Account information service providers face EU operational resilience laws

The proposals outlined by EU law makers, which concern a new Digital Operational Resilience Act (DORA), are not yet finalised but would impact account information service providers (AISPs).

The latest DORA proposals, published by the Council of Ministers – the law-making body that comprises representatives of the national governments of the 27 countries that make up the EU – differ from the European Commission’s original DORA proposals published in September 2020. The Council’s plans will now be debated in trilogue negotiations with the Commission and European Parliament in an effort to finalise the wording of the legislation.

Luke Scanlon, a specialist in financial technology law and contracts at Pinsent Masons, queried whether the plans to bring AISPs within the scope of DORA are proportionate.

Scanlon said: “Under the Council’s proposals, AISPs – many of which are small fintech companies – would face the same set of requirements as major financial institutions. This includes requirements around business continuity and disaster recovery; the reporting of major ICT incidents; and digital operational testing; and around management of third-party ICT risk. It also includes requirements concerning the contractual arrangements AISPs agree with ICT third-party service providers.”

“There are exceptions for microenterprises – those with fewer than 10 employees and an annual turnover or balance sheet of no more than €2 million – and proportionality is baked into some of the requirements, but there is no doubt that AISPs would face significant additional regulatory burdens as a result of these proposals,” he said.

Scanlon, however, welcomed plans outlined by the Council to address potential duplication and complexity of incident reporting for financial entities.

Firstly, the Council has said it is keen to ensure that financial entities only have to notify one regulator where they experience an ICT-related incident or cyber threat. With this measure, the Council is seeking to anticipate the outcome of ongoing negotiations relating to proposed new EU cybersecurity laws which would replace and expand on the existing Network and Information Security Directive.

The Council further proposed amendments on incident reporting that would impact businesses that are subject to the second Payment Services Directive (PSD2) – including AISPs. Those businesses “should report under [DORA] all operational or security payment-related incidents previously reported under [PSD2], irrespective of whether such incidents are ICT-related or not”, according to the Council’s draft.

Under the Council’s revised DORA proposals, “mature” financial institutions like large banks, stock exchanges and central counterparties, would be expected to engage in “advanced testing” of their resilience to cyber attacks, such as by conducting threat-led penetration tests (TLPTs). Where those financial institutions rely on third party IT, the IT providers would be required to “cooperate in the conduct of TLPTs and to provide information on the recommendations addressed to it”.

Another significant amendment made by the Council to the DORA proposals could impact non-EU ICT service providers. In cases where they are designated as “critical” providers under DORA, those businesses would have a year to undertake to establish an EU-based subsidiary to ensure continuity of services to EU financial entities. Financial entities would be prohibited from continuing existing or commencing new agreements with ‘critical’ non-EU providers that fail to meet the subsidiary requirement.