AmCham EU publishes position on Digital Operational Resilience Act (DORA)

8 Mar 2021
Digital Economy
Financial Services

The use of technology in financial services is not new. In fact, the financial services industry has always been at the forefront of testing and adopting new technologies to transform itself, increase competition and efficiency, and offer new solutions to its customers. What is new is the speed of innovation seen in recent years, which covers all aspects of the financial services sector and is leading to the development of new business models, services and products.

Amongst these new developments is the use of information and communications technology (ICT), which is in ever greater use in the sphere of finance and requires greater security resilience from firms. The Digital Operational Resilience Act (DORA) thus represents a crucial step towards a harmonized EU framework for digital resilience in financial operations. Due to the unique factors coming together in the financial services sector, given its fast evolution, increased diversification and international nature, additional care needs to be taken in the adoption of the proposed new regulation. Read our position here.

As the voice of American businesses invested in Europe, AmCham EU emphasises the transatlantic dimension and the need for a coordinated international approach to ICT risk management in this paper. The recommendations contained within this paper therefore focus on building on existing international practices and call for openness to incorporating international best practices into the implementation of the EU’s digital operational resilience.

The issues addressed in this paper include general principles; cloud computing; third-country provisions; intragroup delegation; ICT risk management; legislative consistency; the designation of critical third-party providers; testing; incident reporting; EU oversight of critical third-party providers; contractual arrangements; outsourcing and sub-outsourcing; cyber threat information sharing; sanctions and penalties; oversight fees; and the implementation period.