Digital finance: Council adopts Digital Operational Resilience Act

Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. Today the Council adopted the Digital Operational Resilience Act (DORA) which will make sure the financial sector in Europe is able to stay resilient through a severe operational disruption.

“We live in uncertain times. Banks and other companies which provide financial services in Europe already have plans in place for their IT security, but we need to go one step further. Thanks to the harmonised legal requirements which we adopted today, our financial sector will be better able to continue to function at all times. If a large-scale attack on the European financial sector is launched, we will be prepared for it.”

Zbyněk Stanjura, Minister of Finance of Czechia

DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.

Now that the DORA proposal is formally adopted, aspects that require national transposition will be passed into law by each EU member state. At the same time, the relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Background

The Commission came forward with the DORA proposal on 24 September 2020. It was part of a larger digital finance package, which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In addition to the DORA proposal, the package contained a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT).

This package bridges a gap in existing EU legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU. Thus, the package aims to support innovation and the uptake of new financial technologies while providing for an appropriate level of consumer and investor protection.

The Council adopted its negotiating mandate on DORA on 24 November 2021. Trilogues between the co-legislators started on 25 January 2022 and ended in a provisional agreement on 10 May 2022. Today’s adoption is the final step in the legislative process.