Provisional Agreement reached on the EU’s Digital Operational Resilience Act
- Published: Thursday, 12 May 2022 08:07
On May 10th the European Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which is intended to ensure that the financial sector in Europe can maintain resilient operations through a severe operational disruption.
DORA will establish uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties that provide ICT-related services to them, such as cloud platforms or data analytics services.
DORA creates a regulatory framework on digital operational resilience where all regulated firms will need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
Key points under the provisional agreement include:
- The efforts asked from financial entities will be proportional to the potential risks.
- Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.
- Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
- The co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.
- Under the provisional agreement, penetration tests shall be carried out in functioning mode, and it will be possible to include several member states’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.
- As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU.
The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure. Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.