Published on 13.01.2021

How Does the Digital Operational Resilience Act (DORA) Relate to Transaction Reporting?

The Digital Operational Resilience Act (DORA) is an EU regulation designed to strengthen the cybersecurity and operational resilience of financial entities within European markets. DORA requires financial entities to fortify their IT security, manage information and communication technology (ICT) risks and ensure business continuity in the face of cyber threats and technological disruptions.

DORA was introduced as part of the EU Digital Finance Package and recognises that the financial sector is heavily reliant on digital infrastructure. As financial institutions increasingly rely on technology for transaction reporting and compliance with global financial regulations, DORA ensures that these critical reporting processes remain secure and resilient to operational disruptions.

 

Why is Operational Resilience Important for Reporting Obligations?

EMIR (European Market Infrastructure Regulation), the US Commodity Futures Trading Commission (CFTC) under the Dodd-Frank Act, the Australian Securities and Investments Commission (ASIC) and the Swiss Financial Market Infrastructure Act (FinfraG) mandate transaction reporting to improve transparency in the OTC derivatives market. Since reporting obligations rely on ICT systems, DORA plays a key role in ensuring these systems can operate uninterrupted.

The clearing obligations for OTC derivatives and transaction reporting requirements are interconnected. Under EMIR:

      • Clearing obligations require that certain OTC derivatives transactions be cleared through CCPs to reduce counterparty risk
      • Transaction reporting obligations require that all derivatives transactions are reported to trade repositories (TRs)

Both of these functions depend on a robust ICT infrastructure to maintain secure systems that are resilient to disruption. If CCPs, TRs or individual firms face system outages or IT failures, this could lead to regulatory non-compliance, which in turn could cause financial losses and potential regulatory penalties.

 

The Impact of DORA on Transaction Reporting

DORA impacts transaction reporting in 3 key ways:

      • Incident Reporting Requirements
      • Third-Party ICT Risk Management
      • Resilience Testing for Reporting Systems

 

Incident Reporting Requirements

DORA mandates that financial entities classify and report all ICT-related incidents by categorising the severity, scope and impact of each event. Key requirements include immediate notification to regulators if reporting structures are compromised and an assessment of the impact on transaction data integrity.

Third-Party ICT Risk Management

Financial institutions increasingly rely on third-party service providers, such as cloud computing, data storage and reporting software providers, for their core operations. DORA mandates strict oversight of critical third-party ICT vendors and the creation of comprehensive registers of third-party ICT providers to provide full transparency over vendors.

Resilience Testing for Reporting Systems

To prevent disruptions in transaction reporting, DORA requires regular digital operational resilience testing. This includes Threat-Led Penetration Testing (TLPT) for certain firms, based on a local authority-led approach by way of threshold; enhanced backup and recovery procedures; and simulated stress tests and scenario analysis to prepare for potential ICT disruptions.

 

How DORA Aligns with Other Global Regulators

DORA is an EU regulation, but it also aligns with global regulatory regimes as follows:

 

EMIR (EU) and FinfraG (Switzerland)

EMIR and FinfraG mandate the reporting of OTC and exchange-traded derivatives to a trade repository (TR) by the end of the next working day (T+1). Although this is not exactly real-time reporting, the margins are very stringent, so ICT resilience is necessary to ensure accurate and timely reporting.

 

CFTC under Dodd-Frank Act (US)

The Dodd-Frank Wall Street Reform and Consumer Protection Act enhanced the authority of the CFTC to oversee the swaps market. The CFTC has implemented regulations that include requirements for swap dealers to maintain robust cybersecurity measures to protect against operational risk. This emphasis on market stability, and on ICT security as part of it, aligns with the key aims of DORA.

 

ASIC (Australia)

ASIC also emphasises the importance of financial market stability and expects financial institutions to manage cyber risks effectively to ensure the integrity of the financial system. This is very much in alignment with the enhanced measures under DORA and the expectation that individual firms take responsibility for compliance and third-party monitoring.

DORA aims to strengthen the operational resilience of financial entities within the EU by setting comprehensive requirements for ICT risk management, incident reporting and third-party oversight. In doing so, DORA enhances the reliability of the reporting systems of individual firms, which contributes to improved market transparency and protection against cybersecurity threats.

With the strict enforcement and oversight of DORA, financial entities should evaluate their ICT strategies and response plans to align with the new requirements to safeguard the integrity of transaction reporting in global financial markets.