In a critical response to the European Commission’s recent rejection of technical standards for financial services registers, the European Supervisory Authorities (ESAs) expressed deep concerns over the growing uncertainty surrounding the implementation of the Digital Operational Resilience Act (DORA).

In its response to the Commission, the trio emphasises the potential regulatory and compliance challenges that institutional investors and financial entities will face as a result of this decision.

The ESAs – comprising the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA) – have jointly called on the Commission to reconsider its stance, following the Commission’s rejection of the draft implementing technical standards (ITS) for information registers, which were designed to bring greater transparency and operational clarity to the financial sector under DORA.

DORA and ICT service definition

At the heart of the issue is the ambiguity surrounding the definition of ICT (Information and Communication Technology) services, as highlighted by PensionsEurope this week.

PensionsEurope is urging the Commission to provide clear guidance on this matter. The concern revolves around whether regulated financial services, which are already subject to stringent supervisory controls, should be classified as ICT services under DORA’s scope.

PensionsEurope has argued that including such services under the ICT umbrella would create unnecessary regulatory overlaps and increase administrative burdens, potentially hindering financial entities’ operational efficiency.

As DORA's January 2025 implementation deadline approaches, the lack of clear definitions could exacerbate compliance risks, particularly for institutional investors managing outsourced services, according to PensionsEurope.

Broader implications for financial entities

The rejection of the ITS has significant implications for financial entities, particularly those heavily reliant on ICT systems for day-to-day operations. The ESAs stressed that the draft ITS were crucial for ensuring a smooth reporting process under DORA, which mandates stringent requirements for managing ICT-related risks, including cyber threats.

The ESAs’ response underscores the need for consistency in how ICT services are regulated across the European Union. They argue that by rejecting the ITS, the European Commission risks creating fragmentation in how financial entities handle ICT risks.

This could have a detrimental effect on the overall resilience of the financial system, particularly given the increasing reliance on third-party service providers.

Calls for immediate action

Both PensionsEurope and the ESAs are urging the Commission to take swift action to resolve the regulatory uncertainty.

PensionsEurope has recommended that the Commission issue a formal clarification distinguishing regulated financial services from ICT services in its forthcoming FAQ on DORA. Similarly, the ESAs are pressing for a reconsideration of the rejected technical standards, highlighting the potential risks of delays in their adoption.

For institutional investors, these developments signal a period of heightened regulatory scrutiny. Navigating the complexities of DORA’s requirements will be essential to ensuring operational resilience and compliance in an increasingly digitised financial landscape.

As the January 2025 deadline looms, the financial sector awaits further guidance from the European Commission on how to reconcile these conflicting regulatory priorities.
