DORA: Why it is relevant and why it is relevant to you
The Digital Operational Resilience Act (DORA) is a significant development in EU regulation, compelling financial entities to ensure consistent cybersecurity and operational resilience maturity levels across all their operations within the EU. With a two-year preparatory phase, organizations face a significant task of implementation and demonstration of compliance.
To navigate this transition effectively, financial institutions must conduct comprehensive gap assessments to gauge their readiness vis-à-vis DORA, identifying areas necessitating further investment and prioritization. Proactively addressing these gaps positions businesses to meet more complex requirements such as supply risk management, threat intelligence, and advanced security testing, thus gaining a competitive edge in the market.
DORA marks a substantial shift for entities under ESMA or EIOPA supervision and banks already subject to existing EBA guidelines on banking supervision. Moreover, it extends its scope to encompass previously less regulated stakeholders in the financial sector, including crypto-asset service providers, intermediaries managing alternative investment funds, crowdfunding service providers, cloud-service providers, and ICT third-party service providers.
One of DORA’s key focuses is on third-party risk management, necessitating entities to ensure the resilience of their critical ICT third-party service providers. This requires close collaboration and joint efforts to satisfy regulatory expectations, particularly in supporting the delivery of essential business services.
DORA officially entered into force at the beginning of 2023, initiating a two-year implementation period. Financial entities are thus expected to achieve compliance with the regulation by early 2025. As this deadline approaches, proactive engagement with DORA compliance becomes essential to avoid penalties and maintain operational continuity.
In light of these developments, Andria Papageorgiou Law Firm is committed to assisting organizations in navigating the complexities of DORA compliance. With our outsourced DPO services and regulatory compliance consulting, tailored to address the specific requirements of DORA, we ensure that businesses are well-equipped to meet regulatory obligations and uphold operational resilience in an evolving digital landscape.
Contact us today at info@apapageorgiou.com to learn more about how we can support your journey toward DORA compliance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as financial or investment or legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
Supervisory priorities for 2024 target CIFs providing services on a cross-border basis
In a recent announcement, the Cyprus Securities and Exchange Commission (CySEC) has outlined its focus areas for 2024, intending to guide and support regulated entities amidst evolving regulatory landscapes. As trusted advisors, we aim to elucidate these priorities for our esteemed clients, including Cyprus Investment Firms (CIFs) and asset managers, providing clear guidance and actionable insights.
CySEC’s objectives for 2024 revolve around preserving market integrity and safeguarding investor interests. Informed by ongoing market evaluations and regulatory updates, these priorities serve as a compass for regulated entities, steering them towards excellence in compliance amid shifting regulatory dynamics.
A. Key Highlights:
Enhanced Supervision: CySEC stresses the significance of vigilant oversight, particularly for firms involved in cross-border activities with intricate financial products such as Contracts for Difference (CFDs). This heightened scrutiny is designed to mitigate risks and uphold market stability.
Promoting Compliance Culture: Nurturing a culture of compliance is imperative. CySEC urges firms to reinforce governance structures and control functions, fostering a sustainable approach to regulatory adherence.
Proactive Risk Management: Prompt identification and mitigation of risks are paramount. Regulated entities are encouraged to proactively address emerging threats, ensuring business resilience and investor protection.
B. Focus Areas for Regulated Entities:
Investment Services: CIFs are required to adhere to professional conduct rules, enhance organizational arrangements, and embrace technological advancements. Additionally, robust governance frameworks and proactive risk management are emphasized.
Asset Management: Asset managers should prioritize compliance with regulatory mandates, including sustainability requirements and effective asset valuation procedures. Thorough data analysis and oversight of derivative contracts are vital for maintaining financial stability.
C. What Firms Need To Do:
- Review policies, procedures and internal controls arrangements put in place to ensure compliance with the regulatory requirements.
- Implement effective and prudent management practices, with active oversight from the management body.
- Evaluate the adequacy of governance structures and the effectiveness of control functions such as compliance, internal audit and risk management.
- Improve monitoring of marketing communications.
- Implement measures to address risks in the field of ICT and prepare for compliance with DORA.
- Consider investing in technology solutions/tools that complement firms’ efforts to ensure business resilience and regulatory compliance.
D. Next Steps: Firms should expect ongoing engagement from supervisory teams on the areas mentioned above as well as specific feedback, including communication with the board of directors. CySEC aims to take, in a timely way, actions commensurate with the problems and shortcomings identified, in order to effectively prevent, mitigate or bring them to an end, treating repetition or continuation over time as aggravating factors.
Andria Papageorgiou Law Firm is a reputable firm specializing in regulatory compliance and risk management solutions. With a dedication to empowering clients through tailored strategies and innovative tools, we are poised to support our clients’ journey toward compliance excellence.
Should you have any further questions, please do not hesitate to contact us at info@apapageorgiou.com.
Updates surrounding Markets in Crypto-Assets Regulation (MiCA)
Following the recent approval of the Markets in Crypto-Assets Regulation (the “MiCA”) in June 2023 and the corresponding implementing measures that need to be prepared, we would like to draw your attention to the following news and press releases published by the European Banking Authority (the “EBA”) and the European Securities and Markets Authority (the “ESMA”) on the 12th of July 2023:
A. EBA’s publications:
- Consultation Paper on Complaints handling procedures for issuers of asset-referenced tokens (EBA/CP/2023/13);
- Consultation Paper on information for the assessment of a proposed acquisition of qualifying holdings in issuers of asset-referenced tokens under MiCA (EBA/CP/2023/14);
- Consultation Paper on EU market access of issuers of asset-referenced tokens (EBA/CP/2023/15); and
- Statement on timely preparatory steps towards the application of MiCA to asset-referenced and e-money tokens.
B. ESMA’s Consultation Paper:
- Consultation Paper on Technical Standards specifying certain requirements of MiCA (ESMA74-449133380-425)
In brief, allow us to summarise the following:
A. EBA’s News and Press:
1. Consultation Paper on Complaints handling procedures for issuers of asset-referenced tokens (EBA/CP/2023/13):
- Scope: To ensure prompt, fair and consistent handling of complaints by holders of asset-referenced tokens (the “ARTs”) and other interested parties.
- Main Provisions: It sets out definitions of complaints and complainants, requirements related to the complaints management policy and function, the provision of information to holders of ARTs, and templates and record-keeping. It then sets out requirements on the procedure for investigating complaints and for communicating the outcome of the investigation to complainants, together with specific provisions for complaints handling involving third-party entities.
- Next Steps: Comments to the Consultation Paper EBA/CP/2023/13 can be sent by clicking on the “send your comments” button on the EBA’s consultation page. The deadline for the submission of comments is on the 12th of October 2023.
2. Consultation Paper on information for the assessment of a proposed acquisition of qualifying holdings in issuers of asset-referenced tokens under MiCA (EBA/CP/2023/14):
- Scope: To regulate access to the EU market of ARTs by applicant issuers and persons intending to exercise significant influence on these undertakings via the acquisition of qualifying holdings.
- Main Provisions:
- Under MiCAR, the offer to the public or the admission to the trading of an ART is reserved for legal persons or other undertakings established in the EU subject to the authorisation and approval of the publication of a white paper. The draft RTS on information for authorisation lay down the information requirements to be included when applying for such an authorisation. The information requirements cover the business model, and internal governance, including ICT risk management, liquidity, the reserve of assets, sufficiently good repute of the members of the management body, and of shareholders with qualifying holdings.
- The draft ITS set out the standard application letter, and the application template and clarify the process relating to the assessment of completeness of the application by the competent authority. As credit institutions are only required to receive approval to publish a white paper, the draft RTS and ITS do not apply to credit institutions.
- Consistent with the general regime applicable in the financial sector, MiCAR envisages a prudential assessment by competent authorities for the acquisition of qualifying holdings in issuers of ARTs that are not credit institutions. The draft RTS on the detailed content of the information to be included in the notification for the proposed acquisition clarifies the information requirements that are necessary for such an assessment.
- This information covers five criteria relating to (a) the reputation of the proposed acquirer, (b) the suitability of any person who will direct the target undertaking, (c) the financial soundness of the proposed acquirer, (d) the sound and prudent management of the target undertaking following the acquisition and (e) suspicion that money laundering or terrorist financing is committed or attempted or that it may increase following the acquisition.
- Next Steps: Comments to the consultation paper can be sent by clicking on the “send your comments” button on the EBA’s consultation page. The deadline for the submission of comments is 12 October 2023.
3. Statement on timely preparatory steps towards the application of MiCA to ARTs and e-money tokens (the “EMTs”):
- Scope: To encourage timely preparatory actions ahead of the application of MiCA, with the objectives of reducing the risk of potentially disruptive and sharp business model adjustments at a later stage, fostering supervisory convergence, and facilitating the protection of consumers.
- Content:
- The Statement includes ‘guiding principles’ to which financial institutions (and other undertakings) carrying out ART/EMT activities are encouraged to have regard until the application date (disclosures to, and fair treatment of, potential acquirers and holders of ARTs and EMTs, the business model, sound governance, including effective risk management, reserve, recovery and redemption arrangements, and communications with the relevant competent authority).
- The Statement is accompanied by a template that financial institutions (and other undertakings) intending to carry out, or carrying out, ART/EMT activities, are encouraged to communicate, on a timely basis, to the relevant competent authority.
B. ESMA’s Consultation Papers:
ESMA published a same-day press release in relation to the launch of the first of three consultation packages (the “ESMA Consultation Paper”) on the technical standards specifying certain requirements of MiCA.
- Scope: Through the aforesaid consultation paper, ESMA is seeking input on proposed rules for CASPs related to their authorisation, the identification and management of conflicts of interest, and the procedures by which CASPs should address complaints. The aim of the ESMA Consultation Paper is to collect views, comments and opinions from stakeholders and market participants regarding the appropriate implementation of MiCA.
- Main Provisions:
- Provision of crypto-asset services by certain financial entities (Article 60): specifies the notification requirements that certain financial entities intending to provide crypto-asset services must take into account when submitting the notification to the NCA of their home Member State (e.g. programme of operations, description of the internal control mechanisms relating to AML/CFT obligations, description of the procedure for the segregation of clients’ crypto-assets and funds, etc.).
- Content of templates for the application for authorisation (Article 62): sets out the requirements related to the application for authorisation as a CASP, as well as the information to be provided with the application submitted to the NCA of the applicant’s home Member State (e.g. programme of operations, description of the CASP’s governance arrangements, description of the procedure for the segregation of clients’ crypto-assets and funds, etc.).
- Complaints-handling procedures of CASPs (Article 71): provides the requirements that CASPs shall follow when establishing and maintaining effective and transparent procedures for the prompt, fair and consistent handling of complaints received from clients (e.g. the client’s ability to file a complaint free of charge).
- Identification, prevention, management and disclosure of conflicts of interest by CASPs (Article 72): clarifies the policies and procedures that CASPs shall implement and maintain in order to identify, prevent, manage and disclose any conflict of interest, and to disclose to their clients the general nature and sources of conflicts of interest as well as the steps taken to mitigate them.
- Assessment of an intended acquisition of a qualifying holding in a CASP (Article 83(4)): a natural or legal person who intends to acquire or increase a qualifying holding in a CASP shall notify the relevant NCA, providing the specific information required for the NCA to assess the proposed acquisition or increase of the qualifying holding.
- Next Steps: Comments on the ESMA Consultation Paper can be sent by clicking the heading ‘Your input – Consultations’. The deadline for the submission of responses/comments is the 20th of September 2023.
ESAs public consultation on DORA
We would like to draw your attention to the fact that the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched yesterday, the 19th of June 2023, a public consultation on the first batch of policy products under DORA.
This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). These technical standards aim to ensure a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.
DORA entered into force on the 16th of January 2023 and will apply from the 17th of January 2025, aiming to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities.
This regulatory framework covers key areas such as:
- ICT risk management,
- ICT-related incident management and reporting,
- digital operational resilience testing and
- management of ICT third-party risk.
DORA has mandated the ESAs to jointly develop a total of 13 policy instruments in two batches. The first batch of technical standards consists of the following:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information;
- RTS to specify the policy on ICT services performed by ICT third-party providers.
The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024.
Comments on this consultation can be sent to the ESAs by the 11th of September 2023.