EU Consultation on Financial services – Improving resilience against cyberattacks

FAA for SMEs responds to the consultation underlining that auditors should not be covered by the Regulation

15 February 2021 – EFAA for SMEs welcomes the Commission’s Proposal for a Regulation on Digital Operational Resilience for the Financial Sector

The proposal is timely and particularly relevant. Cyber breaches have become increasingly common threats for businesses in all sectors. The COVID-19 pandemic accelerated the digitalization of many businesses and a shift to remote working. This has significantly increased cybercrime and imposed significant new costs, in time and money, on businesses. Furthermore, financial entities and SMEs appear even more vulnerable to cyberattacks. The proposal is also highly relevant in the context of the EU’s vision, as articulated in the EU Green Deal, to build back the EU economy, as we emerge from the pandemic, based on a bedrock of digital and sustainable transition. 

Accountants help clients build their resilience to cyber-attacks. EFAA for SMEs underlines the key advisory role that small- and medium-sized accountancy practices (SMPs) play in guiding and serving their SME clients. This role often extends to advising them on their digitalization, and thus contributes to the resilience and stability of SMEs. SMPs are key advisors of SMEs and their advice is trusted and respected. 

While we welcome the proposed regulation, we do have some concerns.

Firstly, we believe that the proposed regulation should not cover auditors, at least not all of them. Auditors are quite different from traditional financial entities and provide very different services. For example, they provide services to their clients but have no direct involvement with their activities or processes. They simply provide assurance on a client’s financial statements and other assurance services as required by laws and regulation. Auditors are also already subject to extensive quality control and management requirements. These requirements are subject to internationally established standards which currently are in the process of being made even more robust, as explained here. If the Commission is adamant on including auditors, then we strongly recommend that this be limited to those auditors auditing financial service providers who fall within the scope of DORA. We fail to understand the need to include SMPs that provide voluntary audit to non-financial SMEs.

Secondly, if auditors are to be covered by the proposed regulation, then more work is needed to ensure that the proposed regulation is sufficiently scalable and proportionate. While we recognize the efforts made to bake proportionality into DORA, we are concerned that the proposed regulation may impose a disproportionate burden on smaller financial entities, and consequently on SMPs that perform statutory audits. We urge the Commission  to ensure that the proposed regulation is not too burdensome for these entities. It is important to always keep in mind the “think-small first” principle and the need for “smart regulation”. 

Thirdly, EFAA for SMEs invites the European Commission to recognise the key role which the accountancy profession plays in business and society through the professional services it delivers to SMEs. This role, and the quality of these services, are the result of regulated, high-quality, and continuous professional education and training together with adherence to high ethical standards. Furthermore, we strongly believe that, given the invaluable insights accountants gain into the internal control and cyber risk of their clients as well the they play in helping the digitalisation of clients, accountants and their representatives, in particular EFAA for SMEs, are uniquely placed to contribute to the development of a well-balanced DORA as well as to help build the digital resilience of SMEs. We encourage Member States to actively engage in strengthening education and training with respect to digitalisation and digital resilience and to entrust Professional Accountancy Organisations with achieving these objectives. SME access to high-quality and trusted professional advisors should also be ensured.