
AUSTRIA Trends and Developments

Contributed by: Markus Fellner, Florian Kranebitter and Florian Henöckl, Fellner Wratzfeld & Partners

management and ICT-related incident reporting that are more stringent than those laid down in current European Union financial services legislation. The framework aims at establishing uniform requirements in relation to the security of network and information systems with regard to:

• financial entities and their ICT risk management, major incident reporting, digital operational resilience testing, information and intelligence sharing of cyber threats and vulnerabilities;

• contractual arrangements between ICT third-party service providers and financial entities;

• an oversight framework for critical ICT third-party service providers when providing services to financial entities; and

• rules on co-operation among competent authorities and rules on supervision and enforcement by competent authorities (Article 1 of DORA).

The regulation defines digital operational resilience as the ability of a financial entity to build, assure and review its operational integrity from a technological perspective (Article 3 paragraph 1 of DORA) and requires financial entities to have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks (Articles 4 and 5 of DORA). Financial entities should be able to identify all ICT-related business functions (Article 7 of DORA), protect their ICT systems and – in particular – prevent a leakage of information (Article 8 of DORA), detect anomalous activities (Article 9 of DORA) and establish suitable ICT-related governance (Articles 11 to 15 of DORA).

The regulatory framework establishes a comprehensive and detailed system for financial entities to mitigate digital operational risk. The framework prescribes adequate ICT risk management tools, methods, processes and policies. The regulation clearly suggests that the management of financial entities invest in operational resilience and increase the size of their risk management divisions to comply with the act. In addition, there is a comprehensive reporting, information sharing and supervision requirement vis-à-vis the competent authorities in place. Whether such detailed rules will be sufficient to mitigate ICT risks remains to be seen.

Current legislative framework in Austria

The Austrian Financial Market Authority (FMA) established, in September 2020, a regulatory sandbox for fintech models. Through this, the FMA is attempting to simplify the pathway to becoming a supervised entity for young fintechs as well as incumbent players that, together with an unlicensed entity, operate fintech business models and co-operations. This is to be achieved by supporting the business model in question with close supervision and allowing its operation in a test phase. However, there is currently no specific regulation with regard to DLT or crypto-assets in place; these are now part of the new regulatory approach of the European Parliament with MiCA, DORA and the DLT-Pilot regime.

Conclusion

The European Parliament is attempting to tackle possible risks of digital innovation with a comprehensive and detailed set of rules. In alignment with previous European legislation, the proposed acts provide a detailed set of governance and supervision rules. Instead of creating a minimum standard to protect consumers and other market participants and allow business opportunities to thrive, regulatory authorities are prescribing in detail the requirements on specific topics, and monitoring and supervising the activities of supervised entities.