London partner Nathaniel Lalone, Financial Markets and Funds, was quoted in a Risk.net article about an EU consultation that set out criteria for identifying a critical third-party technology vendor under the Digital Operational Resilience Act (Dora). A Dora systemic determination under these criteria, which could catch cloud services, data vendors and software providers alike, "could result in direct supervision of such tech firms by financial regulators," with cloud-based systems as the most likely target.
Any vendor designated as critical would also be subject to the European Supervisory Authorities' "power to ask vendors for information, assess their security and resiliency, seek remedies for any deficiencies, and ultimately penalize them if they do not comply," as noted in the article.
"The uncomfortable truth is that an evaluation of service providers along these lines has never been done before, meaning that neither regulators nor market participants themselves can comfortably claim they have the full picture of the market's reliance on any given set of providers," Nathaniel said. "Everyone is operating based on anecdotal evidence or surmise, so the proposed framework is an important step in plugging that gap in our knowledge." He added that the framework is still "preliminary," with more details to come on how criticality will be determined.
"Dora 'critical tech vendor' designation could cast a wide net" *Risk.net, June 12, 2023
*Subscription may be required for article access.
London
