On Wednesday 1 December, the European Parliament’s Economic Affairs Committee adopted its negotiating position with the Council of the European Union on the proposed ‘DORA’ regulation, which aims to prevent and mitigate cyber risks to the financial sector.
The regulation sets out obligations for financial entities (banks, investment firms, crypto-asset providers, audit firms) to be able to detect and withstand all types of information and communication technology (ICT) risks. At the request of the EPP and Renew Europe groups, insurance companies and small pension funds have been excluded from the scope of the legislation, while the European Commission will need to assess the appropriateness of including payment system operators.
The obligations that will be placed on financial actors include:
- the creation of an internal function dedicated to ICT-related cyber risks;
- the obligation for entities to verify that third-party companies to which they outsource IT tasks also manage ICT risks in accordance with the provisions of the Regulation;
- the obligation to keep a record of all ICT-related incidents that have an impact on the continuity and quality of the financial services provided.
In terms of transparency, the minimum step that financial entities will have to take is to communicate about major incidents they have had to deal with. The European Commission will be asked to study the feasibility of creating a European register of ICT incidents that have been detected.
The ‘DORA’ Regulation also establishes a supervisory framework for ICT service providers to whom financial entities delegate certain activities, such as cloud computing.
Supported by the S&D and The Left groups, an amendment from the Greens/EFA group that sets out minimum requirements for third-party ICT service providers deemed to be critical was nevertheless rejected (21 votes in favour, 27 against, 5 abstentions). This was despite the fact that the European supervisory authorities had alerted MEPs to the shortcomings of the original legislative proposal.
The rapporteur, Billy Kelleher (Renew Europe, Ireland), is said to be in favour of including this issue in negotiations with the EU Council, whereas the negotiating position of the Member States, which was finalised last week, does not include such provisions (see EUROPE 12841/2). (Original version in French by Mathieu Bion)