Given the ever-increasing risk of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. Last night, the Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA Regulation), which is meant to ensure that the European financial sector can maintain resilient operations through a severe operational disruption.
The DORA Regulation sets uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as of the critical third parties that provide them with information and communication technology (ICT) services, such as cloud computing platforms or data analytics services. It establishes a regulatory framework for digital operational resilience under which all in-scope entities must make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are the same across all EU member states. The core aim is to prevent and mitigate cyber threats.
Under the provisional agreement, the new rules form a very robust framework that will boost IT security in the financial sector. The effort required of financial entities will be proportionate to the potential risks they face.
The new rules cover almost all financial entities. Under the provisional agreement, auditors will not be subject to the DORA rules, but they will be part of a future review of the regulation, during which a possible extension of its scope could be considered.
Critical third-country ICT service providers to EU financial entities will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network, which will strengthen coordination between the European supervisory authorities on this cross-sectoral issue.
Under the provisional agreement, penetration testing will be carried out on an operational basis, and it will be possible to involve the authorities of several member states in the testing procedures. The use of internal testers will be possible only in a number of strictly limited circumstances, subject to safeguards.
As regards the interaction between DORA and the Directive on security of network and information systems (NIS Directive), under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular those holding several authorisations and operating in different markets within the EU. The NIS Directive continues to apply. DORA builds on the NIS Directive and addresses possible overlaps via a so-called lex specialis exemption.
The provisional agreement reached last night must be approved by the Council and the European Parliament before going through the formal adoption procedure.
Once the proposed regulation is formally adopted, it will become directly applicable law in each EU member state. The relevant European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards with which all financial services institutions will have to comply, whether they are engaged in banking, insurance or asset management. The respective national competent authorities will be responsible for compliance oversight and will enforce the regulation as necessary.
The Commission presented the proposed DORA Regulation on 24 September 2020. It is part of a broader digital finance package aimed at developing a European approach that fosters technological development while ensuring financial stability and consumer protection. In addition to the DORA proposal, the package includes a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).
The package fills a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments, while at the same time bringing these new technologies and products within the scope of financial regulation and the operational risk management arrangements of firms active in the EU. The package thus aims to support innovation and the uptake of new financial technologies while providing an appropriate level of protection for consumers and investors.
The Council adopted its negotiating mandate on the DORA Regulation on 24 November 2021. Trilogues between the co-legislators began on 25 January 2022 and ended with the provisional agreement reached yesterday.