ESAs publish consultation on technical standards for joint examination teams under DORA
RegCORE Client Alert | EU Digital Single Market
QuickTake
On 18 April 2024, the European Supervisory Authorities (ESAs), comprising the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), published a consultation on regulatory technical standards (RTS) on the composition and operation of joint examination teams (JETs) for the purposes of the EU Regulation known as the Digital Operational Resilience Act (DORA). Consultation paper and draft RTS available here.
DORA and its related RTS will become applicable from 17 January 2025. The consultation remains open for comments until 18 May 2024. This consultation paper is relevant for information and communication technology (ICT) firms, and specifically for those designated as critical third-party service providers (CTPPs) to financial services firms. It is also relevant for national competent authorities (NCAs) and the respective “Lead Overseers” (LOs) across the EU-27 tasked with building JETs, with supervising ICT firms (primarily CTPPs), and with supervising financial services firms’ interactions with and reliance upon ICT firms, in particular those designated as CTPPs.
Art. 41(1) DORA mandates the ESAs to draft RTS to harmonise the conditions enabling the conduct of oversight activities. This includes RTS detailing (i) the information to be provided by an ICT third-party service provider that voluntarily requests designation as critical under Art. 31(11) DORA; (ii) the content, structure and format of the information to be submitted, disclosed or reported by the ICT third-party service provider to the LO according to Art. 35(1) DORA, including the template for providing information on subcontracting arrangements; (iii) the criteria for determining the composition of the JETs, as well as the designation of their members, their tasks and working arrangements, i.e., the scope of this consultation paper; and (iv) the details of the NCAs’ assessment of the measures taken by CTPPs based on the recommendations of the LO. Further RTS on points (i), (ii) and (iv) are expected and will be subject to further analysis by PwC Legal’s dedicated EU Regulatory Compliance Operations, Risk and Engagement (EU RegCORE) centre.
Key takeaways from the draft RTS
When conducting oversight activities, a LO is assisted by a JET. The JET is composed of staff members from (a) the ESAs; (b) the relevant NCAs and other competent authorities supervising the financial entities to which the CTPP provides ICT services; (c) the NCA designated by or established in accordance with the NIS2 Directive that is responsible for the supervision of an essential or important entity subject to that Directive which has been designated as a CTPP on a voluntary basis; and (d) one NCA from the Member State where the CTPP is established.
JETs are established immediately after an ICT third-party service provider is first designated as a CTPP, or when material changes regarding the CTPP occur. “Material changes” are defined in Art. 2 of the draft RTS as “significant changes” to:
- Services provided by the CTPP;
- Activities performed by financial entities using ICT services of the CTPP; and/or
- The list of CTPPs at EU level referred to in Art. 31(9) DORA.
Composition of the JETs must take into account commitments and planned levels of intensity across the annual oversight plans for all CTPPs. The ESAs note that “Particularly, since the joint examination team is the structure involved on the daily oversight of the CTPPs, given the high technical complexity of the oversight activities and the scarce availability of the expertise needed to perform them, it is crucial for the ESAs and the entire supervisory community to ensure the maximum efficiency and effectiveness of the joint examination teams.”
Accordingly, members of a JET need to have expertise in ICT matters and in operational risk, as well as relevant skills (communication, collaboration, supervisory experience). If an authority lacks the necessary technical expertise for JETs, the LO may waive that authority’s obligation to nominate staff members. An authority that lacks such expertise should make an effort to remedy this and improve its ability to participate in JETs in the next exercise. Unless otherwise agreed between the nominating authority and the LO, JET members remain employees of the nominating authority, subject to the working hours and location set out in their employment contracts.
The LO should use a mix of criteria and principles to determine the number and makeup of staff members in each JET. The criteria should consider the technical tasks involved, the dependency of financial entities on third-party ICT services, geographical distribution, the number of reliant entities and cross-sectoral representation. The LO should draw on the information provided by competent authorities for the designation of the CTPP, including the sub-criteria calculations, and should also evaluate the criticality of the provider for the provision of specific financial services at both Member State and EU level. The LO and the JET members should regularly evaluate the team’s achievements to ensure an appropriate structure and composition and to enhance the efficiency and effectiveness of the Oversight Framework, and the LO and the nominating authorities should reassess JET membership in light of these evaluations where necessary.
In furtherance of the above, the ESAs are expected to provide supervision protocols for JET members and the LO coordinator to follow in their roles. These protocols also contain conflict-of-interest rules applicable to JET members while performing their tasks. The LO is expected to grant JET members access to confidential information and to IT and non-IT resources on a need-to-know basis, so that they can fulfil their tasks with minimal delay.
Tasks of JETs
Art. 1 of the draft RTS sets out the tasks of JETs when assisting the LO and the LO coordinator in the conduct of oversight activities, including the individual annual oversight plan adopted according to Art. 33(4) DORA. Where the individual annual oversight plan is significantly revised during the year by the LO, the LO must involve the JET in the revision and execution of that plan.
These ongoing oversight tasks of the JET include the following:
- assisting the LO in the preparation and drafting of the individual annual oversight plan describing the annual oversight objectives and the main oversight activities planned for each CTPP that are to be carried out by the LO and the JET;
- assisting the LO in performing the assessment referred to in Article 33(2) DORA;
- collecting and assessing the information submitted by the CTPP according to Article 37 DORA and Chapter II of the Commission Delegated Regulation on oversight harmonisation;
- conducting general investigations on the CTPP according to Article 38 of DORA;
- conducting inspections of the CTPP according to Article 39 DORA;
- drafting the recommendations addressed to the CTPP as defined in Article 35(1), point (d) DORA;
- assessing the remediation plan and the progress reports as defined in Article 4 of the Commission Delegated Regulation on harmonisation of the conditions of oversight conduct;
- preparing and drafting the requests and decisions to the CTPP referred to in Article 35(6), Article 37(1), Article 38(4), Article 39(6) DORA;
- assisting the LO in its contribution to horizontal oversight activities, including in the development of benchmarking, as referred to in Article 32(3) DORA;
- ensuring that the relevant information relating to financial entities making use of the services provided by the CTPP is shared with the LO; and
- assisting the LO in unplanned ad hoc activities deemed necessary by the LO for the purpose of oversight.
As noted in Recital 3 of the draft RTS, JETs should be structured so as to maximise synergies among resources and ensure the most effective execution of oversight activities. JETs should be able to oversee multiple CTPPs. Groupings of CTPPs should take into account the risk profile of the CTPPs and the anticipated intensity of oversight activities. This should result in a strategic multi-annual oversight plan, updated annually by the LO to the extent necessary and reflected in the individual annual oversight plan. To ensure the reliability of the planned and ongoing staffing commitments of the authorities to the JET, the LO should consult both the joint oversight network and the Oversight Forum. The above is certainly welcome in providing clarification, but it does raise a number of practical considerations for NCAs, as well as for CTPPs and thus for financial services firms.
Key considerations for financial services firms
DORA’s Oversight Framework for CTPPs is a novel and ambitious initiative that aims to enhance the ICT security and resilience of the financial sector. Achieving the aims set by DORA may, however, require significant investment in, and coordination of, human resources and expertise across the EU, both among firms in scope of DORA and among the (national) competent authorities tasked with supervising financial services firms while also participating in JETs (including physically, for on-site inspections) in the supervision of CTPPs.
DORA’s Oversight Framework also poses some key challenges and considerations for the financial entities that use or intend to use the services of CTPPs. One of the main challenges is the potential lack of suitably qualified talent available to staff JETs across the NCAs, ESAs and other authorities. The oversight activities of the JETs require a high level of technical expertise and knowledge of the ICT services provided by the CTPPs, as well as the ability to assess their compliance with the DORA requirements and standards. Given the high technical complexity of these tasks and the possible scarcity of the expertise needed to perform them, competition for (supervisory) talent between NCAs, ICT firms and financial services firms may well further intensify.
The current and future demand for ICT skills and competencies may exceed the supply of qualified staff members available to the NCAs, ESAs and other authorities. This may create a war for talent and competition for the best ICT experts and professionals, who may also be sought after by the CTPPs and the financial entities themselves. Moreover, the distribution and allocation of staff members in the JETs may not reflect the geographical and cross-sectoral diversity of the CTPPs and of the financial entities that use their services. This may create imbalances and gaps in oversight capacity and quality across the EU.
The lack of suitably qualified talent available for the relevant JETs may have significant implications for the financial entities that rely on CTPPs. For instance, it may affect the timeliness, consistency and accuracy of the oversight activities and of the recommendations issued by the LO and the JETs. It may also affect communication and cooperation between the JETs and the financial entities, as well as the information-sharing and reporting obligations of the CTPPs. Furthermore, it may affect the ability of financial entities to monitor and manage the operational risks and performance of the CTPPs, and to comply with their own DORA obligations and supervisory expectations.
Therefore, financial entities should be aware of, and prepared for, the potential challenges and impacts of the Oversight Framework and of any shortage of suitably qualified talent in the JETs. They should also engage and cooperate with the LO and the JETs, as well as with the CTPPs, to ensure a smooth and effective oversight process and to address any issues or concerns that may arise. Moreover, they should invest in their own ICT capabilities and resilience, and in the training and development of their staff, to cope with the increasing demand for and complexity of ICT services and with the DORA requirements and standards.
Outlook
DORA’s Oversight Framework introduces a tiering system that classifies ICT firms according to their systemic importance for the EU financial system and subjects them to different levels of supervision and requirements. CTPPs are subject to the highest level of scrutiny, and the supervisory findings addressed to them could have significant implications not only for their own business models and operations but also for those of the market overall. Moreover, the Oversight Framework gives the LO the power to impose periodic penalty payments and other measures on CTPPs that do not comply with its requests and decisions, while competent authorities retain their sanctioning powers over financial entities that do not comply with EU standards and expectations. These measures could disrupt the provision and continuity of services and affect the interests and rights of EU market participants overall.
DORA’s Oversight Framework, provided there are well-functioning JETs, also offers opportunities for financial services firms and market participants to benefit from enhanced supervision and oversight of ICT overall and of CTPPs specifically. The Oversight Framework aims to ensure a level playing field and fair competition among the entities that provide services to the EU financial markets, regardless of their location and origin. It also aims to promote the convergence and harmonisation of supervisory practices and standards on ICT across the EU and with third countries. JETs play an important role in such harmonisation efforts, in particular as their examinations will have implications of a global nature.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures. It creates a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary, with version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical-path dependencies are mapped, and legislative and regulatory developments are flagged where they may require action in such policies and procedures.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.