Article 39 Digital Operational Resilience Act (DORA), International Cooperation

Article 39 of the Digital Operational Resilience Act (DORA) addresses the importance of international cooperation in managing ICT third-party risks across financial sectors. This article outlines the roles and responsibilities of the European Supervisory Authorities (ESAs) in fostering collaboration with third-country regulatory and supervisory authorities and in reporting on the outcomes of these international engagements.

Administrative Arrangements For International Cooperation

The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) are empowered to establish administrative arrangements with regulatory and supervisory authorities from third countries. These arrangements are designed to enhance international cooperation on managing ICT third-party risks that affect multiple financial sectors.

These administrative arrangements will be developed in line with Article 33 of Regulations (EU) No 1093/2010, No 1094/2010, and No 1095/2010, which provide the framework for the ESAs’ interactions with non-EU authorities. The primary goal of these arrangements is to promote collaboration in reviewing ICT risk-management practices and controls, evaluating mitigation measures, and responding to incidents.

Through these arrangements, the ESAs and their international counterparts will work together to establish and refine best practices for managing ICT risks. This collaborative approach is essential for addressing the complexities of ICT third-party risks that span across different jurisdictions and sectors. By sharing knowledge and experiences, the ESAs and third-country authorities aim to enhance the overall resilience of the financial sector to ICT-related challenges.

Reporting and Analysis of International Cooperation

Every five years, the ESAs, through their Joint Committee, are required to prepare and submit a confidential report to the European Parliament, the Council, and the European Commission. This report will summarize the findings from discussions and interactions with third-country authorities, focusing on the evolution of ICT third-party risks and their implications for financial stability, market integrity, investor protection, and the functioning of the single market.

The confidential report will provide a comprehensive overview of the key issues identified in international discussions, including emerging trends and challenges in ICT risk management. It will also assess how these risks impact the stability and integrity of financial markets and the protection of investors. By analyzing these aspects, the report will help inform EU policymakers and stakeholders about the global landscape of ICT third-party risks and guide the development of effective regulatory measures.

The periodic nature of the report ensures that there is an ongoing evaluation of international cooperation efforts and their effectiveness. It also provides a platform for sharing insights and lessons learned from global interactions, which can be used to refine existing practices and enhance the overall resilience of the financial sector.

Conclusion

Article 39 of DORA underscores the significance of international collaboration in managing ICT third-party risks. By facilitating administrative arrangements with third-country authorities and producing detailed reports on international discussions, the ESAs aim to strengthen global cooperation and improve the resilience of the financial sector against ICT-related threats. This approach ensures that both EU and non-EU jurisdictions can work together to address shared challenges and enhance the stability and security of the global financial system.