The EU has issued a proposed regulation on digital operational resilience which may have practical implications for certain financial market infrastructure providers, including central securities depositories, central counterparties and trading venues.
As part of the EU digital finance strategy, the European Commission has issued a proposed regulation on digital operational resilience for the financial sector (the DOR Regulation). This sets out requirements for operational resilience and information and communications technology (ICT) risk management and seeks to consolidate and upgrade the ICT risk requirements contained within separate pieces of EU legislation. A copy of the draft DOR Regulation can be found here.
The DOR Regulation applies to a large number of EU financial entities, including central securities depositories (CSDs), central counterparties (CCPs), trading venues, MiFID investment firms, payment institutions and e-money institutions. In addition, some aspects of the DOR Regulation will impact upon entities which provide ICT services to EU financial entities.
We provided an overview of the DOR Regulation in a separate briefing available here.
In this briefing, we consider in more detail some of the proposed requirements for ICT risk management and ICT third-party service arrangements, as well as their potential implications for market infrastructure providers (MIPs), such as CSDs, CCPs and trading venues. In our view, the DOR Regulation is unlikely to have significant implications for MIPs, on the basis that many MIPs may, in fact, already have processes in place that would meet the minimum requirements proposed in the Regulation. However, in the short term, we think it would be prudent for MIPs to carry out a "gap analysis" to determine what (if any) amendments need to be made to their processes in order to comply with the more granular requirements proposed by the DOR Regulation.
Although the DOR Regulation will not come into force before the end of the Brexit transition period (i.e. before 11pm GMT on 31 December 2020) and therefore will not apply directly to UK MIPs, the EU measures likely indicate a strong direction of travel for UK-specific regulation in this area. This argument is supported by the Bank of England and the UK Financial Conduct Authority's recent focus on cyber security and other operational resilience issues (as well as the global focus on these topics from international organisations, such as IOSCO and the Financial Stability Board). In addition, from an industry and marketing perspective, UK MIPs might find that EU market participants will want to see UK MIPs demonstrating compliance with equally stringent rules.