DORA for Credit Rating Agencies: The Resilience Requirements Nobody Is Talking About

The Overlooked Entities
In the extensive discourse on DORA implementation, certain entity categories receive disproportionate attention: banks, payment institutions, and insurance companies dominate the conversation. Credit rating agencies — entities whose outputs directly influence trillions of euros in investment decisions, determine the cost of sovereign borrowing, and shape the regulatory capital requirements of every rated institution — have been largely absent from the discussion.
This absence is not because CRAs are unimportant. It is because the CRA industry is small in headcount, concentrated in a few entities, and already subject to a demanding supervisory regime under the CRA Regulation (Regulation (EC) No 1060/2009). ESMA directly supervises all EU-registered CRAs. The assumption — implicit but widespread — is that ESMA's existing supervision adequately covers operational resilience.
DORA challenges this assumption. Article 2(1)(q) explicitly lists "credit rating agencies" among the financial entities in scope. The regulation's requirements — ICT asset registers, formal incident reporting, resilience testing programmes, third-party governance, and board reporting — add specific, structured obligations that the CRA Regulation addresses only in general terms.
The CRA Risk Profile
CRAs have a distinctive operational risk profile that shapes how DORA applies to them:
| Risk dimension | CRA-specific characteristic | DORA relevance |
|---|---|---|
| Data integrity | Ratings must be accurate, consistent, and free from manipulation — a corrupted rating can distort billions in market pricing | Art. 9 (protection), Art. 10 (detection) |
| Intellectual property | Rating methodologies, models, and analytical tools are core IP requiring exceptional protection | Art. 9 (protection), Art. 12 (backup) |
| Timeliness | Ratings must be published according to schedule; delayed rating actions can signal unintended market information | Art. 11 (business continuity) |
| Confidentiality | Pre-publication ratings are market-moving inside information; any leak is a market abuse event | Art. 9 (protection), data classification |
| Availability | Rating platforms must be accessible to issuers, investors, and regulators continuously | Art. 11 (business continuity), Art. 12 (recovery) |
| Third-party dependency | CRAs depend on data providers (financial data, market data, issuer filings) and technology infrastructure | Art. 28-30 (third-party risk) |
DORA Requirements Applied to CRAs
ICT Risk Management Framework (Art. 5-16)
CRAs must maintain a board-approved ICT risk management framework. For the Big Three (S&P Global Ratings, Moody's Ratings, Fitch Ratings), this means integrating DORA requirements into existing global risk management frameworks, which is complex because these are global groups operating through EU-registered subsidiaries, and it is the EU-registered entity that carries the DORA obligations.
For smaller European CRAs (Scope Group, DBRS Morningstar Europe, Cerved Rating Agency, BCRA, and others registered with ESMA), the framework must be proportionate to their size but must still cover all Art. 5-16 requirements.
The ICT asset register for a CRA must include:
| Asset category | Examples | Criticality |
|---|---|---|
| Rating production systems | Analytical platforms, model execution engines, rating databases | CRITICAL |
| Data acquisition infrastructure | Market data feeds, financial data APIs, issuer portals | HIGH |
| Dissemination platforms | Rating publication websites, client APIs, data distribution | CRITICAL |
| Regulatory reporting systems | ESMA CEREP reporting, transparency platform integration | HIGH |
| Methodology management | Version-controlled methodology documents, model validation tools | HIGH |
| Communication systems | Issuer communication platforms, committee scheduling | MEDIUM |
Incident Management (Art. 17-23)
A CRA ICT incident has market integrity implications that differ from a banking incident. The key scenarios:
Rating publication failure. If the rating publication platform is unavailable, scheduled rating actions cannot be disseminated. Market participants who rely on timely rating information are affected. Depending on the timing (e.g., during a sovereign debt crisis), the delay itself can be market-moving.
Data feed disruption. If financial data feeds are disrupted, analytical models cannot be updated, and surveillance processes (ongoing monitoring of rated entities) are degraded. This may delay rating actions that would otherwise be triggered by data changes.
Pre-publication rating leak. If pre-publication rating data is exposed through a system breach, the leaked information is inside information under the Market Abuse Regulation. This is simultaneously an ICT security incident and a market abuse event.
The incident reporting pipeline for CRAs must route to ESMA as the direct supervisor, with consideration for whether the incident also requires notification under the Market Abuse Regulation or the CRA Regulation's own incident provisions.
Resilience Testing (Art. 24-27)
CRAs must implement a resilience testing programme. Whether CRAs will be designated for mandatory TLPT depends on ESMA's assessment of their systemic importance. Given the market impact of CRA disruptions, designation is plausible for at least the Big Three's EU entities.
Testing must cover:
- Rating production systems: Can ratings be produced and published if the primary platform fails?
- Data feed resilience: What happens when a critical data provider is unavailable?
- Publication redundancy: Can ratings be disseminated through alternative channels if the primary platform is disrupted?
- Backup and recovery: Can the rating database be restored without losing any committed rating action, and within the defined recovery point and recovery time objectives?
- Security testing: Can the systems that hold pre-publication rating data withstand targeted attack?
Third-Party Risk (Art. 28-30)
CRAs depend on data providers (Bloomberg, Refinitiv, S&P Capital IQ, Moody's Analytics, public filing databases), technology infrastructure providers (cloud, data centers), and communication platforms. The register of information must document these dependencies.
The concentration risk analysis is particularly relevant: CRAs often depend on data providers owned by or affiliated with competing CRAs (S&P Global Ratings uses S&P Capital IQ; Moody's Ratings uses Moody's Analytics). This creates a unique form of concentration risk where the data provider and the rating entity are related parties, and where a disruption at the parent company can simultaneously affect the data provider and the CRA.
| CRA third-party category | Key providers | Art. 29 concentration concern |
|---|---|---|
| Financial data | Bloomberg, Refinitiv, S&P Capital IQ | High concentration in 3 providers |
| Market data | Stock exchanges, index providers | Moderate — multiple sources available |
| Technology infrastructure | Cloud providers, data centers | Standard cloud concentration risk |
| Regulatory reporting | ESMA platforms, data standards bodies | Single provider (ESMA) — inherent |
| Communication | Issuer portals, email, conferencing | Low concentration |
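The concentration analysis described above can be made mechanical once the register of information is in a structured form. The following is an added example, not code from the page or from any CRA or regulator: it models register entries with a hypothetical, simplified schema (the real ITS register templates have many more fields), groups dependencies by the provider's corporate group so that closely connected providers count as one, and raises the two Art. 29-style flags the text discusses (a provider that is a related party of the CRA, and a provider that supports critical functions without a documented substitute). The sample register, the provider names and the flag thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One line of a (simplified, hypothetical) register of information."""
    function: str         # business function the ICT service supports
    criticality: str      # "CRITICAL", "HIGH" or "MEDIUM", as in the asset register
    category: str         # third-party category (e.g. "Financial data")
    provider: str         # contracted provider
    provider_group: str   # corporate group the provider belongs to
    substitutable: bool   # True if a documented alternative source exists


# Constructed sample register for a hypothetical CRA belonging to "ExampleGroup".
# Provider names are invented; they illustrate the related-party case in the text.
SAMPLE_REGISTER = [
    Dependency("Issuer financial statement ingestion", "CRITICAL", "Financial data",
               "ExampleData", "ExampleGroup", False),
    Dependency("Peer comparison analytics", "HIGH", "Financial data",
               "ExampleData", "ExampleGroup", True),
    Dependency("Bond price surveillance", "CRITICAL", "Financial data",
               "VendorA Terminal", "VendorA", True),
    Dependency("Rating production platform hosting", "CRITICAL", "Technology infrastructure",
               "CloudX", "CloudX Inc", False),
    Dependency("Rating publication website hosting", "CRITICAL", "Technology infrastructure",
               "CloudX", "CloudX Inc", False),
    Dependency("Equity index reference data", "MEDIUM", "Market data",
               "ExchangeB", "ExchangeB", True),
]


def assess_concentration(register, own_group):
    """Return one finding per provider group that raises at least one concentration flag.

    Flags (assumed thresholds, not regulatory text):
      RELATED_PARTY     - provider belongs to the CRA's own group, so a parent-level
                          disruption hits the data provider and the CRA at once
      MULTI_CRITICAL    - the same group supports two or more CRITICAL functions
      NOT_SUBSTITUTABLE - a CRITICAL function has no documented alternative source
    """
    by_group = defaultdict(list)
    for dep in register:
        by_group[dep.provider_group].append(dep)

    findings = []
    for group in sorted(by_group):
        deps = by_group[group]
        critical = [d for d in deps if d.criticality == "CRITICAL"]
        no_substitute = [d for d in critical if not d.substitutable]
        flags = []
        if group == own_group:
            flags.append("RELATED_PARTY")
        if len(critical) >= 2:
            flags.append("MULTI_CRITICAL")
        if no_substitute:
            flags.append("NOT_SUBSTITUTABLE")
        if flags:
            findings.append({
                "provider_group": group,
                "critical_functions": [d.function for d in critical],
                "unsubstitutable_functions": [d.function for d in no_substitute],
                "flags": flags,
            })
    return findings


def single_source_categories(register):
    """Categories where every CRITICAL/HIGH function depends on a single provider group."""
    groups_per_category = defaultdict(set)
    for dep in register:
        if dep.criticality in ("CRITICAL", "HIGH"):
            groups_per_category[dep.category].add(dep.provider_group)
    return sorted(c for c, groups in groups_per_category.items() if len(groups) == 1)


if __name__ == "__main__":
    for finding in assess_concentration(SAMPLE_REGISTER, "ExampleGroup"):
        print(finding["provider_group"], finding["flags"], finding["unsubstitutable_functions"])
    print("single-source categories:", single_source_categories(SAMPLE_REGISTER))
```

On the constructed register the related-party data provider and the cloud provider are flagged, while the terminal vendor is not, because its critical function has a documented substitute. The "closely connected providers" grouping is the important design choice: counting by contract rather than by corporate group would hide exactly the parent-company dependency the text describes.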
Board Reporting (Art. 5(2))
Under Art. 5(2) the management body defines, approves and oversees the ICT risk management framework, which requires regular ICT risk reporting to the board. For EU-registered CRA subsidiaries of global groups, this means the local EU board must receive specific ICT risk reporting on the EU entity — not just a summary extracted from the global parent's reporting.
ESMA's Supervisory Position
ESMA directly supervises all EU-registered CRAs. DORA's requirements will be assessed through ESMA's existing supervisory engagement, supplemented by the ESA coordination mechanisms under DORA.
ESMA's supervisory focus for CRA operational resilience is likely to include:
| Focus area | Supervisory approach | CRA preparation required |
|---|---|---|
| Pre-publication data protection | Security assessment of rating confidentiality controls | Demonstrate RESTRICTED classification and corresponding controls |
| Publication continuity | Business continuity testing for rating dissemination | Tested failover for publication platforms |
| Data feed resilience | Assessment of alternative data source arrangements | Documented contingency for critical data disruptions |
| Methodology integrity | Protection of analytical models and methodology documents | IP protection controls, version management, backup |
| Incident reporting | Timeliness and quality of ESMA notifications | Established reporting procedure with templates |
Use the DORA readiness assessment to evaluate your CRA's compliance posture, consult the glossary for regulatory definitions, and review the RTS/ITS reference for technical standards. The ESMA website provides CRA-specific supervisory communications and guidance.
The Big Three vs. Smaller CRAs
The DORA compliance challenge differs significantly between the Big Three and smaller European CRAs:
Big Three (S&P, Moody's, Fitch): Global entities with extensive existing ICT risk frameworks, dedicated security teams, and significant technology investment. The challenge is adapting global frameworks to DORA's specific EU requirements and ensuring that the EU-registered entity has locally accountable governance. DORA compliance is a calibration exercise, not a greenfield build.
Smaller European CRAs: Entities with smaller teams, more limited technology budgets, and less developed ICT risk management frameworks. The proportionality argument under Art. 4 is relevant but does not eliminate the substance of the requirements. These CRAs must build DORA compliance frameworks that are proportionate but genuine — covering all five pillars with documentation, testing, and evidence appropriate to their scale.
Conclusion
Credit rating agencies are the market integrity infrastructure that investors, regulators, and issuers rely on for consistent, timely, and accurate credit assessments. Their operational resilience is not an internal matter — it is a market functioning concern. DORA's explicit inclusion of CRAs in scope recognizes this, requiring structured ICT risk management, incident reporting, resilience testing, and third-party governance that the existing CRA Regulation addresses only in general terms. The CRAs that implement DORA as a substantive capability enhancement will strengthen their market position. Those that treat it as a compliance overlay will find that ESMA's supervisory expectations have materially increased.
Summary (translated from French)
Credit rating agencies are explicitly within the scope of DORA (Art. 2(1)(q)), but the implementation discourse has largely focused on banks and insurers. This article analyses the distinctive operational risk profile of rating agencies (integrity of rating data, protection of the intellectual property in methodologies, confidentiality of pre-publication ratings as inside information, availability of publication platforms) and maps DORA requirements onto their specific operations. Key incident scenarios include rating publication failure, data feed disruption and pre-publication rating leaks (a market abuse event). The article covers supervision by ESMA as direct supervisor, data provider concentration risk (providers are often affiliated with competing agencies), the differences between the Big Three and smaller European agencies, and ESMA's supervisory expectations regarding pre-publication data protection, publication continuity and data feed resilience.