Following an uptick in market outages and cyber attacks, and given the broader impact such incidents have in a highly connected ecosystem, European regulators are tightening their oversight of third-party IT service providers.
In line with the EU’s Digital Operational Resilience Act (DORA), which comes into force from 17 January, the European Supervisory Authorities (ESAs) have decreed that national regulators must report registers of information on firms’ contractual arrangements with critical IT third-party service providers (CTPPs) from 30 April 2025.
Equity trading venues and exchanges are in the regulators’ sights as they seek to strengthen market resilience, but will be disinclined to share their third-party reliance further. Both Euronext and Deutsche Börse declined to comment on which IT providers they have critical dependence on.
“Since these registers contain confidential information, financial entities are unlikely to disclose them,” an ESMA representative told Global Trading. “As a result, the authorities with access to this data will treat it as confidential and will not make it public.”
In their reporting framework, the ESAs state that firms must annually provide regularly-maintained registers of information on their contractual arrangements with CTPPs, covering timelines, frequency and reference dates and quality assurance.
The publication follows the ESAs’ final report on draft implementing technical standards for the register reporting template, issued in January this year. In the paper, the ESAs stated that “all financial entities are required to maintain and update at entity level, at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT CTPPs”.
DORA-equivalent regulations are expected to be launched by UK regulators, as concerns around the risks that reliance on third-party providers brings increase. Earlier this month, the FCA, Bank of England and Prudential Regulation Authority confirmed that enhanced oversight would come into play from 1 January, with critical third-party services rather than the critical third parties themselves being monitored by regulators.
Under the new rules, critical third parties must provide regular assurance, information and notifications to regulators regarding their services, undergo resilience and scenario-based testing, and report any incidents that could impact its reputation or ability to provide services.
Nikhil Rathi, CEO of the FCA, commented: “The UK is not alone in addressing the risks posed by CTPPs. We have designed the CTPP oversight regime to be compatible with similar approaches in other jurisdictions where appropriate and will continue our dialogue with international counterparts to strengthen cross-border cooperation.”
©Markets Media Europe 2024
