EU Authorities Challenge Commission’s Changes To DORA And MiCA Standards

October 18, 2024
The European Commission’s positions on aspects of implementing both the Digital Operational Resilience Act (DORA) and the Markets in Crypto Assets (MiCA) regulation have prompted a backlash from key European regulators.

The Commission’s rejection of the proposed Implementing Technical Standards (ITS) under DORA stems from a preference to offer financial entities the option of identifying their third-party ICT service providers registered in the EU by using either the Legal Entity Identifier (LEI) or the European Unique Identifier (EUID).

The European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), have said that the decision could introduce unnecessary complexity and hinder the effective implementation of DORA.

This comes at the same time as the ESMA has responded to the Commission taking issue with its regulatory technical standards (RTS) for the EU’s crypto framework, and potential overreaches with regard to both DORA and data minimisation.

The regulators argue that using two separate identifiers may complicate data quality, delay designations of critical third-party service providers (CTPPs) and increase reporting burdens.

The ESAs said “they see the changes as impactful for the implementation of DORA by financial entities, competent authorities and the ESAs also leading to potential increase of the overall reporting burden for financial entities”.

Although the EUID is available for free to EU-registered companies, the ESAs warn that its introduction would require significant, unforeseen implementation and maintenance efforts for financial institutions and authorities alike.

This would limit access to and verification of information, and potentially trigger delays in identifying critical ICT CTPPs.

Why use the LEI?

The LEI was introduced in 2012, following the G20's response to the financial crisis and Lehman Brothers' collapse.

Developed as part of a global system for identifying entities involved in financial transactions, the LEI has since been adopted by nearly 3m organisations across over 200 countries. Its adoption has been widely supported by global authorities, including the Commission and third countries such as the UK and US.

“The EU has significantly contributed to the adoption of the LEI for both financial and non-financial entities involved in the financial sector, especially following the adoption of Union regulations in different sectors,” the response document says.

For example, Michel Barnier, the then European Commissioner and now French prime minister, endorsed the LEI in 2011.

“We must also work together on a common system to identify the market participants. It is an area where the USA has already given [its] input, but which requires global standards,” he said.

According to the ESAs, in the EU, the LEI's use has enhanced authorities' ability to monitor systemic risks and market integrity by enabling the clear identification of parties in financial transactions, and has emerged as a vital method for analysing interconnected financial contracts and connecting datasets from various sources.

The LEI’s relatively low cost and its alignment with international data standards make it efficient for financial reporting, particularly in the context of ICT third-party service providers.

The ESAs argue that the mandatory use of LEI for financial entities and their ICT providers under DORA would promote international convergence in cybersecurity and operational resilience.

According to their response, the ESAs have found no viable alternative to the LEI for achieving these goals, as many financial entities already use the LEI in supervisory reporting.

The problem with the EUID

According to the ESAs, the introduction of the EUID will impose new, unanticipated challenges for financial entities.

These include the need to modify their registers of information with additional data fields, to manually collect difficult-to-obtain data, to manage different legal entity identification standards, and potentially to have to resubmit registers due to errors arising from the use of two identifiers (EUID and LEI).

Competent authorities will also face additional burdens from using both, the ESAs caution, including the need to create new processes for data quality checks and to deal with limited automated access to reference data via the business register interconnection system (BRIS).

The ESAs also warn that they themselves, alongside financial entities and national competent authorities, risk losing synergies with other financial reporting systems, requiring extra effort to maintain consistency and perform data quality checks.

In their statement, the ESAs call on the Commission to reconsider the changes or, if the EUID is introduced, ensure further adjustments to the ITS to make the system workable.

“The ESAs call for maintaining simplicity and efficiency in using the LEI as a common identifier,” the statement says.

Here, the regulators have recommended that financial entities be allowed to prioritise the use of LEI where both identifiers are available, particularly for group-level registrations, to maintain consistency.

Further, they have suggested more adjustments to the draft ITS based on feedback from financial institutions that participated in the ESAs' voluntary "dry run" of the new reporting standards.

ESMA faces MiCA blow

DORA was also one of the reasons for the Commission rejecting certain regulatory technical standards (RTS) for the MiCA regulation.

In contrast to its intervention on the DORA ITS, the Commission has suggested amendments related to cybersecurity audits, proposing that these audits be optional rather than mandatory, as outlined in DORA.

In response, the ESMA has acknowledged the legal limitations, but stressed that external cybersecurity audits are crucial for mitigating risks in the crypto sector, and recommended a requirement for cybersecurity audits or, alternatively, to allow national authorities to request them when necessary.

In its response document, the regulator argues that technology (in particular, distributed ledger technology) and IT systems are at the core of crypto-asset service providers’ activities.

It warns that “this issue is of paramount importance and raises substantial risk at the authorisation phase, which would be mitigated by performing an external auditor review, to be included in the authorisation or notification material”.

“The absence of these external audits may also lead to fragmentation across the EU, resulting from differences between NCAs and national legal frameworks,” the ESMA said.

DORA is not the only issue that the Commission has raised here: other changes made by the authority focus on aligning the RTS with the principle of data minimisation, particularly regarding the "personal history" and criminal records of members of crypto-asset service providers’ (CASPs) management bodies.

It proposes an exhaustive list of required information, limiting criminal record checks to areas directly relevant to authorisations, such as commercial law, financial services and anti-money laundering.

The ESMA agrees with these changes, but emphasises the importance of assessing the "good repute" of management members comprehensively, and recommends expanding MiCA to allow for broader checks beyond the current legal limitations.

Next steps

In their response to the Commission, the ESAs have urged the Commission to make a swift decision on the matter, with a final rule needed in time for the designation of CTPPs by 2025.

The ESAs have also used their response to the Commission to encourage financial institutions to ramp up their preparations to meet their reporting obligations under DORA, ensuring readiness by the first half of the year.

Regarding MiCA, the Commission may now adopt the two RTS with the amendments it considers relevant or reject them.

The European Parliament and the European Council also have the ability to object to an RTS adopted by the Commission within a period of three months.