DORA proposal: critical ICT third-party providers must be established in the EU
On 11 November, the European Commission (DG FISMA) organised a webinar on its new proposal on cyber-resilience in the financial sector, namely the Digital Operational Resilience Act (DORA). This future Regulation establishes cybersecurity requirements for financial entities (for more information, see our previous briefing here).
During the webinar, the Commission’s speakers confirmed that the proposed Regulation stipulates that critical ICT third-party providers (e.g. cloud services) must be established in the EU. Ruxandra-Gabriela Adam (DG FISMA) explained that this is necessary for European supervision, as supervisors must be able to access the premises and the documents of the third-party providers. This obligation of EU localisation is for enforceability purposes.
Regarding the link with the NIS Directive, financial entities will not be obliged to follow the NIS reporting obligations in case of ICT-related incidents, but they will have to follow the DORA reporting requirements, which are more precise. Financial entities will have to report to the financial competent authority and not to the NIS single point of contact.