ESMA’s Communications on DORA, MiCA, and EU-SCICF

Alberto Borri – Lexify 21.08.2024

Connect with the Author

Email: [email protected] LinkedIn: LinkedIn Profile

Introduction

The July 2024 newsletter issued by the European Securities and Markets Authority (“ESMA”)[1] highlights significant updates regarding regulatory frameworks affecting the financial and crypto-asset sectors. This analysis focuses on three key regulatory initiatives: the Digital Operational Resilience Act (“DORA”), the Markets in Crypto Assets Regulation (“MiCA”), and the newly established EU Systemic Cyber Incident Coordination Framework (“EU-SCICF”). These frameworks introduce stringent requirements for operational resilience, consumer protection, and the management of systemic risks across financial markets. The objective of this article is to explore the implications of these updates and assess the necessary compliance measures for entities operating within these regulatory environments.

1. MiCA and Global Crypto Firms’ Use of Non-EU Execution Venues

The newsletter outlines ESMA’s concerns regarding global crypto firms seeking authorization under MiCA while retaining substantial parts of their activities outside EU regulatory oversight. This issue primarily involves crypto brokers routing orders through non-EU intra-group execution venues. Such practices present risks, including diminished consumer protection, regulatory arbitrage, and an unlevel playing field compared to fully regulated EU execution venues.

1.1. Regulatory Arbitrage and Market Integrity:

MiCA establishes a comprehensive framework for regulating crypto-asset service providers (“CASPs”) within the EU. The partial integration of global crypto firms into this regulatory environment while maintaining non-EU operations creates challenges in ensuring market integrity. The use of non-EU execution venues that operate outside the EU regulatory perimeter may result in inconsistent application of MiCA’s obligations, undermining regulatory objectives.

1.2. Consumer Protection and Best Execution:

MiCA’s framework emphasizes protecting consumers through stringent requirements for best execution and transparency. Routing orders to non-EU venues introduces risks where those venues are not subject to the same regulatory standards as EU-based entities, potentially exposing investors to reduced protections. Such practices may conflict with MiCA’s goals of ensuring fair treatment and transparency for consumers.

1.3. Governance and Conflicts of Interest:

MiCA includes robust governance obligations to manage conflicts of interest, particularly in complex group structures. The involvement of non-EU entities in execution activities raises questions about whether these structures prioritize group interests over client interests. ESMA’s recommendation for case-by-case assessments by National Competent Authorities (“NCAs”) is intended to ensure that such structures comply with MiCA’s requirements.

1.4. Structural Reviews of Intra-Group Operations:

Crypto firms should conduct detailed reviews of their intra-group structures to ensure that routing mechanisms and execution activities do not circumvent MiCA’s obligations. These reviews should assess the regulatory status of non-EU entities and determine whether they align with MiCA’s standards.

1.5. Strengthened Governance Mechanisms:

Organizations must implement governance frameworks that provide clear oversight of intra-group activities. Such frameworks should include mechanisms for managing conflicts of interest and ensuring that all execution venues, whether EU-based or not, adhere to MiCA’s transparency and consumer protection requirements.

1.6. Proactive Engagement with NCAs:

Given the complexities involved, early engagement with NCAs is recommended to clarify regulatory expectations and demonstrate adherence to MiCA’s principles. Such engagement can help mitigate potential compliance risks and align firm practices with the evolving regulatory landscape.

2. Digital Operational Resilience Act and Policy Updates

ESMA, in collaboration with the European Supervisory Authorities (“ESAs”), has published a second batch of policy products under DORA. These updates aim to bolster digital operational resilience across the EU financial sector by introducing standardized requirements for ICT incident reporting, threat-led penetration testing (“TLPT”), and subcontracting of critical ICT services. DORA’s overarching objective is to ensure the continuous operation of financial services amid growing digital threats.

2.1. ICT Incident Reporting and Regulatory Compliance:

DORA establishes detailed requirements for the reporting of ICT-related incidents, including the format, content, and timelines for such reports. Financial institutions must have robust systems in place to detect, manage, and report incidents in accordance with these standards. Failure to meet reporting obligations could lead to regulatory scrutiny, penalties, and operational risks.

2.2. Threat-Led Penetration Testing (TLPT):

DORA mandates the implementation of TLPT to simulate advanced cyber threats and assess the resilience of ICT systems. The framework includes specific requirements for conducting these tests, including the involvement of joint examination teams (JETs) and detailed guidelines on testing criteria. TLPT is an essential element in ensuring that financial entities can identify and mitigate cybersecurity vulnerabilities.

2.3. Subcontracting and Third-Party Risk Management:

The updated regulatory technical standards (“RTS”) under DORA introduce stringent conditions for subcontracting critical ICT services. Financial entities must carefully assess third-party risks, maintain control over outsourced services, and ensure compliance with DORA’s obligations throughout the lifecycle of contractual arrangements. Effective management of these risks is crucial to maintaining operational resilience and protecting sensitive data.

2.4. Establishing Incident Reporting Protocols:

Organizations should update their internal reporting frameworks to comply with DORA’s ICT incident reporting standards. This includes automating reporting mechanisms to ensure timely submissions and developing protocols for escalating incidents to relevant authorities. Legal and compliance teams should work closely with IT departments to establish seamless reporting processes.

2.5. Implementing TLPT Programs:

Firms should prioritize the development and execution of TLPT programs that align with DORA’s requirements. These programs should be regularly tested, and results documented in a manner that satisfies regulatory expectations. Engaging with NCAs and participating in joint examinations are essential steps in ensuring compliance.

2.6. Strengthening Subcontracting Controls:

Financial institutions must reassess their third-party vendor relationships to ensure that subcontracting arrangements comply with DORA. This involves revising contracts to include specific provisions on risk management, monitoring, and exit strategies. Continuous oversight of third-party performance is critical for maintaining control over outsourced services and ensuring compliance with DORA’s requirements.

3. EU Systemic Cyber Incident Coordination Framework (EU-SCICF)

The introduction of the EU Systemic Cyber Incident Coordination Framework (“EU-SCICF”) is a key development highlighted in ESMA’s July 2024 newsletter. The EU-SCICF, established under DORA, is designed to enhance coordination among financial authorities, stakeholders, and international bodies during systemic cyber incidents. This framework addresses gaps in existing crisis management strategies and aims to ensure a coordinated response to cyber threats that pose risks to financial stability.

3.1. Coordinated Response to Systemic Cyber Incidents:

The EU-SCICF seeks to harmonize crisis management approaches across the EU by establishing a framework for coordinating responses to large-scale cyber incidents. This initiative involves the creation of a Secretariat, a Crisis Coordination Unit, and a Forum for testing and refining the framework’s operational readiness. Financial institutions are expected to align their internal crisis management strategies with the EU-SCICF’s protocols.

3.2. Legal and Operational Hurdles:

Implementing the EU-SCICF involves overcoming various legal and operational challenges, particularly those related to cross-border coordination and jurisdictional authority. Data-sharing agreements, communication protocols, and decision-making processes must be aligned across jurisdictions to facilitate effective coordination during crises.

3.3. Enhanced Incident Reporting and Crisis Management:

DORA’s integration with the EU-SCICF reinforces the importance of standardized incident reporting and crisis management practices. Firms must ensure that their reporting mechanisms are compatible with the EU-SCICF and that they are prepared to participate in coordinated response efforts during a systemic cyber incident.

3.4. Aligning Internal Crisis Management Protocols:

Organizations should update their internal crisis management frameworks to reflect the protocols established under the EU-SCICF. This includes training personnel on the framework’s procedures, ensuring that internal processes are consistent with the EU-SCICF’s requirements, and preparing for coordinated actions during major cyber incidents.

3.5. Participating in EU-SCICF Initiatives:

Firms should actively engage with the EU-SCICF Secretariat and participate in forums and testing exercises. Such involvement is critical for aligning internal processes with the broader European coordination efforts and for staying informed of evolving best practices.

3.6. Enhancing Cross-Border Coordination Mechanisms:

Given the cross-border nature of systemic cyber risks, organizations must strengthen their ability to coordinate with entities across multiple jurisdictions. This involves improving data-sharing capabilities, establishing clear communication channels, and ensuring that crisis management strategies are compatible with both EU and international standards.

Conclusion

The updates from ESMA underline the increasing complexity of the regulatory environment for financial institutions and crypto firms operating within the EU. MiCA and DORA introduce rigorous requirements aimed at enhancing consumer protection, market integrity, and operational resilience. The establishment of the EU-SCICF further underscores the need for coordinated responses to systemic cyber risks.

Entities must adapt quickly to these evolving regulatory demands by implementing proactive compliance strategies, conducting regular audits, and engaging with relevant authorities. Compliance with MiCA, DORA is not only necessary for mitigating legal risks but also critical for ensuring stability and trust in the European financial ecosystem. Continuous monitoring of regulatory developments and prompt alignment of internal practices will be essential for long-term success in this dynamic environment.


[1] ESMA, Spotlight on Markets – July 2024, “What’s next for MiCA and Dora?” see https://www.esma.europa.eu/contact-help/newsletter


Connect with Us

Thank you for taking the time to read our article. We hope you found it informative and engaging. If you have any questions, feedback, or would like to explore our services further, we’re here to assist you.

Contact Information

For inquiries about our legal assistance, please contact us:

  • Phone: +41 77 461 38 47

Follow Us

Stay updated and connected with us on social media for the latest news, insights, and updates:

Nach oben scrollen