Article 39 Digital Operational Resilience Act (DORA), International Cooperation

Jul 25, 2024 by Sneha Naskar

In the digital age, ensuring the operational resilience of ICT systems within the financial sector is crucial. The Digital Operational Resilience Act (DORA) is a significant legislative framework designed to enhance the ability of financial institutions and their critical ICT third-party service providers to withstand and recover from operational disruptions. Article 39 of DORA is a vital component of this framework, focusing on fostering international cooperation to manage ICT third-party risks across different financial sectors.

Enhancing International Cooperation

  1. Collaborative Administrative Arrangements

Article 39 empowers the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA)—collectively known as the ESAs—to engage in administrative arrangements with regulatory and supervisory authorities from outside the European Union. This collaboration is governed by Article 33 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010.

The primary objective of these arrangements is to enhance international cooperation on managing ICT third-party risks. This is achieved through several key activities:

  • Developing Best Practices: The ESAs and third-country authorities work together to develop and implement best practices for reviewing and managing ICT risks. This collaborative effort aims to create standardized approaches and protocols that can be adopted globally to strengthen ICT risk management.
  • Improving Risk Management Practices: By sharing knowledge and experiences, the ESAs and their international counterparts can enhance their understanding of ICT risk management. This includes refining risk-management practices, control measures, and mitigation strategies to address emerging threats and vulnerabilities effectively.
  • Coordinating Incident Response: International cooperation also focuses on improving incident response strategies. By aligning procedures and response mechanisms, the ESAs and third-country authorities can ensure a more coordinated and effective reaction to ICT-related incidents, minimizing potential disruptions and damages.

  2. Enhancing Global ICT Risk Management

The collaboration facilitated by Article 39 extends beyond mere information exchange. It aims to establish a robust framework for addressing ICT risks on a global scale. The ESAs work closely with third-country regulators to ensure that their practices and controls align with those in the EU, promoting consistency and reliability across international borders.

This approach helps mitigate risks associated with ICT third-party services that span multiple jurisdictions. For instance, when a critical ICT service provider operates in both the EU and other countries, harmonized practices ensure that risk management and response strategies are coherent and effective worldwide.

  3. Implications for Financial Stability

The international cooperation outlined in Article 39 has significant implications for financial stability, market integrity, and investor protection. By fostering a unified approach to ICT risk management, the ESAs and third-country authorities can collectively enhance the resilience of the global financial system.

The joint efforts in developing best practices and coordinating responses help to prevent and address systemic risks that could otherwise impact the stability of financial markets. This cooperative framework ensures that ICT-related disruptions are managed effectively, protecting the integrity of financial systems and safeguarding investor interests.

  4. Reporting Requirements

To maintain transparency and accountability, the ESAs are required to submit a joint confidential report to the European Parliament, the Council, and the Commission every five years. This report summarizes the findings of discussions held with third-country authorities, focusing on the evolution of ICT third-party risks and their implications for financial stability.

The report provides a comprehensive overview of how international cooperation has influenced ICT risk management practices and highlights any emerging trends or challenges. This information is crucial for informing policy decisions and enhancing the overall resilience of the financial sector.

Article 39 of the Digital Operational Resilience Act (DORA) underscores the importance of international collaboration in managing ICT third-party risks. By fostering administrative arrangements and developing best practices with third-country regulators, the ESAs contribute to a more resilient and stable global financial system. The cooperative approach outlined in Article 39 not only strengthens ICT risk management but also ensures that the financial sector remains robust and secure in the face of evolving digital threats.
