Political Agreement Reached On DORA

May 12, 2022
The European Parliament and European Council have reached a political agreement on the Digital Operational Resilience Act (DORA), meaning that one of the key covenants of the EU’s digital finance plans comes a step closer to being signed into law.

Parliamentarians and member state politicians have provisionally negotiated a position on new uniform rules for information and communication technology (ICT) risk management, reporting of major ICT-related incidents, resilience testing and sound monitoring of ICT third-party risk.

The new rules, which bring payment institutions and crypto-asset service providers directly into scope, primarily aim to harmonise and strengthen digital operational resilience requirements across the financial services sector.

This includes requirements to protect against, detect, contain, recover from and repair ICT-related incidents.

These would be paired with reporting and digital testing capabilities.

Negotiators agreed that the rules should apply 24 months after they enter into force. In the meantime, they will carry on with technical work on amendments that bring legal clarity and consistency to existing EU financial services rules, and ensure that the rules in the regulation and the directive are aligned with each other.

Commenting on the agreement being reached, Billy Kelleher, the European Parliament’s lead negotiator, said: “This is the first step in building up the EU’s cyber resilience at the point where financial services and ICT interact.”

“The agreement provides for robust ICT risk management, testing and reporting requirements while at the same time future-proofing the legislation, adhering to the principle of proportionality and protecting competition,” he said, adding that the compromise reached between the two co-legislators will protect the financial services industry and ensure firms can compete on the global stage.

What’s in store for operational resilience?

Co-legislators have provisionally agreed that the inclusion of statutory auditors and audit firms in the scope of the regulation will be subject to review within three years.

Among the issues negotiated, parliamentarians said that they ensured that the ICT risk management framework will take into account significant differences between financial entities in terms of size, nature, complexity and risk profile.

This will mean more proportionality, which was one of the key bugbears for the industry at the time the regulation was proposed in autumn 2020.

Negotiators also agreed that ICT risk management requirements should not hamper financial entities from being innovative when they have to deal with digital operational resilience issues.

To ensure the cybersecurity preparedness of financial entities, negotiators said that advanced testing should be done both internally and externally, and that one in three tests should be done by an external provider.

Meanwhile, to instil a robust ICT-related-incident reporting regime for financial entities with less administrative burden and no reporting overlaps, negotiators agreed that they should report to their competent authorities in a centralised and harmonised manner.

They argued for flexible timelines on ICT-related incident reporting, provided there is a justification for deviating from the timeline.

MEPs did, however, successfully push to establish that a single EU hub for the reporting of major ICT-related incidents will be explored within two years.

In respect of the oversight of third-party risk, under the provisional agreement, financial entities may only enter into a contract with ICT service providers that have appropriate and up-to-date security standards.

Brussels’ lawmakers stressed that ICT third-party service providers are crucial to the functioning of the financial sector and should therefore be properly overseen at the EU level.

Negotiators agreed that critical ICT third-party service providers established in a third country should have a subsidiary in the EU and the European supervisory authorities should be informed of any change of management structure.

DORA makes the EU one of the first-movers in this space, and a global leader, said Kelleher.

“During our negotiations, we were conscious that the same requirements should not apply to small, micro and inter-connected entities that apply to large, multinational financial and IT companies. This has been achieved.

“The co-legislators agreed that we must not over-regulate these crucial drivers of the European economy so much so that they would become uncompetitive against competitors in other jurisdictions.”
