Contributing Firms:
Regulation - Europe
The EU’s proposed Digital Operational Resilience Act (DORA) will apply to a wide range of financial entities including investment firms and for the first time will bring major ICT service providers within the scope of European Supervisory Authorities. While not yet finalised, the rules could come into force in the second half of 2024. How significant could these changes be for investment firms and service providers?

David Petiteville, Director, Regulatory Solutions, Product, Office of the COO, RBC Investor & Treasury Services: The European Commission, in its strategy for Digital Finance, has, with the development of DORA, set the requirements of a wide range of financial entities. While certain firms already met some criteria due to existing regulations, others will be challenged, specifically for companies that were not in scope previously.
David Petiteville
David Petiteville

For example, a comprehensive ICT risk management framework will be required. Investment firms must define their risk strategies and implement adequate policies and tools. Another requirement is linked to the information they must maintain in dedicated registers on their third-party ICT service providers (SP). Ultimately they must conduct proper oversight of their SPs and implement efficient protocols to perform their duty. Incident events will need to follow new protocols of escalation and communication that firms will have to put in place and consider a tight regulatory timeline.

The service providers designated “critical” will now be subject to European Supervisory Authorities supervision, drastically increasing their obligations. While they must comply with the highest standard of regulatory requirements, they will also have to adjust to the regulator’s demands for information and impromptu meetings.

The non-respect of the rules may have significant consequences for companies in scope as substantial fines could apply.