SAFE Finance Blog
31 Jul 2024

The SAFE Regulatory Radar in July

Updated technical standards under the Digital Operational Resilience Act and detailed integration of EBA modifications into the Banking Package

At the end of each month, the SAFE Regulatory Radar highlights a selection of important news and developments on financial regulation at the national and EU level.

DORA: Updated technical standards

On 17 July 2024, the three European Supervisory Authorities EBA, EIOPA, and ESMA (ESAs) published the second package of policy products under the Digital Operational Resilience Act (DORA), following the first package in January 2024. The package consists of four Regulatory Technical Standards (RTS), one set of Implementing Technical Standards (ITS) and two policy guidelines aimed at promoting digital operational resilience. The publication follows a targeted stakeholder consultation for all standards and guidelines. Specifically, the package consists of the following draft sets of standards:

  • The RTS for Threat-Led Penetration Testing (TLPT): TLPT is a type of cybersecurity assessment that evaluates the security resilience of financial entities by simulating cyber-attacks. The RTS specify TLPT requirements (e.g., frequency of at least once every three years, sufficient scope and coverage, independence of test providers) as well as a standardized testing methodology and reporting.
  • RTS and ITS for Information and Communication Technology (ICT), i.e. Internet, wireless networks, cell phones, which aim to harmonize and improve the reporting of ICT-related incidents across financial entities: Financial entities shall report ICT-related incidents, such as cyber-attacks, data breaches, or system failures, to the responsible supervisory authorities within specified timeframes: initial notifications within 4 hours of classification, intermediate reports within 24 hours, and final reports within one month. The documents also establish rules for feedback, implementation and compliance for financial entities.
  • RTS on the conduct of oversight activities and RTS on the conduct of oversight activities under Art. 41(1)(c) DORA: These harmonize the obligations of critical third-party service providers, such as cloud service providers, payment processors or IT service providers, vis-à-vis the respective supervisory authorities. These providers must comply with transparency and information sharing obligations, grant supervisory authorities unrestricted access to premises, systems, and data, report ICT-related incidents in accordance with the respective standards, and designate specific contact points to liaise with supervisory authorities. The RTS on Art. 41(1)(c) DORA specify the criteria for determining the composition of Joint Examination Teams (JET) for ICT third-party service providers set up by the European Supervisory Authorities (ESAs) and competent authorities.

While the guidelines have been adopted by the Boards of Supervisors of the ESAs, all draft technical standards are now submitted to the European Commission, which will review them before publishing them after a maximum period of three months.

Banking Package: Detailed integration of EBA updates

The European Banking Authority (EBA) has published the Banking Package with three detailed amendments to Regulatory Technical Standards and a framework. Specifically, it contains updates to the

  • Materiality of Market Risk Model: The final Regulatory Technical Standards (RTS) assess the materiality of extensions of, and changes to, internal models for market risk. These standards, which are part of the Fundamental Review of the Trading Book (FRTB) framework, differentiate between material and non-material changes, requiring approval for the former and notification for the latter. The RTS include qualitative and quantitative conditions to ensure rigorous regulatory oversight and consistency in risk management practices.
  • Extraordinary Circumstances for Internal Models: The final draft Regulatory Technical Standards (RTS) aim at identifying extraordinary circumstances for continuing the use of internal models for market risk. These standards provide guidelines for when banks can deviate from standard requirements during significant disruptions, ensuring stability and compliance with the Capital Requirements Regulation (CRR).
  • Counterparty Credit Risk Standards: EBA has issued amendments to the Regulatory Technical Standards (RTS) on the standardized approach for counterparty credit risk (SA-CCR). These amendments introduce specific formulas for the calculation of the supervisory delta of options and address issues related to negative interest rates and commodity prices.
  • Supervisory Reporting Framework Updates: EBA has updated its supervisory reporting framework to align with the latest Capital Requirements Regulation (CRR3) and Basel III reforms. These updates include changes to the reporting requirements for the output floor, credit risk, market risk, Credit Valuation Adjustment (CVA) risk, leverage ratio, and the transitional treatment of crypto assets. The aim is to improve the consistency and effectiveness of supervision across EU financial institutions.

Each update aligns with the Basel III standards and the CRR, supporting the overarching goals of the EU Banking Package to strengthen financial stability. The Banking Package has been evaluated in a SAFE Finance Blog.

Public consultations

  • European Securities and Markets Authority (ESMA): Consultation on Liquidity Management Tools for funds. The deadline is 8 October 2024.
  • ESMA: Consultation on reporting requirements and governance expectations for some supervised entities. The deadline is 18 October 2024.
  • ESMA: Consultation on rules to recalibrate and further clarify the Central Securities Depositories Regulation (CSDR) Refit framework. The deadline is 9 September 2024.
  • ESMA: Consultation package with the objective of increasing transparency and system resilience in financial markets. The deadlines are 15 September 2024 and 15 October 2024.
  • ESMA: Consultation on firms’ order execution policies under MiFID II. The deadline is 16 October 2024.
  • European Banking Authority (EBA): Consultation to assess the materiality of CVA risk exposures arising from securities financing transactions. The deadline is 8 October 2024.
  • EBA: Consultation on draft Guidelines on reporting requirements to assist competent authorities in their supervisory duties and significance assessment under MiCAR. The deadline is 15 October 2024.
  • EBA: Consultation on amending its technical standards on the joint decision process for internal model authorisation. The deadline is 16 October 2024.
  • EBA: Consultation on the Handbook on independent valuers for resolution purposes. The deadline is 19 September 2024.
  • European Supervisory Authorities (ESAs): Consultation on Guidelines under the Markets in Crypto-Assets Regulation. The deadline is 12 October 2024.

Vincent Lindner is Co-Head of the SAFE Policy Center.

Jonas Schlegel is Co-Head of the SAFE Policy Center.