On Tuesday 10 May, the proposed ‘DORA’ regulation on cyber risk management for financial actors will be the subject of interinstitutional negotiations (‘trilogues’) between the European Parliament and the Council of the European Union for the third time.
“We are hoping that it may be the final trilogue”, a source told EUROPE on Monday 9 May.
“But to reach an agreement we will depend on the flexibility of the Parliament, as Member States didn't give the Presidency a lot of margin of manoeuvre to deviate from the Council position”, she said.
On Friday 6 May, the Member States’ ambassadors to the EU (Coreper II) approved the new negotiating position to be defended by the French Presidency of the EU Council.
According to a note obtained by EUROPE, “the Presidency will again strongly insist on the exclusion of auditors, which are not financial firms, and will propose to refer their treatment to the review clause. The Presidency could, however, be open to excluding only medium-sized ancillary insurance intermediaries”. “Finally, the Presidency will insist on not applying the exemptions for micro-enterprises to certain market infrastructures with a high risk profile”, it said.
Concerning the ICT risk management framework, the Presidency could insist on the importance of not restricting certain risk management rules to only the critical and important functions of a financial company, a point that had been debated in the parliamentary committee (see EUROPE 12844/25).
The French Presidency has emphasised that it will continue its efforts to convince the European Parliament of the usefulness of a multi-vendor strategy, but could also show some flexibility on the EU Council's behalf on this point.
According to our information, should another trilogue negotiation prove necessary, it will take place around mid-June.
To read the EU Council’s note: https://aeur.eu/f/1k4 (Original version in French by Anne Damiani)