By Suyash Paliwal, Advisor and Former Director, Office of International Affairs, US Commodity Futures Trading Commission (CFTC)
In January 2025, the European Union’s (EU’s) Digital Operational Resilience Act (DORA) went into application. The European Supervisory Authorities (ESAs)—the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)—will ably take on the daunting task of surveying financial institutions to better understand the third-party landscape to which these institutions outsource tasks. This is an important step towards the overarching goal of further strengthening the financial sector’s operational resilience.
Operational resilience—encompassing safeguards such as business continuity as well as disaster recovery, cybersecurity, information technology (IT) security and risk management for services outsourced to or obtained from third parties—continues to be a top-of-mind goal for financial institutions and their regulators. We have seen the risks front and center in recent years. For example, in the derivatives-clearing ecosystem, which is a key focus of the US Commodity Futures Trading Commission (CFTC), we witnessed the impacts of a 2023 ransomware attack on a company that provided data-processing services to members of derivatives clearinghouses. In 2024, a key provider’s software update and resultant outage affected banks and other financial institutions that were using the provider’s technology.
The more prepared we are for 2025 and beyond, the better.
A common theme in dialogues accompanying DORA’s development—some that occurred bilaterally between the US and EU and some at the international level through forums and standard-setters—has been cross-border cooperation. Regulatory authorities globally are like-minded in seeking to avoid duplication—deferring to one another when appropriate, cooperating to make the best and most proportional use of tools, resources and information, and minimizing regulatory burdens. Industry thrives and innovation flourishes when we strike that balance right. The level playing field we achieve creates a rising tide that lifts our collective competitiveness.
A tricky issue with which the EU recently had to grapple concerned the high degree of interaction between data services (under DORA, information and communication technology [ICT] services) and financial services. Financial-services institutions are often data-rich and provide services involving data. This should almost be expected. We, as regulators, require financial institutions to report regulatory data to us and engage in public reporting to provide transparency to the markets and financial sector.
Within the CFTC’s remit, we see our regulated institutions—including clearinghouses (or central counterparties [CCPs]), exchanges, trade repositories and other market participants—providing their clients with data-related services. Operational resilience is a core part of our supervision—addressing risks to and upholding the resilience of our regulated institutions’ financial services. Depending on the institution and its structure, this can be at the level of the entity or of the enterprise (where the firm’s policies and procedures are in place). For our supervised institutions, data services intertwined with financial services may be part and parcel of those financial services.
As DORA’s application is being rolled out, the European Commission (EC) and ESAs have helpfully dispelled some confusion that had emerged on this score. As the ESAs prepared to take on their important roles under DORA, they produced guidance that addressed some of the practical aspects of fulfilling their responsibilities. Among them was clarity that the data services provided by regulated financial entities would be better treated as regulated financial services rather than ICT services. Initially, there was confusion about whether this proportional treatment applied outside of the EU. Since then, it has been clarified that financial entities regulated under the laws of a non-EU jurisdiction, including the United States, will also benefit from this treatment.
This clarification is positive and speaks well to our continued shared commitment to international comity. It avoids duplication of efforts and naturally streamlines regulatory burdens. If the financial regulator in the institution’s home country is already regulating and supervising operational resilience, it would seem disproportionate to layer on the supervision of the host country’s financial regulator.
Indeed, this is how the CFTC has approached substituted compliance in an array of settings. This aspect of our regulation and supervision allows foreign-regulated firms registered with us—and there are hundreds worldwide—to comply with the specifics and minutiae of their home countries’ laws and rules and, thereby, be treated as compliant with comparable CFTC regulations. In this way, these firms need not comply with every detail of our regulations in the United States as long as the same regulatory outcome is reached through compliance with their home countries’ rules. Our substituted-compliance framework allows us to show deference to our counterparts—our regulator peers—across the globe. We have adopted this approach towards authorities in the EU, United Kingdom, Asia-Pacific (APAC) and the Americas to address topics that include capital requirements for swap dealers, financial reporting, non-cleared swap margins and requirements for trading platforms and clearinghouses. Dovetailing with this, we have executed memoranda of understanding (MoUs) with more than 60 jurisdictions around the world, covering areas such as supervision, enforcement and fintech (financial technology).
The EU’s clarified application of DORA also coheres with the mechanics of how financial institutions provide services. Institutions’ policies and procedures are frequently applied to govern aspects of operational resilience, such as cybersecurity, third-party relationships, business continuity and disaster recovery across their suites of services. And these policies and procedures face supervisory reviews. Institutions use common technology platforms, as well as common data sources and elements, to undergird multiple service offerings—from financial services and services supporting financial services to data and data-related services.
The most recent articulation of the EU’s approach to dealing with financial entities that provide both financial and data services came around the time DORA went into application. Starting from the baseline position of data (ICT) services being construed to have a broad scope, the EU’s guidance recognizes that data services may be part of a financial service’s offering. If a regulated financial entity (whether regulated by an EU or non-EU authority) provides a data service in connection to its financial services, this data service would not be an “ICT service”—in other words, it would not be the basis for the designation of critical third-party provider (TPP) or trigger a receiving EU financial entity’s obligations under DORA.
This clarification is welcome and a forward step in an ever-strengthening path of US/EU collaboration. Our markets are deeply interconnected, and regulated financial entities on both sides of the Atlantic are among the best and most resilient in the world. A mutually beneficial outcome would be for a regulated financial entity to remain regulated with its home-country financial regulator retaining primacy. Surely, the supervision of financial entities from America should come under regulators from America first. Duplication of regulatory reach or disproportionate regulatory burdens can be problematic, particularly in achieving a regulatory objective that US financial regulators already have well in hand.
As EU and US authorities and market participants step into the post-DORA-launch landscape, there will undoubtedly be more questions to answer. How connected are a regulated financial entity’s data services and core financial services? When is a data service so far afield from the core financial service that it seems unrelated? How broadly can other services fairly be viewed as preparatory to the financial service? And more broadly, how small or large a net will be cast to catch third-party providers deemed critical?
A pragmatic approach, one that avoids regulatory duplication and market fragmentation, may prove optimal as we look to DORA’s torchbearers for cues. We must remain cognizant of the regulatory approaches that advance, not stifle, the creativity, ingenuity and alacrity shown by financial enterprises on both sides of the Atlantic in responsible innovation.
Operational resilience in financial markets is a shared goal. It calls for a collaborative approach. It is important for a financial regulator engaged in this space to consider how each authority’s rules work together in practice with the other regulators’ rules at home and abroad. Such an approach, grounded in comity and regulatory cooperation, serves not only the shared goal of operational resilience but also the broader shared goals of addressing systemic risk and fostering financial stability.
ABOUT THE AUTHOR
Prior to joining the CFTC, he served at the Federal Reserve Board, where he advised on FSB matters, represented the central bank in the International Association of Insurance Supervisors and bilateral forums, developed international and domestic approaches to the supervision of systemically important financial institutions and certain financial conglomerates (insurance savings and loan holding companies), and oversaw the supervision of large financial institutions. Prior to his government service, Mr. Paliwal practiced law at White & Case and Allen & Overy, where he advised clients on complex international legal issues and derivatives regulations. Before entering the legal profession, he worked in the financial services industry at Ernst & Young and Verisk Analytics, Inc.