European CCP group warns on DORA’s cloud outsourcing restrictions
The European Association of CCP Clearing Houses (EACH) outlined its position on the European Commission’s proposal on Digital Operational Resilience for the financial sector (DORA).
“EACH welcomes the European Commission’s proposal’s aim to further harmonize operational resilience rules and extend them to other financial entities and third-party providers. We particularly appreciate the broad principles established in this proposal including those of proportionality and lex specialis, as well as the European Commission’s intention to streamline reporting requirements and avoid overlaps.
“Overall, we find that the present proposal strikes the right balance between the necessity to preserve financial stability and financial innovation, and have made some further suggestions to support this goal.”
- Harmonization of Digital Operational Testing: the European Commission should clarify that the DORA testing regime does not come in addition to and is not independent from the requirements on advanced testing included in the existing frameworks such as the TIBER-EU framework. This would help avoid any additional compliance costs that firms would incur as a consequence of having to fulfil duplicative requirements on testing. In addition, we also encourage cooperation with international regulatory authorities on harmonising requirements and guidance on advanced testing frameworks, which would enable a smooth implementation for firms that operate different entities across borders and in different jurisdictions.
- Scope of the proposal – intra-group relationships should not be classified as third-party relationships for the purpose of the DORA requirements. In an intra-group relationship, the economic interests are aligned and managed at group level; ultimately the shareholders are the same, thereby mitigating many risks that arise out of traditional outsourcing relationships.
- Conditions on sub-sourcing in third countries – conditions on third-country service provisions, including sub-outsourcing to CSPs (cloud service providers) established in third countries, are disproportionate and could hinder global operations. A strict reading of Article 31(1)(iv) would mean financial entities cannot outsource any critical or important functions to ICT providers if they cannot ensure that the sub-contractor is not an ICT third-party service provider or an ICT sub-contractor established in a third country. This is not proportional and would effectively rule out use of certain ICT service providers, including CSPs, for critical functions.
- Flexibility on termination of contractual arrangements – EACH would recommend providing some flexibility to the regulated financial entities instead of mandating the termination requirements, as well as harmonizing such requirements with the existing EBA Outsourcing Guidelines.