Source: OJ L 333, 27.12.2022, p. 1–79
Current language: EN
Article 61 Amendments to Regulation (EU) No 909/2014
Summary
What does Article 61 of the DORA regulation say?
This article is an amending provision, modifying Article 45 of Regulation (EU) No 909/2014, which governs Central Securities Depositories (CSDs).
The amendments integrate DORA's ICT requirements into the existing CSD framework, essentially carving out ICT risk management from the general operational risk provisions of the CSD regulation and redirecting it to DORA.
CSDs must now identify and minimise operational risks using ICT tools managed in accordance with DORA, and their business continuity and disaster recovery plans must explicitly include ICT-specific continuity and recovery plans as required by DORA.
Notably, ESMA is tasked with developing technical standards covering non-ICT operational risks only, with ICT risk now firmly within DORA's domain.
Important points:
- As a CSD, identify sources of operational risk and minimise their impact through ICT tools, processes and policies managed in accordance with DORA.
- Establish, implement and maintain a business continuity policy and disaster recovery plan — including ICT-specific plans under DORA — covering all securities settlement systems you operate, ensuring full recovery of transactions and participants' positions.
- ESMA is required to develop regulatory technical standards covering operational risks other than ICT risk, reflecting the clean separation between DORA and the CSD regulation.
This is Springlex's summary of the article: a reading aid, not a substitute for the legal text.
Article 45 of Regulation (EU) No 909/2014 is amended as follows:
paragraph 1 is replaced by the following:
A CSD shall identify sources of operational risk, both internal and external, and minimise their impact also through the deployment of appropriate ICT tools, processes and policies set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(42), as well as through any other relevant appropriate tools, controls and procedures for other types of operational risk, including for all the securities settlement systems it operates.
paragraph 2 is deleted;
paragraphs 3 and 4 are replaced by the following:
For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554, to ensure the preservation of its services, the timely recovery of operations and the fulfilment of the CSD’s obligations in the case of events that pose a significant risk to disrupting operations.
The plan referred to in paragraph 3 shall provide for the recovery of all transactions and participants’ positions at the time of disruption to allow the participants of a CSD to continue to operate with certainty and to complete settlement on the scheduled date, including by ensuring that critical IT systems can resume operations from the time of disruption as provided for in Article 12(5) and (7) of Regulation (EU) 2022/2554.’;
paragraph 6 is replaced by the following:
A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operates, as well as service and utility providers, and other CSDs or other market infrastructures might pose to its operations. It shall, upon request, provide competent and relevant authorities with information on any such risk identified. It shall also inform the competent authority and relevant authorities without delay of any operational incidents, other than in relation to ICT risk, resulting from such risks.’;
in paragraph 7, the first subparagraph is replaced by the following:
ESMA shall, in close cooperation with the members of the ESCB, develop draft regulatory technical standards to specify the operational risks referred to in paragraphs 1 and 6, other than ICT risk, and the methods to test, to address or to minimise those risks, including the business continuity policies and disaster recovery plans referred to in paragraphs 3 and 4 and the methods of assessment thereof.’.
Springlex note: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.