RegCORE – Client Alert | EU Digital Single Market
QuickTake
As the events of 19 July 2024 showed, major IT outages, including those caused by a simple yet apparently defective "content update", can quickly cascade into systemic cyber incidents. The CrowdStrike "Blue Screen of Death" outage that rapidly hit industries across the world, affecting everything from cancelled flights through to a breadth of delays and disruptions across banking, payments, healthcare and shopping, has highlighted the fragility that regulatory reforms focusing on digital operational resilience aim to fix. The outage also sharpened awareness of the importance of strong coordination on responses.
As coincidence would have it, the Joint Committee of the European Supervisory Authorities (ESAs), representing the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), announced on 17 July 2024 that they will establish the EU Systemic Cyber Incident Coordination Framework (EU-SCICF). This new framework for cooperation aims to support the operationalisation of the EU's Digital Operational Resilience Act (DORA) regulatory and oversight framework.[1]
The EU-SCICF will bring together the ESAs, along with (national) competent authorities ((N)CAs), ranging from supervisory authorities through to macroprudential authorities and resolution authorities, and thus include the European Central Bank (ECB), the Single Resolution Board, the European Systemic Risk Board (ESRB) and the EU Agency for Cybersecurity (ENISA) as well as the European Commission (collectively the participating authorities).
In their announcement, the ESAs confirmed that they "will kickstart the implementation of the framework by setting up":
- the EU-SCICF Secretariat, supporting the functioning of the framework;
- the EU-SCICF Forum, working on testing and maturing of the functioning; and
- the EU-SCICF Crisis Coordination, facilitating the coordination of actions by the participating authorities during a crisis.
The ESAs will identify legal and other operational hurdles encountered during the initial set up and report these to the European Commission. The further development of the EU-SCICF will be subject to the availability of resources and other measures taken by the European Commission.
This Client Alert assesses the operations of the EU-SCICF and should be read in conjunction with a further Client Alert analysing the "ESA's Final Report and Joint Guidelines on exchange of supervisory information in the context of DORA" (herein the Joint Guidelines).
Key takeaways from the announcement on the EU-SCICF
DORA introduced a pan-European oversight framework (the Oversight Framework) that applies to (i) financial sector entities'[2] dealings with, as well as (ii) the activities of, information and communication technology (ICT) third-party service providers designated as critical (CTPPs).[3] Each of the ESAs and (N)CAs has received new roles and supervisory responsibilities under DORA. The ESAs, specifically when acting as Lead Overseer (LO), are responsible for exercising oversight activities in respect of CTPPs, issuing recommendations and following up with CTPPs on these recommendations. NCAs participate in the LO's oversight of CTPPs as part of Joint Examination Teams (JETs)[4] and follow up with financial sector entities concerning the risks identified in the respective recommendations.
After identifying a shortfall in crisis management frameworks that could lead to a lack of financial sector coordination in the event of a significant cross-border ICT incident, the ESRB published Recommendations.[5] In that publication the ESRB encouraged the ESAs to build on the role foreseen in DORA and gradually develop a pan-European systemic cyber incident coordination framework, which is now set to take the form of the EU-SCICF.
As a first step towards putting the Recommendation into practice, the ESAs, the ECB and the Member States (through their relevant NCAs) were required, during July 2023, to designate a main point of contact for the EU-SCICF and to inform the Secretariat of the ESAs of this designation. This point of contact is to facilitate the development of the framework and will be involved in the systemic ICT crisis management process of the EU-SCICF.
On 5 June 2024, the ESAs and ENISA signed a multilateral Memorandum of Understanding[6] to strengthen cooperation and information exchange. This MoU also commits the parties to develop the EU-SCICF and formalises the ongoing discussions to strengthen their already close cooperation as part of shared goals and supervisory mandates, specifically under DORA and equally on cybersecurity (including as part of the NIS2 Directive). While non-binding, the MoU does establish consistency and thus offers certainty for financial services firms in meeting their respective legislative obligations and supervisory expectations in what is becoming an increasingly complex cyber-environment subject to more intensive scrutiny.
In many ways the MoU, while quite brief in content, may serve as one bedrock of how the EU-SCICF is built. The MoU covers cooperation principles as they relate to:
- reporting of significant ICT-related incidents;
- creation of draft technical standards;
- platforms for cross-sector sharing of best practices; and
- the exchange of technical knowledge and "hands on" experience regarding oversight tasks.
ENISA aims to involve the various supervisory bodies in working together on the implementation of effective instant reporting procedures for the EU financial sector. In order to facilitate instantaneous reporting, ENISA will assist with the implementation of an IT solution that is based on the agency's cyber incident reporting and analysis system (CIRAS) tool.
To fulfil these responsibilities, coordination, uniform capability development among the participating authorities, information and opinion sharing on cyber risk, developing technologies involving consent, and shared strategic objectives are all necessary. Although AI is not mentioned specifically among ICT risks, it is implicitly covered, and further guidelines may well be published out of the work in the context of the MoU and/or the EU-SCICF.
Under the MoU the parties have committed to setting up a single point of contact for the purpose of overseeing the MoU. This contact point will maintain a work plan that outlines the initiatives, actions and proper distribution of responsibilities among the parties and will be reported on at least once a year. It is anticipated that this will support the efforts on the EU-SCICF. A similar expectation also applies in respect of the parties' commitments under the MoU to create cooperative or bilateral service level agreements on prompt reporting, cyber security audits, trainings, or other subjects within their areas of expertise.
Key considerations and challenges for firms
DORA's regulatory requirements and the expectations set in the Oversight Framework, the Joint Guidelines and the MoU, as well as the EU-SCICF, have wide-reaching implications for both financial sector entities and CTPPs. The advent of the EU-SCICF, as the new operational forum for participating authorities focusing on tackling systemic ICT risks, is certainly timely and welcome.
The EU-SCICF also entails a number of challenges and uncertainties for the financial sector entities and their ICT third-party service providers that will be subject to its scrutiny. The EU-SCICF will need to ensure a high level of alignment and cooperation with other existing or emerging cyber resilience frameworks or initiatives at the national, regional, or global level so as to avoid duplication, fragmentation or inconsistency in the approach to systemic cyber incidents.
The EU-SCICF will also need to consider the specificities and diversity of the financial sector entities and their ICT third-party service providers, as well as the evolving nature and sophistication of the cyber threats and vulnerabilities that they face. More importantly, financial sector entities and their ICT third-party service providers will need to closely monitor the development and implementation of the EU-SCICF and its interaction with other DORA requirements, as well as with other relevant cyber resilience frameworks or initiatives.
For financial sector entities, the EU-SCICF's introduction, as well as the future evolution of its mandate, may prompt a need for some DORA-relevant firms that are of interest to the EU-SCICF to forward-plan for increased:
- coordination and response capabilities but also demands on firms as well as for overall sector resilience: in planning for as well as mitigating and managing major cyber incidents;
- collaboration in incident reaction situations: prompting for closer exchanges with participating authorities and other stakeholders with a view to coordinated action;
- alignment of incident response plans and procedures: to meet the emerging expectations of the EU-SCICF in particular on cyber-incident coordination; and
- reporting and information sharing protocols: that may be introduced as a part of the EU-SCICF's mandates and overall focus on systemic risk.
One thing that is not yet fully clear in the current announcements of the EU-SCICF is which of the participating authorities would take the lead in a coordinated response. As the events of 19 July 2024, as well as previous digital operational resilience disruptions, have proven, firms, whether directly subject to DORA and the Oversight Framework or not, will want to review their respective rights under force majeure clauses as well as definitions of liability and damages in their relevant contractual relationships. Moreover, some firms may also want to review their insurance cover in their cyber-risk as well as business interruption insurance policies.
Outlook and next steps
The announcement of both the MoU and the move to build the EU-SCICF marks a further significant step in the implementation of DORA, which will have a profound impact on the digital operational resilience of financial sector entities and their ICT third-party service providers. The EU-SCICF aims to ensure a consistent and effective application of DORA's Oversight Framework across the EU during systemic ICT crises.
What certainly remains to be seen is how the EU-SCICF will perform and evolve through actual firefighting and lessons learned, including when interoperating with other regulatory frameworks and fora. It is quite possible that the design, operation and possibly the overall mandate of the EU-SCICF may change from inception through to its steady-state maturity.
In light of these challenges, it is essential for CTPPs and financial sector entities to prepare for the entry into force of the EU-SCICF and the further operationalisation of DORA and the general Oversight Framework and to anticipate and mitigate the potential risks and impacts on their business operations and relationships.
Footnotes
1. Details on the announcement are available here along with the accompanying factsheet.
2. Financial sector entities are those entities that fall within the scope of DORA, as defined in Article 2 of the DORA and that use the ICT services provided by the CTPPs. They have to comply with DORA and the relevant financial regulations, manage their ICT third-party risk and take into account the recommendations issued by the LO.
3. CTPPs are those ICT service providers that have been designated as critical by the ESAs or have requested to be designated as such and that provide ICT services that support the supply of financial services by financial sector entities. They are subject to the oversight of the LO and have to cooperate in good faith, provide information and follow the recommendations issued by the LO.
4. See Client Alert on the composition of JETs available here.
5. Available here.
6. Details available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.