Given the ever-increasing risk of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. Yesterday evening the Council presidency and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.
DORA sets uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as for the critical third parties that provide ICT (information and communication technology) services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework for digital operational resilience under which all firms must be able to withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are uniform across all EU member states. The core aim is to prevent and mitigate cyber threats.
Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.
Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be covered in a future review of the regulation, where a possible revision of the rules may be explored.
Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network, which will strengthen coordination between the European supervisory authorities on this cross-sectoral topic.
Under the provisional agreement, penetration tests shall be carried out in functioning mode, that is, against live production systems rather than test environments, and it will be possible to include several member states' authorities in the test procedures. The use of internal testers, instead of independent external ones, will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.
As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption: where both sets of rules cover the same ground, DORA's sector-specific requirements take precedence over the general NIS rules for the entities in its scope.
The provisional agreement reached yesterday evening is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
Once the DORA proposal is formally adopted, it will apply directly in every EU member state: DORA is a regulation, so it does not need to be transposed into national law. The relevant European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take on the role of compliance oversight and enforce the regulation as necessary....
more at Council
© Council of the European Union