Nos derniers articles

The paper 𝙏𝙝𝙚 𝙍𝙚𝙜𝙪𝙡𝙖𝙩𝙞𝙤𝙣 𝙤𝙛 𝘿𝙖𝙩𝙖 𝙋𝙧𝙞𝙫𝙖𝙘𝙮 𝙖𝙣𝙙 𝘾𝙮𝙗𝙚𝙧𝙨𝙚𝙘𝙪𝙧𝙞𝙩𝙮 by Jasmin Gider (Tilburg University - Tilburg University School of Economics and Management), Luc Renneboog (Tilburg University - Department of Finance), and Tal Strauss (European Central Bank ECB) compares and contrasts the regulatory landscapes of data privacy and cybersecurity in the EU and the US. It outlines the fragmented nature of US regulations, often relying on state-specific laws and sectoral approaches, in contrast to the EU's more unified framework like 𝗚𝗗𝗣𝗥 and 𝗡𝗜𝗦 Directives. The text details the increasing costs and frequency of cyber incidents, emphasizing the insufficient mandatory disclosure requirements in both regions. Furthermore, it identifies gaps in current legislation and ongoing efforts, such as the 𝗘𝗨'𝘀 𝗖𝘆𝗯𝗲𝗿 𝗥𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲 𝗔𝗰𝘁 and the US.'s 𝗖𝗜𝗥𝗖𝗜𝗔, to enhance 𝗱𝗶𝗴𝗶𝘁𝗮𝗹 𝗿𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲 and address underinvestment in 𝗰𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆.

The ESAs DORA guide explains the framework's objectives, principles, structure, activities, processes, and expected outcomes. It covers CTPP designation based on criticality, risk assessment, and detailed oversight activities including ongoing monitoring, requests for information, general investigations, and inspections. The document also outlines the issuance of non-binding recommendations for identified deficiencies and subsequent follow-up procedures to ensure compliance, ultimately aiming to enhance digital operational resilience and financial system stability across the EU.

These proposed guidelines update the 2019 EBA Guidelines on Outsourcing to align with the Digital Operational Resilience Act (DORA). Key aspects include:
◾ 𝗥𝗶𝘀𝗸 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸: Financial entities must assess, monitor and mitigate risks throughout the third-party arrangement lifecycle, including due diligence, contractual phases and exit strategies.
◾ 𝗣𝗿𝗼𝗽𝗼𝗿𝘁𝗶𝗼𝗻𝗮𝗹𝗶𝘁𝘆 𝗣𝗿𝗶𝗻𝗰𝗶𝗽𝗹𝗲: The guidelines provide specific criteria for applying proportionality, limiting documentation burdens on financial entities and authorities.
◾ 𝗖𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝗰𝘆 𝘄𝗶𝘁𝗵 𝗗𝗢𝗥𝗔: A single register can be used for both ICT and non-ICT services, streamlining information storage and reducing administrative burdens.
◾ 𝗧𝗿𝗮𝗻𝘀𝗶𝘁𝗶𝗼𝗻 𝗣𝗲𝗿𝗶𝗼𝗱: Financial entities have two years to review and amend existing arrangements and update their registers.

The consultation runs until October 8, 2025, allowing stakeholders to provide feedback on the draft guidelines.

Cette cartographie annuelle des risques, souligne la résilience des marchés financiers malgré un contexte mondial incertain marqué par des tensions géopolitiques et commerciales. L'AMF constate une volatilité accrue sur toutes les classes d'actifs qui devrait persister. Les prévisions de croissance mondiale ont été revues à la baisse. Bien que les marchés aient fait preuve de résilience face aux ajustements récents, des risques de correction futurs subsistent. La gestion d'actifs française a bien résisté, mais l'AMF reste vigilante sur les fonds immobiliers commerciaux et les actifs illiquides. Les cyberattaques sont en hausse, et l'entrée en vigueur du règlement DORA vise à renforcer la résilience opérationnelle.

Insurance Europe advocates for simplifying EU digital regulations, including the Cybersecurity Act and upcoming digital omnibus initiatives, to alleviate compliance burdens. The organization seeks to reduce overlaps and duplications in cybersecurity reporting, particularly under DORA, GDPR, and other horizontal legislations. They propose aligning cyber reporting mechanisms and centralizing notifications to multiple national agencies. Additionally, Insurance Europe supports stakeholder involvement in cybersecurity certification development, emphasizing that certification should remain voluntary. Concerns have been raised regarding the European Cybersecurity Certification Scheme for Cloud Services (EUCS), specifically regarding a lack of transparency and the inclusion of sovereignty requirements that could limit service provider choice and increase costs for insurers.

The German and European banking sector is undergoing rapid transformation due to digitalization, ESG integration, regulatory changes, demographic shifts, and increased competition from FinTechs. Key challenges include managing complexity, leveraging AI and data, optimizing business models, and ensuring resilience and security. Banks must adapt quickly to survive, with successful integration of AI and ESG being crucial. Consolidation and evolution towards technology-driven or platform-based approaches are likely. Banks face a "transformation trilemma" of managing digital, regulatory, and ESG changes while maintaining profitability.
THE PAPER IS IN GERMAN

« Dans le contexte de la mise en œuvre de DORA, l’ACPR vient, à travers la mise à jour de sa FAQ, préciser certaines informations relatives aux nouvelles obligations qui s’appliquent aux entités financières concernant notamment : les modalités de remise du registre d’information, la réalisation de tests d’intrusion ou le champ d’application de cette nouvelle règlementation. »

« Le règlement européen sur la résilience opérationnelle numérique du secteur financier (DORA) établit un cadre commun pour la gestion des risques liés aux technologies de l'information et de la communication (TIC). Il définit des règles en matière de cyber-sécurité et de gestion des risques informatiques qui s’appliquent à un grand nombre d’entités financières. »

The EBA amended its ICT and security risk management guidelines due to DORA. The guidelines now apply only to entities covered by DORA (credit institutions, payment institutions, etc.) and focus solely on payment service user relationship management. PSD2 security and operational risk requirements still apply to other payment service providers not under DORA.

The ESAs report explores centralizing ICT incident reporting for the financial sector under DORA. Three models are considered: baseline, enhanced sharing, and full centralization. The report, developed with input from various stakeholders, aims to inform future decisions on incident reporting centralization.