On Tuesday 10 May, the Presidency of the Council of the European Union and the European Parliament reached a provisional political agreement on the draft Digital Operational Resilience Act (DORA).
This text lays down uniform requirements for the security of networks and information systems of companies and organisations active in the financial sector as well as of critical third parties providing ICT (Information Communication Technologies)-related services to them.
“Thanks to this agreement, our financial sector will be better protected against ICT risks, including cyber-attacks, which is essential for financial stability”, said Mairead McGuinness, the European Commissioner for Financial Services, in a statement.
“We arrived at a strong, progressive, yet future proofed compromise - a compromise that will protect these crucial sectors in our economy from cyber threats, yet at the same time, will allow EU companies to compete on a global stage”, welcomed Billy Kelleher (Renew Europe, Ireland), the Parliament’s rapporteur on the text, in a statement.
As requested by the French Presidency of the EU Council (see EUROPE 12948/14), auditors will not be subject to the ‘DORA’ regulation. But they will be part of a future review in which a possible revision of the rules could be considered.
Critical service providers established in a third country that provide IT services to financial entities in the EU will be required to establish a subsidiary in the EU, in order to be supervised.
The Parliament has won its case by agreeing with the EU Council on an additional joint oversight network, which will strengthen the coordination between the European supervisory authorities on this cross-sectoral topic.
The provisional agreement still has to be approved by the EU Council and the European Parliament before it can be formally adopted.
The other text regulating crypto-assets, called ‘MiCA’, is still in interinstitutional negotiations (see EUROPE 12910/12). (Original version in French by Anne Damiani)