BRUSSELS, 9 April 2021 – Banks have been among the first companies to install computers and create large datacentres. This has contributed to the efficiency of their role of financing the economic activity and intermediating between savers and borrowers. As IT architecture has become essential for economic activity, the risk of disruption of this architecture and its consequences for the banks and their clients are of paramount importance. Consider for example the damage done by data breaches, ransomware or service outage of cloud service providers.
The European Savings and Retail Banking Group (ESBG) is aligned with the goal pursued by the Digital Operational Resilience Act (DORA) to create a comprehensive framework for the digital operational resilience of the financial sector in the EU. We welcome the initiative to bring together ICT risks in finance in this legislative proposal that advocates for a level playing field approach. Since the implementation of this framework implies a lot of policy work for the European Supervisory Authorities, we suggest however that the entry into force would be 30 months after the publication of the act.
As for the content of the act, ESBG thinks rules should be adjustable to the different business models in our membership. Smaller financial institutions should be excluded from the framework. We believe that the direct supervision of critical ICT service providers by the ESAs should cover only large, internationally active service providers. Predominantly nationally active critical ICT service providers should be supervised at the national level to avoid incompatibilities with national security laws. We advocate for the creation of a reporting hub at the national level and that the reporting at the EU level is done by the National Competent Authorities. We do not oppose to the creation of an EU hub receiving all reporting but if it is finally set up, it must replace all pre-existing reporting and risks should be properly assessed to ensure the highest levels of cybersecurity.
Finally, the cost of supervising the ICT-providers should not be on the banks or even less on the bank customers' shoulders. Just as banks rightfully support the cost of financial supervision, ICT providers should bear the cost of their supervision.