Article 53 Digital Operational Resilience Act (DORA), Amendments To Regulation (EU) No 648/2012

Sep 12, 2024

The Digital Operational Resilience Act (DORA) aims to bolster the cyber resilience of financial entities across the European Union. It brings amendments to various regulations, including Regulation (EU) No 648/2012, to ensure institutions remain operational even during severe disruptions. These amendments, detailed in Article 53 of DORA, introduce several changes to ensure the integration of digital resilience into organizational structures, particularly focusing on the ICT (Information and Communication Technology) systems used by financial entities.

Amendments to Article 26: Organisational Structure of CCPs

The first significant amendment to Regulation (EU) No 648/2012 involves Article 26, which outlines the organizational structure requirements for Central Counterparties (CCPs). The new amendment replaces the existing paragraph 3, underscoring the importance of ICT systems in maintaining continuity.

  • Paragraph 3: The updated provision mandates that CCPs maintain an organizational structure capable of ensuring the continuous and orderly performance of their services. More importantly, the use of ICT systems must now be aligned with the standards set forth in DORA, and it must be proportionate and appropriate to the scale of the CCP’s activities. This adjustment aims to improve the digital resilience of CCPs, making their operations more robust and better protected against cyber threats.
  • Deletion of Paragraph 6: Additionally, paragraph 6 of Article 26 has been deleted. This removal signifies a streamlined approach to the requirements governing CCPs, focusing on operational efficiency and adaptability.

DORA Compliance Framework

Amendments to Article 34: Business Continuity and Disaster Recovery for CCPs

Article 34 has also been revised to emphasize the role of ICT in business continuity and disaster recovery planning. The changes aim to ensure that CCPs are better prepared to handle disruptions in their operations, particularly those stemming from cyber incidents.

  • Paragraph 1: The amended provision requires that CCPs establish, implement, and maintain robust business continuity and disaster recovery plans, with specific reference to ICT systems. These ICT business continuity and disaster recovery plans must comply with DORA, ensuring the timely recovery of operations and the fulfillment of obligations in the face of unforeseen disruptions. This change signifies a shift in regulatory focus towards the importance of technology in maintaining continuity in the financial sector.
  • Paragraph 3: The first subparagraph of paragraph 3 has been updated to ensure consistent application of the article. The European Securities and Markets Authority (ESMA) is tasked with developing regulatory technical standards that will specify the minimum content and requirements for these continuity policies. However, these standards will exclude ICT-specific continuity and disaster recovery plans, which are to be governed under DORA. This ensures that the regulatory framework is well-defined and clear about the scope of ICT-related continuity requirements.

Amendments to Article 56: Registration of Trade Repositories

The amendments to Article 56 further clarify the requirements for the registration of trade repositories, which are institutions responsible for collecting and maintaining records of derivatives transactions.

  • Paragraph 3: The first subparagraph of paragraph 3 is revised to specify that ESMA is responsible for developing regulatory technical standards for applications for registration, excluding requirements related to ICT risk management. By segregating ICT risk management under DORA, this amendment ensures that trade repositories follow a unified approach to operational resilience, particularly in ICT systems, as they apply for registration.

Amendments to Article 79: Operational Risk Management for Trade Repositories

In Article 79, paragraphs 1 and 2 have been significantly revised to incorporate ICT system management into operational risk assessments.

  • Paragraph 1: The revised provision requires that trade repositories identify and mitigate operational risks, with specific emphasis on the development of appropriate systems, controls, and procedures. ICT systems must now be managed in accordance with the standards outlined in DORA, ensuring that trade repositories maintain high levels of digital resilience to prevent and respond to operational disruptions.
  • Paragraph 2: This paragraph further emphasizes the need for trade repositories to establish and maintain business continuity and disaster recovery plans, with particular attention to ICT systems. These plans must comply with DORA to ensure that trade repositories can continue fulfilling their obligations in the event of a disruption. The update ensures that ICT resilience is a core component of operational risk management strategies, preparing institutions for a wide range of potential cyber threats.

Amendments to Article 80: Deletion of Paragraph 1

Finally, paragraph 1 of Article 80 has been deleted. While the specific rationale for this deletion is not explicitly stated in the text, the deletion suggests an effort to streamline the operational requirements for trade repositories. By eliminating redundant or unnecessary provisions, the amendment seeks to make the regulation more efficient and focused on critical areas of digital resilience, in line with the new requirements introduced by DORA.

Conclusion

The amendments to Regulation (EU) No 648/2012 through DORA bring significant changes to how financial entities manage their ICT systems and ensure business continuity. The integration of ICT resilience into regulatory frameworks ensures that institutions such as CCPs and trade repositories can effectively mitigate operational risks, particularly those arising from cyber threats. These changes reflect the growing importance of digital infrastructure in the financial sector, pushing organizations to adopt stronger, more robust systems that align with the latest technological advancements. By enforcing these standards through regulatory updates, DORA ensures that the European financial system is better equipped to handle disruptions, ultimately fostering a more resilient and secure financial environment across the EU.