October 2024 Highlights: Key UK and EU Operational Resilience Updates

Europe

As the landscape of operational resilience continues to evolve, this past month has been particularly eventful, marked by significant developments in both the UK and EU. With the impending deadline for compliance with the Digital Operational Resilience Act (DORA) on January 17, 2025, institutions are racing to meet stringent requirements designed to enhance their resilience to digital threats. In the UK, the anticipation builds as regulators are due to publish the finalised Critical Third Parties Regime Rules by the end of 2024, which will further shape the operational resilience framework. Additionally, regulatory bodies are unveiling their work programmes for the upcoming year, underscoring a clear and focused commitment to operational resilience.

To assist firms in keeping pace with these developments, we have highlighted the key developments in the table below.

| Date | Update | Link |
|---|---|---|
| 23 September | Verena Ross, ESMA Chair, spoke at AFME’s Annual Conference in London on ESMA’s work on securitisation and the importance of operational resilience. Great to get a regulator’s acknowledgement of the difficulty of achieving DORA compliance before the looming January 2025 deadline. | Speech |
| 24 September | BCBS published a note on its recent meeting, observing that a series of operational disruptions in July highlighted the importance of banks’ operational resilience, including third-party risk management. BCBS’s consultation on its proposed new principles for the sound management of third-party risk closed on 9 October. | Press release |
| 26 September | ECB published a paper on how the TIBER-EU framework will help financial entities and their competent authorities fulfil the TLPT requirements of DORA. The paper argues that TIBER-EU could serve as (welcome) detailed guidance on how to comply with DORA’s TLPT requirements. We wonder whether this is a move towards standardising threat-led penetration testing across the EU financial system. | Paper |
| 1 October | ESAs appointed Marc Andries to lead the implementation of the ‘Oversight Framework’ and the oversight of the CTTPs designated under DORA. It will be interesting to watch how this novel development, with EU financial services regulators overseeing tech companies, plays out! | Press release |
| 2 October | EBA published its work programme for 2025, and it is not surprising to see that implementing DORA oversight is a key EBA priority for the coming year. | Work programme |
| 2 October | The Bank of England published a press release announcing the completion of its latest UK market-wide simulation exercise, SIMEX 24. The exercise, performed in partnership with HM Treasury and the FCA, tested the UK financial sector’s resilience to a major operational disruption requiring a total shutdown and restart of the sector at large. The testing report has not been published, but the exercise reinforced the importance of preparedness and collective action in maintaining the resilience of the financial sector. | Press release |
| 15 October | The ESAs published their Opinion on the European Commission’s rejection of the draft ITS on the registers of information under DORA. The Commission had proposed the use of either an LEI or the EUID to identify the ICT TPPs in the registers, but the ESAs’ opinion is that this would cause unnecessary complexity. The ESAs’ opinion also makes some amendments to the draft ITS. See below on how the ITS were promptly adopted by the European Commission and published in the Official Journal. | ESA Opinion |
| 17 October | Elizabeth McCaul of the ECB delivered a speech on supervisory expectations for cloud outsourcing, emphasising the importance of rigorous testing regimes, thorough oversight and robust exit strategies when outsourcing to CSPs - looking forward to reviewing the ECB’s guide on cloud outsourcing at the end of this year! | Speech |
| 17 October | FSB launched a consultation on a common format for the reporting of operational incidents, to promote convergence in reporting practices. | Consultation |
| 17 October | G7 Cyber Expert Group published its public statement on the cybersecurity risks of quantum computing. Helpfully, the statement includes some recommended steps for financial entities to take now to prepare themselves to handle impending threats as soon as possible. | Statement |
| 18 October | ESMA launched a survey on LEIs, looking to gather evidence on the impact of using alternative identifiers for legal entities, including for reporting under DORA. Feedback to the survey is due by 12 November 2024. | Survey |
| 18 October | ECB published a revised version of the Eurosystem cyber resilience strategy, which applies to FMIs and, as a new addition, to the entities overseen under the Eurosystem oversight framework for electronic payment instruments, schemes and arrangements (PISA). The objective of the strategy is to enhance the security of the financial system in the face of emerging cyber threats, and it ties in with DORA. | Strategy |
| 23 October | Following the ESAs’ Opinion on the European Commission’s rejection of the draft ITS on the registers of information under DORA, the Commission swiftly adopted the DORA RTS and ITS on notifications and reports of major ICT-related incidents and cyber threats under DORA. | RTS; ITS |
| 25 October | European Commission adopted a Delegated Regulation on the harmonisation conditions enabling the conduct of oversight activities in the EU, another puzzle piece in the new Oversight Framework. | Delegated Regulation |
| 25 October | The FCA published portfolio letters to non-bank lenders, retail banks and lending societies, and lifetime mortgage providers, setting out its concerns and priorities for 2025. Unsurprisingly, operational resilience is a key priority for the FCA in the coming year, and firms are reminded of their obligations under existing guidance, including PS21/3. | Portfolio letter for building societies; Portfolio letter for Retail Banks; Portfolio letter for lifetime mortgage providers; Portfolio Letter for non-bank mortgage lenders and mortgage third party administrators |

As we navigate this rapidly changing environment, staying informed and proactive is essential for organisations striving to achieve operational resilience. The convergence of regulatory updates in both the UK and EU signals a heightened emphasis on robust risk management strategies in the face of increasing digital vulnerabilities. With the DORA compliance deadline approaching and the forthcoming CTP Regime Rules on the horizon, organisations must prioritise their preparedness to align with these evolving standards. By leveraging the insights from regulatory work programmes and fostering a culture of resilience, businesses can better position themselves to thrive in an increasingly complex landscape. If your firm needs any assistance with its operational resilience compliance, please do contact Angela Greenough and Joy Davey.