Cybersecurity in the financial sector: DORA is being finalised
On 10 May, the European Parliament and the Council reached a provisional agreement on a key proposal setting cybersecurity requirements in the financial sector. The Commission proposed this Digital Operational Resilience Act (DORA) in September 2020.
DORA will set uniform requirements for the security of network and information systems of companies operating in the financial sector. Nearly all financial entities will be subject to the new rules.
Interestingly, DORA will also cover critical ICT service providers to financial entities in the EU, including cloud providers. Cloud providers will be subject to a new oversight system and will have to pay for scrutiny. If they do not cooperate, they could be fined. They will have to establish a subsidiary within the EU if they originate from a third country.
The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) will coordinate their supervisory activities. They will also draft the regulatory technical standards, the implementing standards, the guidelines and the recurring reports. However, in a joint letter, these organisations recently warned that they do not have sufficient resources and expertise to deliver all these technical documents within 12 months – as envisaged in DORA.
Next steps
The European Parliament and the Council need to adopt the deal formally.
DORA will take effect in 2024.