EU: Council and Parliament reach agreement on new cybersecurity rules for financial sector
The Council of the European Union announced, on 11 May 2022, that it had reached a provisional agreement with the European Parliament on the Digital Operational Resilience Act ('DORA'). In particular, the Council highlighted that DORA aims to prevent and mitigate cyber threats and ensure resilient operations across EU financial entities such as banks, insurance companies, and investment firms. To achieve this, DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector, as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. In addition, the Council outlined that, under the provisional agreement, critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
With regard to the interaction of DORA with the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), the Council highlighted that, under the provisional agreement, financial entities will have full clarity on the different rules on digital operational resilience that they need to comply with, in particular those financial entities holding several authorisations and operating in different markets within the EU. More specifically, the Council noted that the NIS Directive continues to apply, with DORA building on the NIS Directive and addressing possible overlaps via a lex specialis exemption. Relatedly, the Council also announced, on 13 May 2022, that it had reached a provisional agreement with the Parliament on a revised Directive on Security of Network and Information Systems ('NIS 2 Directive'), which will replace and update the NIS Directive.
Finally, the Council clarified that once DORA is adopted and passed into law by EU Member States, EU supervisory authorities will then develop technical standards for all financial services institutions to abide by, whilst the respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.
The provisional agreement is now subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
You can read the press release here.