
Brussels, 10 May 2022

EP negotiators agreed with the Council on new uniform rules for ICT risk management, reporting major ICT-related incidents, resilience testing and sound monitoring of ICT third-party risk.

The new rules primarily aim to harmonise and strengthen the digital operational resilience requirements across the financial services sector, such as the requirements to protect against, detect, contain, recover from and repair information and communication technology (ICT)-related incidents. These requirements would be paired with reporting and digital testing capabilities.

The rules would apply to financial entities regulated at EU level, such as banks, payment providers, electronic money providers, investment firms, crypto-asset service providers and to ICT third-party service providers.

Co-legislators have provisionally agreed that the inclusion of statutory auditors and audit firms in the scope of the Regulation will be subject to a review within three years.

Risk preparedness, reporting of major ICT-related incidents and testing

MEPs ensured that the ICT risk management framework should take into account significant differences between financial entities in terms of size, nature, complexity and risk profile. Negotiators agreed that ICT risk management requirements should not hamper financial entities from being innovative when they have to deal with digital operational resilience issues.

Regarding financial entities’ cybersecurity preparedness, negotiators agreed that both internal and external tests have a role to play in advanced testing, therefore one in three tests should be done by an external provider.

In order to achieve a robust ICT-related-incident reporting regime for financial entities with less administrative burden and no reporting overlaps, negotiators agreed that they should report to their competent authorities in a centralised and harmonised manner. They allowed for flexible timelines on ICT-related incidents reporting, provided that there is a justification for deviating from the timeline.

MEPs also ensured that establishing a single EU Hub for the reporting of major ICT-related incidents will be explored within two years.

Oversight of ICT third-party risk

Financial entities may only enter into a contract with ICT service providers that have appropriate, up-to-date security standards. MEPs stressed that ICT third-party service providers are crucial to the functioning of the financial sector and should therefore be properly overseen at EU level. Negotiators agreed that critical ICT third-party service providers established in a third country should have a subsidiary in the EU and the European supervisory authorities (ESAs) should be informed of any change of its management structure.

MEPs insisted on a review of the functioning and effectiveness of the Joint Oversight Network within five years to ensure that oversight by the Lead Overseers is consistent (each of the ESAs could be designated as a Lead Overseer for a critical ICT third-party service provider) and that the exchange of information within the oversight framework is efficient.

Finally, negotiators agreed that the rules should apply 24 months after they enter into force.

Additionally, negotiators agreed to carry on with technical work on amendments that bring legal clarity and consistency to existing EU financial services rules and to ensure that the rules in the regulation and the directive are aligned with each other.


“Today’s provisional political agreement on the Digital Operational Resilience Regulation (DORA) is a key step in building up the EU’s cyber resilience at the point where financial services and ICT interact. The agreement provides for robust ICT risk management, testing and reporting requirements while at the same time future-proofing the legislation, adhering to the principle of proportionality and protecting competition”, said Billy Kelleher (Renew, IE), lead MEP responsible for the regulation.
