DORA Draft ITS: Risk Based Taxonomy

DORA's draft Implementing Technical Standard (ITS) on ICT services has stirred debate. AFME highlights concerns over proportionality, fearing data overload and heightened operational risks.

DORA Draft ITS: Risk Based Taxonomy
EU Risk Management in ICT Services

The Impact of DORA Draft ITS on the Register of Information and the Need for a Risk-Based Taxonomy

Association for Financial Markets in Europe Keywords Risk Management DORA

The draft Implementing Technical Standard (ITS) under the Digital Operational Resilience Act (DORA) has recently been subject to a response by the Association for Financial Markets in Europe (AFME). The ITS is designed to establish templates for a register of information about all contractual arrangements for the use of ICT services provided by third parties. The AFME, which represents a wide range of European and global participants in the wholesale financial markets, raises three main concerns.

Firstly, they argue that the principle of proportionality hasn't been adequately applied across the register, particularly in terms of the level of information required. Secondly, they express frustration that the new standalone register has not been proposed for consolidation with existing registers, thereby creating unnecessary complexity. They also believe that the proposed 'proportionate' application of the register needs recalibration as it overlooks essential risk factors.

Finally, the AFME criticizes the proposed taxonomy of ICT services. They argue that it captures an overly broad scope of ICT services and isn't risk-based. The AFME calls for a deliberate and comprehensive integration of proportionality in the application of the register requirements and for financial entities to have the flexibility to determine where and how the Register of Information should be used for internal risk management purposes.

ICT Services Regulation: The Call for Proportionality in DORA's Implementing Technical Standard

In the rapidly evolving digital landscape of the financial sector, regulations such as the Digital Operational Resilience Act (DORA) have been instrumental in setting the course. Recently, the draft Implementing Technical Standard (ITS) under DORA has sparked deliberations, especially given its focus on establishing a comprehensive register of contractual arrangements for ICT services provided by third parties. But like any transformative initiative, it hasn't been without its critics, notably the Association for Financial Markets in Europe (AFME).

At the core of the debate lies the principle of proportionality. AFME, representing a vast tapestry of participants in the European and global wholesale financial markets, contends that the draft ITS might have missed the mark here. Their concern isn't unwarranted. A misstep in applying proportionality could lead to data overload, which in turn could complicate the ICT service management landscape for financial entities. An overwhelmed register could not only accentuate operational risks but also tread into the territory of financial risks.

The conversation becomes even more intricate when we broach the topic of consolidation. In an age where streamlining and digitalization are buzzwords, the proposal to have a standalone register separate from existing ones seems counterintuitive. Multiple overlapping registers can be a breeding ground for inefficiencies, confusion, and even cost escalations. It seems we might be sidelining an opportunity to simplify regulatory reporting.

Lastly, the broad net cast by the proposed taxonomy of ICT services has also garnered scrutiny. A taxonomy that isn't rooted in a risk-based approach might end up diluting focus. By capturing an extensive range of ICT services, we risk overlooking those that truly matter, inadvertently expanding the purview of the enhanced register requirements.

In this digital age, it's essential for regulations to be both robust and agile. AFME's concerns underscore the need for a more risk-centric approach. To strike a balance, we must envision a taxonomy that hones in on high-risk ICT services, a register that harmoniously integrates with existing ones, and an application that's genuinely proportionate. As the financial sector continues to digitize, it's imperative to craft regulations that are both protective and practical. Only then can we foster a system that's streamlined, efficient, and effective in its oversight of ICT services.

Read More

European Union: DORA Update – ESAs consult on first batch of standards
The EU’s Digital Operational Resilience Act (DORA) aims to promote, improve and ensure operational resilience within the financial services sector. It comes into effect on 17 January 2025. Last month, six months into the two-year implementation period, the European Supervisory Authorities published…

Grand is Live

Check out our GPT4 powered GRC Platform

Sign up Free

Reduce your
compliance risks