European fund and asset management association Efama has raised significant concerns over the proposed regulatory technical standards and implementing technical standards for the Digital Operational Resilience Act, the cybersecurity plan known as Dora, criticising the measures as excessively broad and disproportionate.
In a response to the public consultation launched by the European supervisory authorities, Efama takes issue with Dora’s failure to adequately incorporate the principle of proportionality. The scope of the entities subject to Dora is vast, ranging from credit and payment institutions to insurance companies and asset managers, each with differing structures, sizes, and business models.
Efama, whose Luxembourg member is Alfi, the Association of the Luxembourg Fund Industry, argues that a “one size fits all” approach will be inordinately burdensome, particularly for asset management companies.
‘Nuanced approach’ needed
“We advocate for a nuanced approach that considers an entity’s size, complexity, and criticality of systems and functions,” said Zuzanna Bogusz, regulatory policy advisor at Efama, in a statement. “Especially in ICT risk management, different entities have different risk appetites and capacities.”
Efama also criticised the complexity of the proposed templates for contractual arrangements for ICT services. It claims that the obligation to maintain these registers at both entity and consolidated levels will be an unnecessary duplication, contradicting basic standards of accountability. Efama also questioned the rationale behind keeping information on terminated contracts for a five-year period, and the inclusion of sensitive, contractual data.
“Information on ICT third-party service providers could be more efficiently provided by the service providers themselves, rather than burdening financial entities,” said Bogusz.
ICT-related incidents
While Efama appreciates the attempt to bring clarity to the classification of ICT-related incidents, it points out flaws in the proposed methodology. The draft mandates constant monitoring across various criteria, a practice that may not effectively detect major incidents and could instead dilute the focus by increasing the number of identified incidents.
“Having a high proportion of incidents classified as ‘major’ would dilute the focus on truly harmful threats,” added Bogusz. “The high degree of bureaucracy in the proposed standards undermines the goal of operational resilience.”
More consultations in the coming months
Further technical consultations on Dora are expected to be launched by the supervisory authorities in the coming months. Efama argues that the consultation is an opportunity to shift focus from bureaucratic procedures to effective risk prevention and quick response mechanisms.
“In the asset management industry, our attention should be focused on prevention, detection, and swift reaction to threats, rather than being overwhelmed by administrative tasks,” said Bogusz.
For financial professionals, the criticisms by Efama signal key concerns that could impact not only asset managers but a broader range of entities in the financial sector if the current Dora proposal moves forward without significant revisions.