Digital operational resilience for crowdfunding service providers to further professionalise the sector as of 2025
On 16 January 2023, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) entered into force; it will be applicable as of 2025 to all ECSPR-licensed crowdfunding service providers (CSPs). EUROCROWD has been monitoring the developments of the regulation and welcomes its stringent focus on professional conduct within the financial sector.
The regulation creates a harmonised framework for digital operational resilience for European financial institutions across different licensing regimes, including ECSPR, regarding information and communication technologies. Its application will cover all authorised European financial entities and be applicable to core third-party technology service providers.
With regard to the emerging professional crowdfunding sector, we welcome the included principle of proportionality under which compliance with DORA is related to the size and overall risk profile of the CSP, as well as the nature, scale and complexity of their services, activities and operations.
Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into account the significant differences between financial entities in terms of their size and overall risk profile. As a general principle, when distributing resources and capabilities for the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations, while competent authorities should continue to assess and review the approach of such distribution.
Recitals (36), Regulation (EU) 2022/2554
DORA includes detailed rules for all EU-licensed financial entities and critical third-party ICT service providers. Regarding crowdfunding, this will especially be relevant for white-label or other critical ICT infrastructure providers. Overall, DORA should notably impact CSPs' governance structures and processes, including integrating management bodies into ICT risk management. EUROCROWD advises its members to take note of the implementation timeframe for revising internal procedures to ensure appropriate compliance.
DORA will become fully applicable across the EU on 17 January 2025. Until then, the European Supervisory Authorities will publish relevant secondary legislation specifying key provisions of DORA. In this regard, the European Commission has already clarified the scope of its Call for Technical Advice for two delegated acts.
CSPs should prepare to monitor the implementation of their digital resilience strategy, bespoke crisis communications plans and internal and external communication policies.
Key areas covered by DORA include:
- Management, classification and reporting
- Risk management and internal governance arrangements
- Digital operational resilience testing
- Management of third-party risks and oversight
- Information sharing arrangements, supervision and enforcement
- Supervision and enforcement
If you are a CSP seeking to improve your professional standards, become a EUROCROWD member and access key insights and knowledge on the industry.