Understanding Network and Information Systems: A Key Component of Modern Digital Infrastructure

A "network and information system" is defined in Article 6, point 1, of Directive (EU) 2022/2555. This definition encompasses many components essential for the seamless operation of modern digital environments. These systems include the networks themselves and the information that flows through them, which is crucial in ensuring the reliability, security, and efficiency of data communication and management.

Context and Rationale

The introduction of Regulation (EU) 2021/xx, also known as the Digital Operational Resilience Act (DORA), represents a significant step forward in enhancing the digital operational resilience of financial entities across the European Union. This regulation aims to ensure that financial institutions, including credit rating agencies, have robust systems and procedures in place to manage and mitigate ICT-related risks. The amendment to Regulation (EC) No 1060/2009 reflects this broader regulatory context and aligns the requirements for credit rating agencies with the principles set forth in DORA.

Key Aspects of the Substitution

Here’s a quick overview of the essential elements involved in substitution:

• Administrative and Accounting Procedures: The requirement for sound administrative and accounting procedures emphasizes the need for credit rating agencies to establish and maintain rigorous administrative practices. These procedures must ensure accuracy, accountability, and transparency in financial reporting and management. Effective administrative procedures are critical for preventing errors, fraud, and financial mismanagement, thereby safeguarding the integrity of the agency’s operations.

• Internal Control Mechanisms: The inclusion of internal control mechanisms underscores the importance of having systematic processes in place to monitor and manage internal operations. Internal controls are designed to detect and prevent inaccuracies, fraud, and inefficiencies. They help ensure that the credit rating agency operates in compliance with relevant regulations and standards, and that financial and operational risks are appropriately managed.

• Efficient Risk Assessment Procedures: Efficient risk assessment procedures are crucial for identifying, evaluating, and mitigating potential risks that could impact the credit rating agency’s operations. These procedures must be robust and comprehensive, covering various risk factors including financial, operational, and technological risks. By implementing effective risk assessment practices, credit rating agencies can proactively address potential issues before they escalate into significant problems.

• Control and Safeguard Arrangements for ICT Systems: The emphasis on control and safeguard arrangements for managing ICT systems highlights the need for credit rating agencies to have effective mechanisms in place to protect their information and communication technology infrastructure. This includes implementing measures to prevent unauthorized access, data breaches, and system failures. Ensuring the resilience and security of ICT systems is essential for maintaining the integrity and reliability of the credit rating agency’s operations.

Alignment with DORA

Regulation (EU) 2021/xx (DORA) establishes a comprehensive framework for digital operational resilience across the financial sector. By incorporating the requirements of DORA into Regulation (EC) No 1060/2009, the amendment ensures that credit rating agencies are subject to the same high standards of ICT resilience and risk management as other financial institutions. This alignment is intended to enhance the overall stability and security of the financial system by ensuring that all relevant entities are adequately prepared to handle ICT-related challenges.

Implementation and Compliance

Credit rating agencies must review and update their internal policies and procedures to comply with the new requirements outlined in the substituted text. This may involve revising administrative and accounting practices, strengthening internal controls, enhancing risk assessment procedures, and bolstering ICT safeguards. Agencies should also consider conducting regular audits and assessments to ensure ongoing compliance with both Regulation (EC) No 1060/2009 and Regulation (EU) 2021/xx (DORA).

The substitution of the first subparagraph of point 4 of Section A in Annex I to Regulation (EC) No 1060/2009 aligns with the objectives of Regulation (EU) 2021/xx (DORA) by reinforcing the need for robust administrative, control, and risk management practices within credit rating agencies. This change underscores the commitment to enhancing digital operational resilience and ensuring that credit rating agencies are well-equipped to manage and mitigate ICT-related risks effectively.