'Discuss purpose and elaboration of regulations sooner'

11/07/22

EU Digital Operational Resilience Act

Regulators should consult market participants on new regulations sooner, so that there is more clarity about the interpretation of regulations and their public interest at an earlier stage. So says Anthony Kruizinga, PwC specialist in risk management and regulations. 'I think regulations can serve a very legitimate purpose to protect a public interest. However, the elaboration and implementation of rules could use improvement.' Following the publication 'Shining a spotlight on DORA', in this article Kruizinga analyses the forthcoming EU Digital Operational Resilience Act (DORA) using a framework to assess the purpose, effectiveness and efficiency of regulations.

Elaboration and implementation of regulations could use improvement

Kruizinga says he is not necessarily arguing for less regulation. 'The word lobbying has a negative connotation for some people and is often associated with attempts to weaken regulations or get them taken off the table altogether, in favour of market participants. I think regulations can in fact serve a very legitimate purpose to protect a public interest. However, the elaboration and implementation of rules could use improvement. As could its coherence with other regulations. If regulators and 'users' were to sit down together during the draft phase, this could increase efficiency and effectiveness. I think regulation is not always the right answer. Especially in situations where the market itself can also take action to protect the public interest from risks. This would make rules less necessary.'

Look at legislation in a different way

According to Kruizinga, in the course of 2022 or early 2023 at the latest, DORA will provide EU rules aimed at improved risk management in new technology, cyber attacks and dependencies on IT service providers in the financial sector. 'It is useful for everyone to look at legislation in a different way. Perhaps this will change one's opinion of that legislation. Let's face it: most institutions are not keen on new legislation, because it often has a big impact. The cost of compliance, for instance. And regulators are sometimes too quick to resort to new rules as a tool. The framework we have developed essentially offers a different perspective; an excellent reference for a conversation between - in this case - financial institutions and regulators. Hopefully, a conversation with a better outcome.'

DORA extends supervision beyond financial sector

DORA focuses mainly on the financial sector and aims to harmonise the rules on digital resilience in the European Union. The new regulation, which may be introduced at the end of this year, also imposes requirements on 'critical third parties' that provide digital information systems and services to institutions. This means that supervision is extended beyond the financial sector. Kruizinga is in favour of this development. 'Legislation is now strongly focused on the financial sector. This is potentially a first step towards more ecosystem-based thinking and it promotes a level playing field for the various parties active in the financial ecosystem.'

Protection of public interest

Anthony Kruizinga is positive about DORA in terms of protecting the public interest (steps one and two of the framework). 'Financial institutions are closely linked and of great public interest. Ensuring consumer and investor confidence in the sector is extremely important. The risk of technological disruptions resulting in the discontinuity of financial services is too great to be left entirely to the initiative of market participants.'

Digital resilience of financial organisations

Kruizinga is less positive about the intended effectiveness and efficiency of DORA. 'One of the goals of the act should be to create clarity and consistency, but I don't know if that will be achieved, because there are already many other rules that touch on the digital resilience of financial organisations. I therefore expect that there will be some confusion about what is and what is not covered by DORA. For instance about the relationship between the requirements of DORA and other regulations, and about what parties must do exactly to comply. It would be more effective and efficient to have a single, comprehensible, coherent and overarching regulatory framework for digital activities at EU level, and preferably not specifically for the financial sector but across all sectors.'

Contact us

Anthony Kruizinga

Partner, Risk & Regulation lead, PwC Netherlands

Tel: +31 (0)61 308 76 37
