DORA regulation: the countdown has begun


Legal column by Sébastien Praicheux, Doctor of Law, Partner (member of the Paris Bar) at the firm Norton Rose Fulbright LLP, and lecturer.

Technology reaches banking and financial players in several ways: sometimes imposed on them, it is more often an opportunity. Artificial intelligence, blockchain, growing digitization, "tokenization" and even the metaverse are only the most recent stages of a long evolution of the sector. At the same time, this dependence on technology can affect their resilience, with often serious knock-on consequences for customers: data leakage and deletion, loss of access to basic banking services, and so on.

Regulatory response

The DORA Regulation (1) offers a regulatory answer to this risk, which is heightened by the rise of digitalization, by online product offerings and, above all, by increasingly "sophisticated" cyber-attacks. Given these systemic risks, it was essential to harmonize the requirements of the Member States, some of which were previously governed by national rules such as those of the AMF General Regulation, and to ensure transparent information on cyber threats.

More than twenty thousand institutions (banks, insurers, payment institutions, etc.) are concerned by this text! They are joined by a great many information and communication technology (ICT) service providers. These include "critical" ICT providers, which are identified and supervised as such, whereas they were not when viewed through the prism of outsourcing rules. Many institutions, or groups of institutions, that are both customers of ICT service providers and ICT service providers themselves fall into both categories.

Very broad obligations

The obligations imposed on institutions are very broad. Thus, the cyber threat gives rise to a regime for reporting major ICT-related incidents. Likewise, digital operational resilience testing, including penetration testing of information systems, is required. One part of the Regulation specifically covers the management and monitoring of risk arising from third-party service providers, requiring supervision that is more granular than under the outsourcing framework. As a corollary, this entails a review of risk mapping and of all risk-management procedures across the different risk classes.

Managing technology risk requires implementing a large number of measures between now and the Regulation's entry into application in 2025 (it applies from 17 January 2025): for instance, setting up a register of information listing the various providers and contracts falling within the scope of the Regulation, distinguishing ICT services that support critical or important functions from the others, alongside the existing register of outsourced activities. Similarly, the requirement to establish a contractual framework forces players to adjust their contract templates and to negotiate the relevant clauses, which may overlap with existing outsourcing clauses.

Framework for information sharing

One of the most noteworthy features of the Regulation, however, is the development of a framework for sharing information on cyber threats between financial institutions. This project, for which precise implementing measures are still awaited, is designed to improve the detection and anticipation of such threats, and the defense against them. Incident reporting goes hand in hand with it.

DORA is in fact embedded in the very strategy of the institution. The management body approves the business continuity and recovery plan, the contractual policy and the risks it induces, and the monitoring of incidents; it approves and adjusts budgetary requirements; it ensures that lessons are systematically drawn from incidents; it oversees training obligations, which of course cover management itself; and it manages the impact on own funds (particularly in relation to operational risk mitigation measures), among other responsibilities.

Precautionary principle

On the other hand, and more conventionally, one can see in DORA a new manifestation of the rise of the precautionary principle in our law. Implementing the obligations arising from this Regulation, breaches of which are sanctioned both disciplinarily and civilly under national civil liability regimes, requires the institutions concerned to continually adjust their activities and products to their level of knowledge of technological risks. There remains, however, the related question of the insurability of technological risks, whose chronically high cost raises the question of who ultimately bears the burden of the damage. Is that not where the real challenge of resilience lies?

(1) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (the "Digital Operational Resilience Act", DORA).
