The inherently cross-border nature of digital service solutions needs to be addressed by banks, regulators, and digital service providers on common ground, looking for the secure facilitation of financial service innovation across Europe. An appropriate and harmonized pan-European legal framework is key to facilitating the adoption of innovative technology.
Consequently, the EBF welcomes the European Commission’s aim to enhance operational resilience in Europe. The financial industry’s own considerations will benefit from more harmonized ICT-related rules at the European level, aligned with the existing supervisory framework. Detrimental fragmentation of the regulatory framework should be avoided, addressing risks consistently and proportionately across European jurisdictions without hampering the financial industry’s ability to apply innovative services.
With this position paper, the EBF addresses the proposal for a Regulation on digital operational resilience for the financial sector, as published by the Commission in September 2020.
KEY MESSAGES
• The EBF calls for a risk-based approach and the consistent application of the proportionality principle across DORA. (p. 8; p. 22; p. 23)
• The EBF calls for a fully harmonized cyber incident reporting framework. (p. 16)
• The EBF calls for an EU-wide mutually recognized digital operational testing framework. (p. 19)
• The EBF calls for an alignment of DORA’s requirement for financial entities with existing supervisory guidance under the EBA guidelines on outsourcing and ICT and security risk management. (p. 23)
• The EBF emphasizes the need for close attention to the additional burden implied for critical third-party providers’ (CTPPs) customers under the proposed oversight framework. Access to innovation must not be detrimentally limited due to disproportionate obligations and limits on provider selection. (p. 23, p. 29)
• The EBF understands an appropriately designed oversight framework for CTPPs to be of added value for TPP customers. (p. 30)
• The EBF emphasizes that termination of the contractual arrangement by the competent authority should not be a standard enforcement tool, since it carries significant risk. (p. 31)
• The EBF calls for enabling the establishment of meaningful and voluntary cyber threat information-sharing arrangements among trusted circles. (p. 35)
• The EBF believes that the numerous Regulatory Technical Standards (RTS) delegated to the ESAs should not be too prescriptive, providing flexibility in the measures they adopt. (p. 37)