EU Digital Finance Strategy: digital operational resilience - implications for ICT service providers

Overview

In the autumn of last year, the EU issued a proposed regulation on digital operational resilience which is likely to have broad implications, not only for EU financial entities, but also for those which provide ICT services to such entities, including UK ICT service providers.

As part of the EU digital finance strategy, in the autumn of last year the European Commission issued a proposed regulation on digital operational resilience for the financial sector (DOR Regulation). This sets out requirements for operational resilience and Information and Communication Technology (ICT) risk management and seeks to consolidate and upgrade the ICT risk requirements in other separate pieces of EU legislation. A copy of the draft DOR Regulation can be found here.

The DOR Regulation applies to a large number of EU financial entities, including central securities depositories (CSDs), central counterparties (CCPs), trading venues, MiFID investment firms, payment institutions and e-money institutions. In addition, some aspects of the DOR Regulation will be relevant to entities which provide ICT services to EU financial entities.

We provided an overview of the DOR Regulation in a separate briefing, and also a separate look at the implications for market infrastructure. As set out in our other briefings, the DOR Regulation will see the introduction of an oversight mechanism for critical ICT third-party service providers ("critical" ICT service providers). In this briefing we will set out what a "critical" ICT service provider is, how this oversight mechanism is intended to work and the implications for critical and non-critical ICT third-party service providers both in the EU and third countries such as the UK.

Background/why the need?

Financial entities are integral to the functioning and health of the economy and, as with all industries, have grown increasingly reliant on third party technology platforms and providers to operate. Over the last decade, the EU has built, piecemeal, a network of regulations to mitigate and address the risks posed by reliance on ICT in various sectors, including financial services. However, existing principles-based and sector-limited legislation has led to a patchwork across the EU, limiting efficacy, increasing costs, creating a compliance headache and resulting in inconsistent supervisory and regulatory approaches.

Recently the European Commission has attempted to consolidate and upgrade this patchwork (as it relates to financial entities) into the new DOR Regulation and, more broadly, the Digital Finance Strategy. The DOR Regulation recognises "ICT risks… pose a challenge to the operational resilience, performance and stability of the EU financial system", and will form part of the fourth pillar of the EU's data strategy, combining and providing for information exchange with other EU cybersecurity initiatives, such as the Network and Information Systems Directive.

What are ICT service providers for the purposes of the DOR Regulation?

The DOR Regulation widely defines ICT third-party service providers (ICT service providers) as any "undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, [and] data centres…" but excluding "providers of hardware components" and those already authorised under EU law and which provide electronic communications services (as defined in the European Electronic Communications Code). (There are also some very limited exceptions for micro-enterprises and entities already subject to EU-wide supervision.)

What are "critical" ICT service providers?

The DOR Regulation provides for additional oversight of "critical" ICT service providers. These are designated by the European Supervisory Authorities ("ESAs"), being the European Banking Authority ("EBA"), the European Insurance and Occupational Pensions Authority ("EIOPA") and the European Securities and Markets Authority ("ESMA"). Each year, the ESAs will update and publish the pan-EU list of critical ICT service providers.

An ICT service provider will be designated as "critical" by the ESAs by reference to five overarching criteria:

  1. the systemic impact that its failure could have on the stability, continuity or quality of the provision of financial services;

  2. the importance of financial entities reliant on it, including the numbers of global systemically important institutions ("G-SIIs") and other systemically important institutions ("O-SIIs"), their interdependence and whether any of those institutions provide financial infrastructure services to other financial entities (i.e. the risk of a domino effect);

  3. the extent of financial entities' reliance on it (whether directly or indirectly through the supply chain);

  4. the number and availability of alternative providers and barriers to migration; and

  5. the number of Member States in which (i) it provides services and (ii) its financial entity customers are operating.

(Further clarification of the criteria will be set out in further legislation following consultation.)

Impact on ICT service providers

The broad impact on ICT service providers is as follows (further detail is set out in the sections below):

Critical EU ICT Service Providers – direct supervision and oversight by the ESAs.

Critical ICT Service Providers based in the EU will be subject to direct supervision and oversight by their "Lead Overseer" ESA, which will have investigatory and information-gathering powers, be able to issue specific recommendations and impose fines. This pan-EU regulation may be preferable for some ICT service providers, who would otherwise have to deal piecemeal with local regulators in each member state in which they or their financial entity customers operate.

Critical EU ICT Service Providers will also need to impose further obligations on their service providers so as to meet their own regulatory requirements.

Being designated a "critical" ICT service provider, with the direct supervision and oversight that comes with it, may well prove attractive to more risk-averse financial entities when choosing between a "critical" ICT service provider and one which is not regarded as such. Some ICT providers may therefore feel obliged to opt into the regime where they think they meet the criteria but have not otherwise been designated as "critical" by an ESA.

Non-critical ICT service provider?

EU financial entities and critical ICT service providers are also likely to trickle down their obligations through their ICT service provider chains. These are likely to include increased contractual protections and oversight and reporting requirements, heightened due diligence of security practices and subcontractors, simplification of service provider chains and additional implications for non-EU subcontractors.

Non-EU ICT service providers? …and what about Brexit?

The DOR Regulation prohibits the use of critical ICT service providers that are neither incorporated in the EU nor have set up business or a presence in the EU. There are also some obligations in respect of non-critical third country ICT service providers. Providers may need to move certain of their operations to establish a presence in the EU or incorporate a subsidiary in the EU. Following the end of the transition period, this now includes UK ICT service providers.

All ICT service providers

The requirements imposed on financial entities will trickle down to ICT service providers as follows:

Contractual provisions

The DOR Regulation requires EU financial entities to incorporate certain key provisions into their contractual arrangements with ICT service providers. Perhaps most surprisingly, the DOR Regulation requires that the full contractual arrangement be set out in one written document, including all service level agreements. The contents of that contract must include provisions on the following (amongst others). Many of these may already be familiar as they draw on the EBA Guidelines on outsourcing arrangements.

  1. The functions and services to be provided, the extent to which these may be sub-contracted and where they will be carried out (and the obligation to notify if the provider "envisages" that changing).

  2. Full service level descriptions and guarantees on the accessibility, availability and security of personal and non-personal data, including for business continuity (whether through insolvency, resolution or discontinuation).

  3. Notice periods and reporting obligations, including notification of any matter which may materially impact critical or important functions in line with service levels.

  4. Any cost associated with assisting in the event of an ICT incident (otherwise assistance must be provided without cost).

  5. Obligations to participate in the financial entity's penetration testing, and to implement and test business continuity plans and maintain ICT security measures which adequately guarantee the secure provision of services by the financial entity in accordance with the financial entity's regulatory framework.

  6. Ongoing monitoring and audit requirements, including rights of access, inspection and audit by the financial entity or its appointed third-party and the right to agree alternative assurance levels, and an obligation to co-operate during inspections.

  7. Obligations to cooperate with regulators.

  8. Clear termination rights/periods, including for breach of law, regulations or contractual terms, material adverse changes, identified weaknesses in ICT risk management (e.g. security arrangements) and in the event that the arrangement obstructs adequate monitoring of the financial entity by its regulators.

  9. Dedicated and stress-tested exit strategies and mandatory adequate transition periods.

Standard contractual provisions?

Just as the GDPR required new data processing addenda to be put in place in 2018, ICT service providers will need to prepare for a flurry of amendment agreements from their customers and/or prepare their own. The Explanatory Memorandum of the DOR Regulation suggests that many of these provisions could be standardised, referring to the standard contractual clauses for the use of cloud computing services which are to be developed by the European Commission. The ESAs are also obliged to develop draft standardised templates for reporting major ICT-related incidents and certain other reporting obligations. These templates are likely to take into account the size and complexity of financial entities, as well as the nature and level of risk of their activities.

Increased customer oversight and reporting and internal investment

The DOR Regulation's audit and transparency obligations on EU financial entities in respect of their management of ICT risks are likely to result in enhanced due diligence and disclosure. ICT service providers may undertake pen-testing or other third party verification of their practices so as to be able to produce independent reports as part of customer due diligence, or otherwise undertake further internal investment to enhance the resilience of their systems, obtain certification against recognised standards (e.g. ISO 27001) and improve their incident detection and reporting.

It is also worth noting that, in the event of a cyber threat, the DOR Regulation provides for certain of this information to be shared between EU financial entities and institutions, including the ESAs and other third parties (e.g. Europol).

Use of subcontractors and third country subcontractors

ICT service providers may also look to simplify their supply chains as EU financial entities are obliged to consider whether long or complex chains of sub-contracting affect their ability to effectively monitor them, particularly where an ICT service provider is established in a third-country (see below).

Critical ICT service providers

As set out in our other briefings, the DOR Regulation will see the introduction of an oversight mechanism for critical ICT service providers (see "What are "critical" ICT service providers?" above).

Which ESA?

Each critical ICT service provider is subject to direct oversight by an ESA which is designated as Lead Overseer. As currently drafted, the designated ESA for any critical ICT service provider broadly depends on which ESA is responsible for the financial entities that together hold the largest share of the total assets of all financial entities making use of the services of that critical ICT service provider. By way of example, if the financial entity customers of a critical ICT service provider which are regulated by the EBA account for the largest share (for instance, more than half) of those customers' total assets, then the EBA would be designated as that critical ICT service provider's Lead Overseer.

What oversight powers?

The Lead Overseer can request information and carry out inspections and investigations to assess whether the critical ICT service provider has in place effective arrangements to manage ICT risks to its financial entity customers and ultimately the financial system. The Lead Overseer may then submit recommendations on risks and remedies, including opposing certain contractual provisions or the appointment of third country sub-contractors which it considers may increase the risks to financial entities. The Lead Overseer can also impose steep periodic penalty payments on the critical ICT service provider if it does not comply with information requests or requests to conduct inspections, or fails to provide updates on whether it has taken adequate steps to follow recommendations: a daily penalty of 1% of the average daily worldwide turnover of the critical ICT service provider in the preceding business year, for up to six months.

Third country (e.g. UK) ICT service providers

As stated above, the DOR Regulation prohibits the use of critical ICT service providers that are neither incorporated in the EU nor have set up business or a presence in the EU.

The Brexit effect? So what for UK-based and non-UK-based ICT service providers?

In addition to the above prohibition on critical third country ICT service providers, when considering whether to appoint, or continue using, a non-critical third country ICT service provider, financial entities are obliged to consider whether the location of the service provider could affect the financial entity's ICT risks. The financial entity must take into account the relevant third country in which the ICT service provider is located, and consider factors such as: (a) respect for data protection in that country; (b) the effective enforcement of the law in that country; (c) the insolvency law provisions that would apply in the event of the ICT service provider's insolvency; and (d) any constraints that may arise in respect of the urgent recovery of the financial entity's data.

For non-UK ICT service providers (including EU ICT service providers) serving UK financial entities, it is possible that the UK may also bring in a similar regime for UK financial entities and non-UK ICT service providers. We will be keeping an eye on any such developments, so watch this space.

What you can do now and how we can help

If you are incorporated in the UK or supply ICT services into the EU, there are some steps you can start taking now:

  • Consider which EU financial entities you serve, whether you are likely to be designated "critical", and how critical your services are to their operation.

  • If you do not have an EU-based presence, how easy would it be to establish an EU subsidiary or other EU presence?

  • Review your supply chain – are there any easy "wins" to simplify it or make it easier to audit? Do you have any ICT suppliers who offer services from an alternative EU-based location?

  • Undertake a review of your security arrangements to assess whether there are any quick "wins" or large investment projects you would need to undertake that need to be started now to prepare.

  • Even if you aren't likely to be a critical ICT service provider, EU financial entities are likely to require amendments to your arrangements and additional audit and reporting requirements. Consider whether there are any systems and documentation you can put in place to evidence your ability to service such requirements.

If you would like further information or assistance in understanding the proposals and their potential impact, please speak to your usual Travers Smith contact or any of the individuals below.

Please see here further information about how the Digital Operational Resilience Regulation affects market infrastructure providers.

Please see here for an overview of the EU Digital Finance Strategy.
