Article 54 Digital Operational Resilience Act (DORA), Amendments To Regulation (EU) No 909/2014

Article 45 of Regulation (EU) No 909/2014, which governs the operations of Central Securities Depositories (CSDs), has been revised to address various aspects of operational risk management, with a specific focus on ICT-related issues. The amendments are designed to enhance the operational resilience of CSDs, ensuring they can effectively manage risks and maintain continuity of services. Here is a detailed overview of the changes.

Amendment to Paragraph 1

The revised Paragraph 1 now requires CSDs to identify and mitigate operational risks, both internal and external, including those related to ICT. This obligation must be met using appropriate tools, processes, and policies managed in accordance with Regulation (EU) 2021/xx (DORA). This provision emphasizes the importance of integrating ICT risk management into the broader framework of operational risk management for securities settlement systems operated by the CSD. By aligning with DORA, CSDs are expected to adopt robust ICT practices and controls to mitigate potential risks that could affect their operations.

Deletion of Paragraph 2

Paragraph 2 has been removed from the regulation. While the specifics of Paragraph 2 are not detailed, its removal suggests a simplification or consolidation of regulatory requirements. This may indicate a shift in focus or the removal of provisions deemed redundant or outdated.

Amendments to Paragraphs 3 and 4

Paragraphs 3 and 4 have been updated to mandate that CSDs establish, implement, and maintain robust business continuity and disaster recovery plans. These plans must include specific provisions for ICT under Regulation (EU) 2021/xx (DORA). The updated requirements aim to ensure that CSDs can continue providing services and recover operations promptly in the event of significant disruptions. The inclusion of ICT-specific plans underscores the need for comprehensive strategies that address potential ICT-related disruptions, ensuring that CSDs are prepared for a wide range of operational challenges.

Amendment to Paragraph 6

Paragraph 6 has been revised to require CSDs to identify, monitor, and manage risks posed by key participants in their securities settlement systems, as well as by service providers, other CSDs, or market infrastructures. The amendment also mandates that CSDs provide relevant authorities with information upon request and promptly inform competent authorities of operational incidents. Notably, this provision excludes ICT-related risks, indicating that ICT risk management is covered separately, in alignment with Regulation (EU) 2021/xx (DORA). This change highlights the importance of a broad approach to risk management while distinguishing ICT risks for specialized treatment.

Amendment to Paragraph 7

The updated Paragraph 7 requires ESMA (European Securities and Markets Authority), in collaboration with ESCB (European System of Central Banks) members, to develop technical standards specifying the operational risks outlined in paragraphs 1 and 6. Importantly, these standards will exclude ICT risks, which are addressed under DORA. The technical standards will include methods for testing, addressing, or minimizing operational risks, as well as assessing business continuity policies, disaster recovery plans, and related procedures. This amendment reflects a focus on creating clear and practical guidelines for managing operational risks while ensuring that ICT risks are managed according to specialized standards.

The amendments to Article 45 of Regulation (EU) No 909/2014 reflect a strengthened approach to managing operational risks for Central Securities Depositories (CSDs). By integrating requirements from Regulation (EU) 2021/xx (DORA), the changes emphasize the importance of robust ICT risk management and business continuity planning. The removal of certain paragraphs and the exclusion of ICT risks from specific technical standards indicate a streamlined regulatory framework designed to enhance the resilience and effectiveness of CSD operations. These revisions are intended to ensure that CSDs are well-prepared to handle a range of operational challenges, including those related to ICT, and maintain their critical functions in the face of disruptions.