Article 52 Digital Operational Resilience Act (DORA), Amendments To Regulation (EC) No 1060/2009

Jul 25, 2024by Sneha Naskar

Financial entities must adapt to increasingly complex and pervasive information and communication technology (ICT) risks. The European Union has introduced the Digital Operational Resilience Act (DORA), a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial institutions, including credit rating agencies. In alignment with these latest regulatory developments, a significant amendment has been made to Regulation (EC) No 1060/2009. This amendment mandates that credit rating agencies establish sound administrative and accounting procedures, internal control mechanisms, efficient risk assessment procedures, and robust control and safeguard arrangements for managing ICT systems. The following sections delve into the context, rationale, and key aspects of this regulatory update, highlighting the alignment with DORA and its implications for credit rating agencies.

Article 52 Digital Operational Resilience Act (DORA), Amendments To Regulation (EC) No 1060/2009

Enhancing Digital Operational Resilience For Credit Rating Agencies

In alignment with the latest developments in regulatory frameworks, the following amendment is made to the first subparagraph of point 4 of Section A in Annex I to Regulation (EC) No 1060/2009:

Substitution Text:

"In compliance with Regulation (EU) 2021/xx of the European Parliament and of the Council* [DORA], a credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, efficient risk assessment procedures, and efficient control and safeguard arrangements for managing ICT systems."

  • European Parliament and Council Regulation (EU) 2021/xx [...] (OJ L XX, DD.MM.YYYY, p. X).

Context and Rationale

The introduction of Regulation (EU) 2021/xx, also known as the Digital Operational Resilience Act (DORA), represents a significant step forward in enhancing the digital operational resilience of financial entities across the European Union. This regulation aims to ensure that financial institutions, including credit rating agencies, have robust systems and procedures in place to manage and mitigate ICT-related risks. The amendment to Regulation (EC) No 1060/2009 reflects this broader regulatory context and aligns the requirements for credit rating agencies with the principles set forth in DORA.

Key Aspects Of The Substitution

  • Administrative and Accounting Procedures: The requirement for sound administrative and accounting procedures emphasizes the need for credit rating agencies to establish and maintain rigorous administrative practices. These procedures must ensure accuracy, accountability, and transparency in financial reporting and management. Effective administrative procedures are critical for preventing errors, fraud, and financial mismanagement, thereby safeguarding the integrity of the agency’s operations.
  • Internal Control Mechanisms: The inclusion of internal control mechanisms underscores the importance of having systematic processes in place to monitor and manage internal operations. Internal controls are designed to detect and prevent inaccuracies, fraud, and inefficiencies. They help ensure that the credit rating agency operates in compliance with relevant regulations and standards, and that financial and operational risks are appropriately managed.

DORA Compliance Framework

  • Efficient Risk Assessment Procedures: Efficient risk assessment procedures are crucial for identifying, evaluating, and mitigating potential risks that could impact the credit rating agency’s operations. These procedures must be robust and comprehensive, covering various risk factors including financial, operational, and technological risks. By implementing effective risk assessment practices, credit rating agencies can proactively address potential issues before they escalate into significant problems.
  • Control and Safeguard Arrangements for ICT Systems: The emphasis on control and safeguard arrangements for managing ICT systems highlights the need for credit rating agencies to have effective mechanisms in place to protect their information and communication technology infrastructure. This includes implementing measures to prevent unauthorized access, data breaches, and system failures. Ensuring the resilience and security of ICT systems is essential for maintaining the integrity and reliability of the credit rating agency’s operations.

Alignment With DORA

Regulation (EU) 2021/xx (DORA) establishes a comprehensive framework for digital operational resilience across the financial sector. By incorporating the requirements of DORA into Regulation (EC) No 1060/2009, the amendment ensures that credit rating agencies are subject to the same high standards of ICT resilience and risk management as other financial institutions. This alignment is intended to enhance the overall stability and security of the financial system by ensuring that all relevant entities are adequately prepared to handle ICT-related challenges.

Implementation And Compliance

Credit rating agencies must review and update their internal policies and procedures to comply with the new requirements outlined in the substituted text. This may involve revising administrative and accounting practices, strengthening internal controls, enhancing risk assessment procedures, and bolstering ICT safeguards. Agencies should also consider conducting regular audits and assessments to ensure ongoing compliance with both Regulation (EC) No 1060/2009 and Regulation (EU) 2021/xx (DORA).

The substitution of the first subparagraph of point 4 of Section A in Annex I to Regulation (EC) No 1060/2009 aligns with the objectives of Regulation (EU) 2021/xx (DORA) by reinforcing the need for robust administrative, control, and risk management practices within credit rating agencies. This change underscores the commitment to enhancing digital operational resilience and ensuring that credit rating agencies are well-equipped to manage and mitigate ICT-related risks effectively.

DORA Compliance Framework