Proposal for a Regulation on digital operational resilience for the financial sector (DORA) aims to improve and harmonise ICT risk requirements in the financial sector. To ensure the proper application of DORA, competent authorities will possess supervisory, investigative and sanctioning powers. This article focuses on the possible sanctions and remedial measures entities could face when compliance with DORA is not met. DORA contains certain sanctions and remedial measures that could be applied generally to all entities governed by DORA, as well as specific sanctions and measures that can be applied only to, e.g., critical ICT third-party service providers (CTTPs). This article starts with an overview of sanctions and remedial measures and ends with some suggestions proposing modifications to DORA introduced by European Supervisory Authorities (ESAs).
Current version of DORA
According to the current proposal, member states will have to lay down rules establishing appropriate administrative penalties and remedial measures for respective breaches, but they can decide to impose criminal penalties for breaches of DORA instead of administrative penalties or remedial measures. Member states will have to prepare a legal framework to ensure that local competent authorities can apply at least subsequent administrative penalties or remedial measures for breaches:
- issue an order requiring the natural or legal person to cease the conduct and to desist from a repetition of that conduct;
- require the temporary or permanent cessation of any practice or conduct that the competent authority considers to be contrary to the provisions of DORA and prevent repetition of that practice or conduct;
- adopt any type of measure, including of a pecuniary nature, to ensure that financial entities continue to comply with legal requirements;
- require, in so far as permitted by national law, existing data traffic records held by a telecommunication operator, where there is a reasonable suspicion of a breach of DORA and where such records may be relevant to an investigation into breaches of DORA; and
- issue public notices, including public statements indicating the identity of the natural or legal person and the nature of the breach.
Competent authorities should always take into consideration at least the gravity and duration of the breach, the degree of responsibility of the natural or legal person, financial strength, losses for third parties caused by the breach or records of previous breaches.
Moreover, competent authorities will usually publish final decisions on their official websites regarding administrative penalties containing the breach, the identity of the responsible persons and the imposed penalty. ESAs and competent authorities have separated powers when dealing with CTPPs. ESA, as Lead Overseer, can refrain from entering into a further subcontracting arrangement when the subcontractor is an ICT third-party service provider or a subcontractor established in a third country and the subcontracting concerns a critical or important function of the financial entity. The Lead Overseer can also impose periodic penalty payment to compel the CTPPs to comply with DORA requirements. The penalty will be 1% of the average daily worldwide turnover of the CTPP in the preceding business year. The periodic daily penalty will be imposed until compliance is achieved and the period cannot be longer than 6 months following a notification to the CTPP.
Competent authorities are essential in the follow-up process. They are, for example, eligible to suspend, either in part or completely, the use or deployment of a service provided by CTPPs when a risk is identified by the Lead Overseer and the financial entity is not addressing the risk. Also, if the CTPP is not compliant, the competent authority can terminate the contractual arrangements concluded between a relevant financial entity and relevant CTPP.
Possible alterations to DORA
On 9 February 2021, the ESAs published a letter designated for the European Parliament, Council of the European Union and European Commission. The letter concerns the current version of the proposal for DORA and obstacles to the successful functioning of the proposal. The view of ESAs is that there is a need for more streamlined and effective governance, a need for coherence between oversight recommendations and any follow-up, a need for adequate resources and, finally, a need for a more proportionate DORA. ESAs raise questions regarding the practical functioning of the oversight framework for CTPPs. They will be governed by many competent authorities depending on the number of member states CTPPs are operating in. As was stated above, the main powers that will enforce compliance with DORA have competent authorities. That is why ESAs propose the creation of a new joint-ESAs executive body with the necessary powers to ensure a unified and harmonised approach.
The main proposed changes could be seen in the oversight framework where coordination between ESAs and competent authorities, as is currently set in DORA, could create problems in the follow-up process. We can expect changes that give ESAs a better decision-making role to unify and harmonise their approach and allow ESAs greater involvement in the enforcement of DORA. ESAs emphasise the importance of DORA due to the increased dependency of the financial sector on the digital environment. It seems that the publication of DORA is inevitable. That is why financial entities that, according to DORA, also include auditors should be well prepared in advance to mitigate the risk of facing possible sanctions and, primarily, to protect your business and financial sector in general.
Radek Buršík
PwC Legal