.svg)
In its first Q&A on the Digital Operational Resilience Act (DORA), the European Banking Authority (EBA) has made clear that third-country branches of credit institutions are not covered by the regulation.
The question, initially submitted by a competent authority on September 4, 2023, asked whether DORA's requirements apply to third-country branches licensed as credit institutions within an EU member state.
This decision is particularly relevant to competent authorities overseeing these entities.
“It is our understanding that Credit Institutions that are third-country branches licensed in an EU country would be included in scope of the DORA Regulation and, thus, so would the requirements of the Regulation apply,” the submission says.
“We have encountered a particular situation where we have a third-country branch licensed as Credit Institutions in our EU jurisdiction,” it continues. “However, from a financial perspective, this particular branch has very limited operations in our country and the EU as a whole.”
According to the final answer published on June 28, DORA applies strictly to EU-licensed credit institutions as per Article 3(31) of DORA, which references the definition of credit institutions in the Capital Requirements Regulation. This defines "credit institutions" as those licensed within the EU.
Although the Capital Requirements Directive includes provisions for third-country branches, DORA does not specifically mention third-country branches within its scope.
Therefore, the requirements of DORA do not extend to these branches, focusing only on institutions licensed within the EU.
This clarification underscores the regulatory boundaries and ensures that third-country branches operating in the EU are not subject to the operational resilience requirements laid out in DORA.
The response, which the EBA says was penned by the European Commission, as the overseer of EU law, aims to prevent any overextension of DORA's provisions beyond its intended scope.
For EU competent authorities and third-country branches, this clarification should provide legal certainty regarding regulatory compliance, and will allow third-country branches to operate within the EU without the additional burden of adhering to DORA.
The European Commission's final answer will be instrumental in guiding competent authorities and financial institutions to navigate the incoming regulation.
Achieving robust digital infrastructure
DORA aims to establish a comprehensive framework for digital operational resilience, ensuring that all participants in the financial system can withstand, respond to and recover from all types of ICT-related disruptions and threats.
The regulation is part of the EU's broader strategy to strengthen the digital infrastructure of its financial sector, and despite the increased compliance requirements, has been largely welcomed by financial market participants across the board.
In recent months, several actions have been taken at EU level and in member states and beyond in the European Economic Area (EEA) to prepare for the regulation.
In June, the Netherlands amended the Financial Supervision Act to implement DORA, Austria introduced a draft law to implement Regulation (EU) 2022/2554 (DORA) and amend several financial acts, and the Liechtenstein Financial Market Authority published guidance for financial intermediaries on implementing DORA.
At EU level, the European Commission has published three new regulations to supplement DORA, detailing policies for third-party ICT services, outlining ICT risk management tools and specifying criteria for classifying and reporting major ICT-related incidents and cyber threats.
