The new DORA regulatory framework will enter into force on 17 January 2025. In addition to the Level I Regulation (Regulation (EU) 2022/2554 of 14 December on digital operational resilience for the financial sector), work is being undertaken on a large number of regulatory developments in two blocks. The first has already been sent to the European Commission; and the second will be before 17 July 2024, after being under consultation until 4 March. This issue was the subject of debate at the 29th FundsPeople Legal Debate.
'The first block of the Level II rules focus on the harmonisation of tools, methods and procedures in ICT risk management; as well as criteria for the classification of incidents, among other issues. This will all contribute to establishing a technical framework that should help the sector', explained José Carlos Sánchez-Vizcaíno, Head of Depositary Supervision at Cecabank. In relation to the second block, the expert highlighted the importance of supervisory convergence. 'And even more so in this area, which is crucial to ensuring common conditions for all institutions within the EU in exercising their financial activity'. In this regard, he believes that the fact that the authorities have a framework for cooperation to share information and harmonise conditions, enabling them to supervise institutions, is very positive.
Ninety-four percent of fund managers in Spain are SMEs
It is clear that, in the financial sector, 'technological risk is a vital risk that needs to be addressed to ensure business continuity, investor protection and the smooth functioning of markets', stated Elisa Ricón, CEO of Inverco. The expert sees two problems: 'All investors are entitled to the same level of protection, regardless of whether their service provider is small, medium or large. But, at the same time, we find that these regulatory frameworks act as a tremendous driver of concentration in the industry', she warned. The fact is that the minimums are so high that, even if there is a principle of proportionality, it is insufficient. 'Reaching the base level of requirements of this regulatory package is very difficult for certain smaller institutions', she warned. According to a study carried out by Inverco, 94% of fund managers in Spain are SMEs, and the situation at European level is not very different.
Outsourcing of functions
Pilar Lluesma, Head of Financial Regulation and Counsel at Ashurst, agreed. 'The banking groups had already partially implemented it and now they have to adapt to the differences introduced by DORA, it will be easier for them. But for small and medium-sized fund managers it is devastating'. Even so, the lawyer warned that, in the case of large groups, there are doubts about the entities within the group that will be directly or indirectly affected. She also pointed out that it would be appropriate to establish a materiality threshold for outsourcing agreements, which does not currently exist. In fact, Inverco stressed that these large financial conglomerates, although they have it easier from the outset, are also now encountering a difficulty. This is because the regulation indicates that what was previously ICT and had been outsourced, must now be subject to controls by the entity itself to supervise it. 'And even if you outsource to external third parties, there is a whole block of regulations for third-party ICT risk management, full of controls and reviews to be performed', stressed Ricón.
In this regard, Bárbara González, counsel at Linklaters, insisted that 'the way in which the principle of proportionality is applied is going to be very important'. And warned of the potential for inflation: 'Ultimately, the adaptation costs may be terribly high', she argued.
In short, the experts concluded that regulatory requirements have moved too fast, as was the case with the sustainability regulation. Although Paula De Biase, Financial Services Regulation and Funds partner at Baker McKenzie, admitted that 'everything is evolving so fast in technology that it is difficult to set standards'.