financial Conduct Authority—have launched a joint consultation proposing rules and regulatory expectations for critical third parties. This follows concerns that the financial sector relies heavily on unregulated service providers, particularly in the IT sector, for critical infrastructure whose failure could cause systemic issues or customer issues. The Financial Services and Markets Act 2023 gave HM Treasury powers to designate an entity as a "critical third party" if its failure would pose financial stability or confidence risk to the U.K. and the regulators will have new direct powers over third parties that provide critical services to authorized firms, their service providers and financial market infrastructures. The regulators' rules would only apply to the services provided by a CTP to one of those firms. Responses to the consultation may be submitted until March 15, 2024.
-
First Commencement Regulations Under UK Financial Services and Markets Act 2023
08/03/2023
The Financial Services and Markets Act 2023 (Commencement No. 1) Regulations 2023 were made on July 10, 2023 and will bring into force provisions under the Financial Services and Markets Act 2023 (which we discuss in our client note, "A Boost for U.K. Financial Services: The U.K. Financial Services and Markets Act 2023") from either July 11, 2023, August 29, 2023 or January 1, 2024.
-
UK Regulators Propose Requirements for Critical Third Parties' Services to UK Regulated Firms
07/21/2022
The Bank of England, Prudential Regulation Authority and Financial Conduct Authority (together, the supervisory authorities) have published a discussion paper proposing measures to supervise and enhance the resilience of critical third parties (CTPs) to the U.K. financial sector. Responses to the discussion paper may be submitted until December 23, 2022. The supervisory authorities intend to consult on proposed requirements for CTPs in 2023.
Currently, the supervisory authorities' direct powers over entities providing critical services to U.K. authorized firms, their service providers (authorized e-money institutions, payment institutions and registered account information services) and financial market infrastructures (together, U.K. regulated firms) are limited. The Financial Services and Markets Bill, introduced to Parliament yesterday, would grant HM Treasury and the supervisory authorities new express powers to oversee such third parties. HM Treasury will be able to designate an entity as a CTP if it provides services to U.K. regulated firms and its failure would pose financial stability or confidence risk to the U.K.
-
European Systemic Risk Board Publishes Recommendation on Pan-European Systemic Cyber Incident Coordination Framework
01/27/2022
The European Systemic Risk Board has published a Recommendation on a pan-European systemic cyber incident coordination framework for EU national regulators. The ESRB observes that major cyber incidents may pose a systemic risk to the financial system, as they are capable of disrupting critical financial services and operations. This could in turn lead to contagion or an erosion of confidence in the financial system. The COVID-19 pandemic has also brought the threat of cyber incidents to the fore, as the number of cyber incidents reported to the ECB increased by 54% between 2019 and 2020. The Recommendation aims to build on the proposed roles of the European Supervisory Authorities under the EU's proposed Regulation on digital operational resilience for the financial sector. DORA is intended to strengthen digital operational resilience considering the risks arising from the increase in digital opportunities within the financial sector.
-
European Supervisory Authorities Publish Joint Response on Proposed EU Digital Operational Resilience Act
02/09/2021
The European Supervisory Authorities (the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority) have published a letter to the European Parliament, the Council of the European Union and the European Commission, setting out responses to the proposed EU Digital Operational Resilience Act, a new piece of EU regulation on digital operational resilience for the financial sector. The European Commission first published the draft DORA in September 2020. It forms part of the European Commission's digital finance strategy, which aims to embrace digital finance for the benefit of consumers and businesses while ensuring digital transformation is soundly regulated. The DORA is particularly focused on combatting risks arising from information and communication technologies in order to protect operational resilience and the performance of the financial system.
Topic: Operational Resilience -
European Commission Proposals for Digital Operational Resilience Regulation and Amending Directive
09/24/2020
The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed as a result of the risks arising from the increase in digital opportunities within the financial sector. There are currently no detailed rules at EU level on digital operational resilience, exposing the need for comprehensive and harmonized legislation governing this area.
-
Basel Committee on Banking Supervision Proposes Principles for Operational Risk
08/06/2020
The Basel Committee on Banking Supervision has opened a consultation on proposed principles for operational resilience and updated Principles for the Sound Management of Operational Risk (PSMOR). The consultation closes on November 6, 2020.
-
UK Conduct Regulator Update on COVID-19 Response and 2020 Expectations
06/04/2020
The U.K. Financial Conduct Authority’s Executive Director of Supervision for Investment, Wholesale and Specialists, Megan Butler, has given a speech setting out the FCA’s current priorities, its expectations of firms during the COVID-19 pandemic and the outcomes it is focusing on for the wealth management sector, as well as the future priorities for financial regulation.
The FCA initially prioritized immediate relief for firms and consumers, including on mortgages and unsecured lending products, at the outset of the COVID-19 crisis, but is now looking at how it will respond to the challenges of COVID-19 on a more long-term basis. This longer-term approach includes ensuring a good level of operational resilience (in line with the FCA’s ongoing consultation on that topic), that markets can continue to function well, that customers are treated fairly and protected from scams and that the FCA understands firms’ financial resilience so that they can fail in an orderly manner.
-
UK Regulators Launch Consultation on Operational Resilience in Financial Services
12/05/2019
The Bank of England, U.K. Prudential Regulation Authority and U.K. Financial Conduct Authority have published a shared policy summary and consultation papers on strengthening operational resilience in the financial services sector. The consultation impacts banks, building societies, PRA-designated investment firms, firms subject to the Solvency II Directive, recognized investment exchanges, CCPs, central securities depositories, payment system operators, FCA enhanced scope SM&CR firms and entities authorized and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011. Responses to the consultation should be submitted by April 3, 2020.
-
UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector
11/23/2018
The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.
The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.
Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.