BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP
In addition, financial entities will have to inform the FSMA of any new or planned agreements on the use of ICT services that support critical or important functions. Contractual provisions on the use of ICT services should include at least the following elements:

• a description of the services provided;
• a description of the locations where the services will be provided;
• the availability, confidentiality and security of the data;
• access to and return of the data;
• the relevant service levels;
• a contractual obligation to assist the customer/financial entity;
• a contractual obligation to co-operate with the FSMA;
• a contractual obligation to contribute to customer/financial entity awareness and education; and
• a right of termination and cancellation.

3.3 Key Operational Resilience Obligations

DORA aims to strengthen the digital operational resilience of the financial sector in the EU by imposing additional (cybersecurity) requirements on financial entities such as crypto-asset service providers, credit institutions and e-money providers (referred to as "financial entities" under DORA). Sector-specific requirements under DORA include obligations to design ICT risk management frameworks, report major ICT-related incidents and perform digital operational resilience testing.

DORA also requires financial entities to address and manage external sources of ICT risks that may result from their use of ICT TPSPs. To this end, financial entities are required to undertake due diligence on prospective ICT TPSPs, enter into specific contractual arrangements with ICT TPSPs, and maintain and update a register with information on their relationships with ICT TPSPs.

After collecting and analysing all relevant information, financial entities must report serious ICT-related incidents to the FSMA. This information enables the FSMA to determine the scope of the incident and its possible cross-border effects, and to communicate it to other supervisors and authorities concerned.

The reporting of serious ICT-related incidents involves different steps, including the submission of an initial report, an interim report and a final report. Financial entities must submit an interim report if the status or handling of the incident has changed significantly, or at the request of the FSMA. The final report contains the analysis of the underlying causes of the incident, as well as information about the actual impact of the incident.

When a serious ICT-related incident affects the financial interests of their clients, financial entities must inform them of the incident and the measures taken to mitigate any negative impact thereof.

DORA also includes a (voluntary) notification regime for significant cyberthreats – ie, cyberthreats that could result in a major ICT-related incident or a major operational or security payment-related incident. Financial entities may, on a voluntary basis, notify significant cyberthreats to the FSMA when they consider the threat to be of relevance to the financial system, service users or clients. Where appropriate, the FSMA may report that information to the other authorities and bodies concerned.