EU Digital Finance Strategy: digital operational resilience - implications for market infrastructure

MIPs are already subject to extensive general governance, reporting and outsourcing requirements under existing EU rules and regulations, such as MiFID II (for certain trading venues), the European Markets Infrastructure Regulation (for CCPs) and the Central Securities Depositaries Regulation (for CSDs). Therefore, in many respects, the requirements proposed by the DOR Regulation will not be entirely new or unfamiliar.

However, the DOR Regulation does impose more specific, enhanced requirements in respect of ICT and cyber-security. These requirements will require MIPs to review and, where appropriate, make changes to, their internal governance and processes. There may also be consequential financial implications, as appropriate budget will be required to be allocated to fulfil digital operational resilience needs. 

The MIP's management body will be required to focus more closely on ICT and ICT risk, including by having overall responsibility for managing ICT risk (including implementing an enhanced ICT risk management framework in some cases) and setting clear roles and responsibilities for all ICT-related functions. There will also be a number of additional areas subject to the management body's review which will need to be built into the management body's processes, such as the review of ICT audits (and related plans) and the ICT business continuity and disaster recovery plans as well as procedures for determining risk tolerance for ICT risks. MIPs might already have implemented some or all of these management functions or processes, but for others enhanced measures may be required.   

Furthermore, MIPs will also need to ensure that they can comply with any additional requirements regarding response and recovery, as well as detailed requirements in respect of the monitoring, testing and assessment of their ICT systems. There will also be a requirement to detect anomalous activities including the monitoring of user activity and to have appropriate arrangements and mechanisms to ensure continuity of critical functions. A number of these measures will likely be familiar to MIPs under their general business continuity obligations, but they will need to review their current processes to ensure that they will continue to comply.

MIPs tend to also make extensive use of third-party ICT service providers. As a result, MIPs will need to ensure that certain obligations under the DOR Regulation are reflected in their contractual arrangements with their own service providers - this may require the review and amendment and/or renegotiation of the relevant contracts. 

For example, MIPs making use of non-EU critical ICT service providers may need to consider terminating such arrangements and finding alternative EU providers in light of the proposed prohibition on the use of non-EU critical ICT service providers.

In relation to ICT service arrangements, although many of the proposed obligations under the DOR Regulation reflect the current outsourcing obligations in relevant legislation, there are additional specific ICT and cyber-security related risk management requirements, focussing, for example, on ICT concentration risk.

MIPs might need to also check their ICT risk-management governance structures, for example, there is a requirement for MIPs to allocate a specific senior-management role to monitor arrangements with ICT third-party service providers.

In terms of monitoring compliance, a new annual reporting obligation to the relevant competent authorities on ICT service arrangements will also apply.

If you would like further information or assistance in understanding the proposals and their potential impact, please speak to your usual Travers Smith contact or any of the partners or senior counsel below.