Digital finance: provisional agreement reached on DORA
The Council presidency and the European Parliament recently reached a provisional agreement on the Digital Operational Resilience Act (DORA). DORA, a directly effective EU regulation, creates a regulatory framework across EU member states whereby all firms are required to ensure they can withstand, respond to and recover from information and communication technology (ICT)-related disruptions and threats. The core aim of DORA is to prevent and mitigate cyber threats.
Background
The European Commission's proposal on DORA is part of a larger digital finance package encompassing, in addition to the DORA proposal, a digital finance strategy, a proposal on markets in crypto-assets (MiCA) and a proposal on distributed ledger technology (DLT). The digital finance package aims to support innovation in the uptake of new financial technologies, such as digital financial instruments, while providing consumer and investor protection.
Application
Almost all financial entities will be subject to DORA. Under the provisional agreement, auditors will not be subject to DORA but will form part of a future review of the regulation.
Key proposals
- developing a robust, risk sensitive framework that boosts the ICT security of the financial sector
- introducing a requirement for critical third-country ICT service providers to EU financial entities to establish an EU subsidiary, to ensure effective EU regulatory oversight
- adoption of an additional joint oversight network, with the aim of strengthening coordination between the European supervisory authorities (ESAs) in respect of this area
- carrying out of penetration tests in functioning mode, with the possible inclusion of several member states' authorities in the test procedures
- restricted use of internal auditors in penetration tests in a number of narrowly defined circumstances and subject to satisfaction of conditions
- building upon the Network and Information Security (NIS) directive, which continues to apply
- providing financial entities with full clarity on the rules on digital operational resilience with which they must comply, i.e. under DORA and/or the NIS directive
Next steps
The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure (Council meeting and Plenary respectively). The agreed revised text of the proposal has not yet been published. DORA will enter into force 20 days after publication in the Official Journal of the EU, and will be applicable 24 months thereafter. The ESAs will also develop relevant technical standards in due course.
As highlighted in our recent publication, operational resilience and, in particular, cyber-resilience is a priority for the Central Bank of Ireland this year, placing increased emphasis on the need for financial institutions to factor this provisional agreement into their horizon-scanning board updates and operational risk management plans.
For further information in relation to this topic, please contact Patrick Brandt, Partner, Kevin Allen, Partner, Christopher Martin, Of Counsel, or any member of ALG's financial regulation team.
Date published: 25 May 2022