In the autumn of last year, the EU issued a proposed regulation on digital operational resilience which is likely to have broad implications, not only for EU financial entities, but also for those which provide ICT services to such entities, including UK ICT service providers.
As part of the EU digital finance strategy, in the autumn of last year the European Commission issued a proposed regulation on digital operational resilience for the financial sector (DOR Regulation). This sets out requirements for operational resilience and Information and Communication Technology (ICT) risk management and seeks to consolidate and upgrade the ICT risk requirements in other separate pieces of EU legislation. A copy of the draft DOR Regulation can be found here.
The DOR Regulation applies to a large number of EU financial entities, including central securities depositories (CSDs), central counterparties (CCPs), trading venues, MiFID investment firms, payment institutions and e-money institutions. In addition, some aspects of the DOR Regulation will be relevant to entities which provide ICT services to EU financial entities.
We provided an overview of the DOR Regulation in a separate briefing, and also a separate look at the implications for market infrastructure. As set out in our other briefings, the DOR Regulation will see the introduction of an oversight mechanism for critical ICT third-party service providers ("critical" ICT service providers). In this briefing we will set out what a "critical" ICT service provider is, how this oversight mechanism is intended to work and the implications for critical and non-critical ICT third-party service providers both in the EU and third countries such as the UK.