Edward Roozenburg: Exceptions to subcontractor registration in DORA?


This column was originally written in Dutch. This is an English translation.

By Edward Roozenburg, Risk Management Consultant at Probability & Partners

Has your financial institution already determined which processes are important or critical?

By now, most of you will know that this must be determined under the Digital Operational Resilience Act (DORA), with which all European financial institutions must comply from 17 January 2025. You probably also know that choosing which processes are critical or important is not optional, because DORA specifies that for suppliers providing services for critical or important processes, the subcontractors must also be identified.

In the Information Register, the financial institution must include all ICT suppliers, including the subcontractors in the case of outsourcing for critical or important processes. DNB has said it will request this register from all institutions in the second quarter of 2025. AFM is already doing this at the end of the first quarter.

Setting up the Information Register, and especially identifying subcontractors, can be quite a job. Large parties that provide services for critical or important processes at financial institutions sometimes do not even have insight themselves into exactly which subcontractors they have, let alone let their clients know. When the pension funds where I work ask their ICT suppliers for the list of subcontractors, they regularly encounter incomprehension, astonishment and sometimes even something resembling evasion.

Sector-wide insight

But collecting all this information is not for nothing. The Information Register gives the regulator sector-wide insight into the financial sector's suppliers. With that insight, it will be possible to determine which of these suppliers are essential for financial institutions to continue providing their services. Or in other words, which suppliers are essential for the digital operational resilience of us all.

With an understanding of the most essential suppliers for the financial sector, the regulator can place specific emphasis in its supervision and apply pressure to ensure that financial institutions put additional control measures in place where necessary.

As mentioned, it is quite a job for the funds I work for to get the overview of subcontractors complete. Just imagine: as a small pension fund, asking Microsoft for a list of all its subcontractors.

Exception

Recently, a possible exception to the inventory of subcontractors caught my eye. This was in a presentation by DNB. It concerned a proposal before the European Commission. Suppliers who provide a service that requires a licence (think of a bank or an asset manager, for example) could become exempt from the obligation to register their subcontractors in the Information Register. So that would apply to all those service providers under supervision.

It seemed like a very nice proposal to me. Providers of licensed services are already under strict supervision and must already meet high standards of security and reliability. Registration of these subcontractors would therefore also be superfluous as far as I am concerned. We can better use the time to work on other things to strengthen digital resilience.

Outside European supervision

My joy only lasted a short while. Almost immediately, a colleague asked me what exactly was the situation with suppliers supervised by non-European authorities. Because that was the case with one of the funds where I work.

Of course, the question is whether supervisors in, say, the United States have the same strict standards as European supervisors with DORA in hand. Did we then have to go country by country to see if there were differences in the standards that regulators apply to all the services we take outside Europe? That's going to take a lot of time. I didn't have an answer for a while.

But my colleague was not the only one with some scepticism. European regulators (EBA, EIOPA and ESMA) have also made their objections to this exception clear. Their main arguments focus on the detriment to the transparency intended by the Information Register. If the register is not complete, you cannot properly determine which suppliers are truly critical. And this undermines good risk management.

Moreover, excluding licensed services could create an uneven playing field between licensed and non-licensed service providers. Indeed, financial institutions could then easily favour the licensed service.

While I think the arguments for the exception are understandable, as far as I am concerned, the regulators' objections outweigh them. Transparency and consistency are incredibly important for the stability of the financial system in this case. These exceptions could lead to a gap in information. And with that, it is no longer possible to properly determine which service providers have an essential role in the financial sector.

Therefore, it is important to stick to the original requirements of DORA, including the registration of subcontractors, for all relevant parties irrespective of authorisation. Because that protects the financial sector, and therefore all of us, from the threats in the digital world. There is every reason to do so. Even given the geopolitical situation, we must be prepared for war. A cyberwar could cripple financial institutions. Digital stress tests at banks earlier this year also showed that there is some room for improvement. So we will really have to get it right.