Article 59, Amendments To Regulation (EC) No 1060/2009, Digital Operational Resilience Act (DORA)

Jan 16, 2025 by Kira Hk

Overview

Regulation (EC) No 1060/2009 is amended as follows:

(1) in Annex I, Section A, point 4, the first subparagraph is replaced by the following:

‘A credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*1).

(*1) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;

(2) in Annex III, point 12 is replaced by the following:

‘12. The credit rating agency infringes Article 6(2), in conjunction with point 4 of Section A of Annex I, by not having sound administrative or accounting procedures, internal control mechanisms, effective procedures for risk assessment, or effective control or safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554; or by not implementing or maintaining decision-making procedures or organisational structures as required by that point.’

Summary Of Article 59

Article 59 of the Digital Operational Resilience Act (DORA) amends Regulation (EC) No 1060/2009, which governs credit rating agencies. The amendments align that regulation with DORA itself, Regulation (EU) 2022/2554, which focuses on digital operational resilience for the financial sector.

The first change requires credit rating agencies to implement sound administrative and accounting procedures, internal control mechanisms, and effective risk management and safeguard arrangements for their ICT systems, in line with Regulation (EU) 2022/2554. This ensures that agencies are well-equipped to manage and secure their digital operations.

The second amendment updates Annex III, point 12, to include provisions for non-compliance. If a credit rating agency fails to meet the ICT management and control requirements specified in Annex I, it would be considered an infringement. This includes failing to maintain effective risk assessment procedures or appropriate decision-making processes.

The amendments aim to enhance the resilience of credit rating agencies in managing ICT systems, ensuring that they follow established protocols for digital operational resilience, thereby contributing to the overall stability and security of the financial sector.