Brussels, 10 May 2022
EP negotiators agreed with the Council on new uniform rules for ICT risk management, reporting major ICT-related incidents, resilience testing and sound monitoring of ICT third-party risk.
The new rules primarily aim to harmonise and strengthen the digital operational resilience requirements across the financial services sector, such as the requirements to protect against, detect, contain, recover from and repair information and communication technology (ICT)-related incidents. These requirements would be paired with reporting and digital testing capabilities.
The rules would apply to financial entities regulated at EU level, such as banks, payment providers, electronic money providers, investment firms, crypto-asset service providers and to ICT third-party service providers.
Co-legislators have provisionally agreed that the inclusion of statutory auditors and audit firms in the scope of the Regulation will be subject to a review within three years.
Risk preparedness, reporting of major ICT-related incidents and testing
MEPs ensured that the ICT risk management framework should take into account significant differences between financial entities in terms of size, nature, complexity and risk profile. Negotiators agreed that ICT risk management requirements should not hamper financial entities from being innovative when they have to deal with digital operational resilience issues.
Regarding financial entities’ cybersecurity preparedness, negotiators agreed that both internal and external tests have a role to play in advanced testing, therefore one in three tests should be done by an external provider.
In order to achieve a robust ICT-related incident reporting regime for financial entities with less administrative burden and no reporting overlaps, negotiators agreed that they should report to their competent authorities in a centralised and harmonised manner. They allowed for flexible timelines on ICT-related incident reporting, provided that there is a justification for deviating from the timeline.
MEPs also assured that establishing a single EU Hub for the reporting of major ICT-related incidents will be explored within two years.
Oversight of ICT third-party risk
Financial entities may only enter into a contract with ICT service providers that have appropriate, up-to-date security standards. MEPs stressed that ICT third-party service providers are crucial to the functioning of the financial sector and should therefore be properly overseen at EU level. Negotiators agreed that critical ICT third-party service providers established in a third country should have a subsidiary in the EU and the European supervisory authorities (ESAs) should be informed of any change of its management structure.
MEPs insisted on a review of the functioning and effectiveness of the Joint Oversight Network within five years, to ensure that oversight by the Lead Overseers is consistent (each of the ESAs could be designated as a Lead Overseer for a critical ICT third-party service provider) and that the exchange of information within the oversight framework is efficient.
Finally, negotiators agreed that the rules should apply 24 months after they enter into force.
Additionally, negotiators agreed to carry on with technical work on amendments that bring legal clarity and consistency to existing EU financial services rules and to ensure that the rules in the regulation and the directive are aligned with each other.
Quote
“Today’s provisional political agreement on the Digital Operational Resilience Regulation (DORA) is a key step in building up the EU’s cyber resilience at the point where financial services and ICT interact. The agreement provides for robust ICT risk management, testing and reporting requirements while at the same time future-proofing the legislation, adhering to the principle of proportionality and protecting competition”, said Billy Kelleher (Renew, IE), lead MEP responsible for the regulation.
Further information
S&Ds ensure balanced protection of the EU’s financial system against cyberattacks
The European Union has negotiated a deal to protect the European financial system against cyberattacks. During the negotiations, the S&Ds ensured the legislation is balanced and designed to create a resilient cybersecurity model and to protect the integrity of the European financial system. The legislation is very timely, in particular considering the threats of the Russian war against Ukraine, underlined the Socialists and Democrats, as the provisional agreement on the matter was reached last night*.
S&D MEP Alfred Sant, the negotiator on the single rulebook maximising cybersecurity for financial services in the EU, said:
“The new legislation will make sure that banks, insurers and financial institutions in the European Union are better equipped to prevent, detect and resolve digital operational risks and disruptions.
“The S&Ds have ensured we have balanced legislation with the right amount of flexibility and proportionality. We have also made certain that loopholes are closed. This means that service providers from outside the EU, such as big cloud companies that are crucial for the functioning of the European financial sector, are subject to tight harmonised rules.
“Moreover, the group tried hard to guarantee that the new requirements would also apply to auditors. This would be important because they have a privileged access to the information technology infrastructures of financial entities and hence play an important role in the financial system. At our insistence, a review clause has been introduced to assess the need to include auditors in the legislation in the future.
“We now expect that sufficient resources will be put in place for this new protection to be available as soon as possible. This should be considered an urgent priority. The current geopolitical context means such regulation is critical as cyberattacks are on the rise.”
*Note to editors:
Negotiators from the European Parliament and the EU Council have reached a provisional political agreement on the Digital Operational Resilience Act (DORA). The new rules aim to harmonise and strengthen the requirements across the financial services sector to protect it against incidents related to information and communication technology. The agreement now needs to be formalised by the Parliament and the Council. The rules should apply 24 months after they enter into force.
MEP Markus Ferber (EPP/CSU) on the DORA trilogue agreement
Last night, a political agreement was reached on the Regulation on digital operational resilience for the financial sector (Digital Operational Resilience Act – DORA). Markus Ferber, economic policy spokesperson of the EPP Group in the European Parliament, commented:
“Robust rules in the area of cyber security are essential to make the European financial sector fit for the 21st century. The digitalisation of finance is one of the mega-topics of our time. The further the digitalisation of the financial sector advances, the higher the expectations placed on cybersecurity. With the increased risk of Russian hacker attacks, the topic of cyber security has taken on a new dimension.
Cyberattacks do not stop at national borders. In a European single market we also need Europe-wide standards for cybersecurity. With this agreement we are putting high, uniform minimum standards for cybersecurity in finance on track. That strengthens financial stability and improves consumer protection.
The agreement improves the Commission proposal in many places and, above all, makes it more proportionate. DORA now differentiates according to the actual risks, the business model and the implications for financial stability; that is a sensible approach.”
Renew Europe on DORA: deal secures a flexible, proportional and future-proof cybersecurity regulation for the EU’s financial sector
The Renew Europe Group in the European Parliament welcomes today’s interinstitutional agreement on the Digital Operational Resilience Act (DORA), which seeks to bolster and protect the EU’s financial sector from cyber-attacks and other potential risks it faces due to the ever-increasing interaction between it and the Information and Communication Technology (ICT) sector.
Our political Group worked hard during the negotiation process to achieve the implementation of robust ICT risk management, testing and reporting requirements while at the same time future-proofing the legislation, adhering to the principle of proportionality and protecting competition.
Likewise, one of Renew Europe’s priorities was to introduce enough flexibility into the oversight framework to ensure that the EU remains an attractive jurisdiction for companies to invest in, and that innovation is fostered and promoted. We ensured a differentiated approach to the regulation of small, micro and interconnected entities versus large multinational financial and IT companies.
The final agreement is an important milestone in our campaign to drive the digital competitiveness of the EU’s financial sector while also protecting financial stability and enhancing consumer protection.
MEP Billy Kelleher (Fianna Fáil, Ireland), Renew Europe Group’s rapporteur on DORA, said: “Today’s provisional political agreement on the Digital Operational Resilience Act (DORA) is a key step in building up the EU’s cyber resilience at the point where financial services and ICT interact. We arrived at a strong, progressive, yet future-proofed compromise – a compromise that will protect these crucial sectors in our economy from cyber threats, yet at the same time, will allow EU companies to compete on a global stage.”