Article 54 Digital Operational Resilience Act (DORA), Amendments To Regulation (EU) No 909/2014

Sep 12, 2024 by Sneha Naskar

Article 54 of the Digital Operational Resilience Act (DORA) introduces significant amendments to Regulation (EU) No 909/2014, which governs central securities depositories (CSDs). These amendments aim to enhance the operational resilience of CSDs by incorporating stricter requirements for risk management, business continuity, and disaster recovery.


Revision of Paragraph 1

The amendment to Article 45(1) of Regulation (EU) No 909/2014 stipulates that CSDs must identify and mitigate operational risks, both internal and external. The revised text specifies that CSDs should deploy appropriate ICT tools, processes, and policies, as outlined in Regulation (EU) 2021/xx (DORA). In addition, CSDs are expected to utilize other relevant tools, controls, and procedures to manage various types of operational risk, including those associated with securities settlement systems they operate. The updated regulation emphasizes the integration of DORA’s provisions, reinforcing the requirement for CSDs to align their risk management strategies with broader EU regulatory standards.

Removal of Paragraph 2

The amendment removes Article 45(2) entirely. This deletion signifies a streamlining of the regulatory framework, possibly consolidating or updating the requirements that were previously covered under this paragraph. The removal suggests a shift towards more comprehensive and integrated risk management practices as outlined in the revised paragraphs and new regulations.

Update to Paragraphs 3 and 4

The amendments to paragraphs 3 and 4 of Article 45 introduce enhanced requirements for business continuity and disaster recovery plans:

• Business Continuity and Disaster Recovery Planning: CSDs are now required to establish, implement, and maintain robust business continuity and disaster recovery plans for all the services they provide and securities settlement systems they operate. These plans must include ICT business continuity and disaster recovery measures in accordance with Regulation (EU) 2021/xx (DORA). The objective is to ensure the preservation of services, timely recovery of operations, and the fulfillment of CSD obligations in the event of significant operational disruptions.
• Recovery of Transactions and Positions: The updated regulation mandates that the continuity plan must ensure the recovery of all transactions and participants’ positions at the time of disruption. This requirement is crucial to enable participants to continue operating with certainty and complete settlements on scheduled dates. The plans must ensure that critical IT systems can resume operations from the point of disruption, in line with the provisions of Articles 11(5) and 11(7) of Regulation (EU) 2021/xx (DORA).

Changes to Paragraph 6

The first subparagraph of Article 45(6) is revised to enhance risk management obligations for CSDs. The revised text requires CSDs to:

• Identify, Monitor, and Manage Risks: CSDs must identify and manage risks that key participants, service and utility providers, other CSDs, and market infrastructures may pose to their operations. This broader risk management framework ensures that CSDs are prepared for potential threats from a wide range of sources.
• Information Disclosure and Incident Reporting: CSDs are obligated to provide competent and relevant authorities with information on any identified risks upon request. Additionally, they must promptly inform the competent authority and relevant authorities of any operational incidents, excluding those related to ICT risks, that result from such identified risks.

Revision of Paragraph 7

The amendment to Article 45(7) updates the role of the European Securities and Markets Authority (ESMA) in developing regulatory technical standards:

• Development of Regulatory Technical Standards: ESMA, in close cooperation with the members of the European System of Central Banks (ESCB), is tasked with developing draft regulatory technical standards. These standards will specify operational risks (excluding ICT risks) and the methods for testing, addressing, and minimizing these risks. The standards will cover business continuity policies, disaster recovery plans, and the methods for assessing these measures. The aim is to provide a standardized approach for managing operational risks and ensuring resilience across the financial market infrastructure.

Conclusion

The amendments introduced by Article 54 of DORA significantly enhance the regulatory framework for central securities depositories (CSDs) by integrating stringent requirements for operational risk management, business continuity, and disaster recovery. These changes ensure that CSDs align with the broader objectives of DORA, promoting greater stability and resilience within the financial market infrastructure.
