In response to the steadily growing risk of cyberattacks, the European Union is strengthening IT security requirements across several sectors, in particular for financial institutions such as banks, insurance companies and investment firms.
The Council of the EU and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which is intended to ensure that Europe’s financial sector can keep operating through a severe operational disruption.
DORA establishes uniform security requirements for the network and information systems of companies and organisations operating in the financial sector. The requirements also reach the third parties that provide them with ICT (information and communication technology) services, such as cloud platforms or data analytics services.
Under the regulatory framework on digital operational resilience that DORA creates, every in-scope financial entity has to ensure that it can withstand, respond to and recover from all types of ICT-related disruptions and threats. The requirements are identical in all EU member states. The main objective is to prevent and mitigate cyber threats.
Under the provisional agreement, the new rules provide a robust framework for enhancing IT security in the financial sector. The measures a financial institution must take to protect its information are to be proportionate to the risks it faces.
Critical third-country providers of ICT services to EU financial institutions will have to establish a subsidiary within the EU so that oversight can be exercised effectively.
Regarding the oversight framework, the co-legislators also agreed on an additional joint oversight network to strengthen coordination between the European authorities on this cross-cutting issue.
The provisional agreement also clarifies how DORA interacts with the Network and Information Security (NIS) Directive, so that financial institutions have full clarity on which digital operational resilience rules they must comply with. This matters in particular for financial institutions that hold multiple authorisations and operate in several EU markets. The NIS framework continues to apply: DORA builds on the NIS Directive and resolves potential overlaps through a lex specialis exemption, under which DORA's sector-specific requirements take precedence for financial entities.
The provisional agreement is subject to approval by the Council and the Parliament before it goes through the formal adoption procedure.
Once formally adopted, DORA applies directly in every EU member state as a regulation, without national transposition. The European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop the technical standards for all financial institutions, from banking to insurance and asset management. The respective national competent authorities will monitor compliance and enforce the regulation where necessary.
This package fills a gap in existing EU legislation and ensures that the current legal framework does not stand in the way of new digital financial instruments. It also brings new technologies and products within the scope of financial regulation and of the operational risk management arrangements of companies active in the EU. The package thus aims to support innovation and the adoption of new financial technologies while providing an adequate level of consumer and investor protection.