(BRUSSELS) – The EU Parliament and Council provisionally agreed Tuesday to strengthen the IT security of Europe’s financial sector, to ensure it can maintain resilient operations in any severe operational disruption.
The Digital Operational Resilience Act (DORA) sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.
DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.
Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.
Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.
Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.
Under the provisional agreement, penetration tests shall be carried out in functioning mode, and it will be possible to include several member states’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.
As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption.
The provisional agreement reached yesterday evening is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.
Commission proposal for a Regulation on Digital Operational Resilience