Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. Yesterday evening the Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.
DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.
Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.
Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.
Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.
Under the provisional agreement, penetration tests shall be carried out in functioning mode, and it will be possible to include several member states’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.
As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption.
The provisional agreement reached yesterday evening is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.
The Commission came forward with the DORA proposal on 24 September 2020. It is part of the larger digital finance package, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).
This package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU. Thus, the package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.
The Council adopted its negotiating mandate on DORA on 24 November 2021. Trilogues between the co-legislators started on 25 January 2022 and ended in the provisional agreement reached yesterday.