On May 11, EU CNCL and EP reached provisional agreement on DORA.
EU CNCL, EP reached provisional Digital Operational Resilience Act (DORA) agreement.
Follows EC Sep. 2020, adopted digital finance, retail payments strategies, see #86899.
Provisional Agreement
Council Presidency and the EP have reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.
DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT-related services to them, e.g. cloud platforms/data analytics.
Creates framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to/recover from all types of ICT-related disruptions.
Requirements are homogenous across all states; core aim is to prevent cyber threats.
IT Security
New rules will constitute robust framework that boosts IT security of financial sector.
The efforts asked from financial entities will be proportional to the potential risks.
Auditors
Almost all financial entities will be subject to the new rules; but under the provisional agreement, auditors will not be subject to DORA, but will be part of a future review of the regulation, where a possible revision of the rules may be explored.
Third-country ICT Providers
Critical third-country ICT service providers to financial entities in EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
Oversight Framework
As regards the oversight framework, the co-legislators agreed to opt for an additional joint oversight network which will strengthen the coordination between the ESAs.
Penetration Tests
Under provisional agreement, penetration tests shall be carried out in functioning mode, and will be possible to include several states’ authorities in the test procedures.
Use of internal auditors will be possible only in strictly limited circumstances.
NIS Directive
As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with.
In particular for those financial entities holding several authorizations and operating in different markets within the EU; the NIS directive continues to apply; DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption.
Effectiveness
Provisional agreement reached yesterday evening is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
Once DORA proposal is formally adopted, it will be passed into law by each EU state.
The relevant European Supervisory Authorities (ESAs), the EBA, ESMA and the EIOPA, will then develop technical standards for all financial services institutions to abide by.
NCAs will take role of compliance oversight and enforce the regulation as necessary.
On Nov. 10, 2022, EP issued legislative resolutions adopting position at first reading in respect of the proposals for a directive and regulation on digital operational resilience.
Nov. 14, 2022 EU CNCL Note
On Nov. 14, 2022, EU CNCL issued information notes confirming that the EP's position on proposed directive and regulation reflects what had been previously agreed.
Council should therefore be in a position to approve the Parliament's position; the acts would then be adopted in the wording which corresponds to the Parliament's position.
Nov. 17, 2022 EU CNCL Final Text
On Nov. 17, 2022, EU CNCL issued the final texts of the DORA directive (PE-CONS 42/22) and regulation (PE-CONS 41/22) for adoption; directive and regulation shall enter into force on the twentieth day following publication in the EU Official Journal.
Regulation shall apply from 24 months from the date of its entry into force.
Nov. 18, 2022 EU CNCL Note
On Nov. 18, 2022, EU CNCL issued item notes on adoption of directive and regulation.
COREPER asked to confirm its agreement and to suggest that the Council approve EP's positions, as set out in PE-CONS 41/22 and PE-CONS 42/22, as an "A" item at a forthcoming meeting; if the Council approves, legislative act will be adopted.
Nov. 28, 2022 EU CNCL Adoption
On Nov. 28, 2022, EU CNCL announced adoption of DORA that will make sure financial sector in Europe is able to stay resilient through a severe operational disruption.
DORA core aim is to prevent, mitigate cyber threats so creates regulatory framework on digital operational resilience, its requirements are homogenous across all EU States.
Now that formally adopted, aspects requiring national transposition will be included in national laws, relevant ESAs to develop technical standards for financial services firms.
I.e. institutions from banking, insurance to asset management; national authorities will take role of compliance oversight and enforce the regulation as necessary.
EU CNCL adoption is final step in legislative process so will be officially published soon.
Dec. 15, 2022 Adopted Text
On Dec. 15, 2022, EU CNCL issued final adopted texts of the directive and regulation.
Directive shall enter into force on the 20th day following that of publication in the OJ.
Regulation shall enter into force on the 20th day following that of its publication in the OJ; shall apply from 24 months from the date of entry into force of the regulation.
Dec. 27, 2022 Official Journal
On Dec. 27, 2022, EU CNCL issued final Dir 2022/2556 and Reg 2022/2554 on digital operational resilience for the financial sector in the European Official Journal.
By Jan. 17, 2025, Member States shall adopt and publish the measures necessary to comply with the directive; they shall apply those measures from Jan. 17, 2025.
Directive shall enter into force on the twentieth day following that of its OJ publication.
Regulation enters into force on 20th day after issue in OJ; applies from Jan. 17, 2025.
In Jan. 2023, EBA issued EC's request for advice on criteria and fees, see #158516.
In Feb. 2023, ESMA issued SMSG advice on DORA implementation, see #163365.
In May 2023, EBA issued Banking Stakeholder Group paper on DORA, see #171777.
