The European Council and the Parliament reach an agreement on the DORA law on digital operational resilience | Hogan Lovells
On 11 May 2022, the European Council announced in a press release that it had reached a provisional agreement with the European Parliament on DORA, a piece of legislation aimed at strengthening the operational resilience of the financial sector in Europe in the face of disruptions and incidents. A wide range of entities, such as banks, payment providers, investment firms, crypto-asset service providers and ICT service providers, will need to be prepared for these new rules. While we wait for the publication of the final text of DORA, we take a look at what can be expected.
Context of DORA
DORA was originally proposed by the European Commission on September 24, 2020, as part of a broader digital finance package which aims to develop a harmonized European approach to fostering technological development while ensuring financial stability and consumer protection. In addition to the DORA proposal, the package contains a digital finance strategy, a proposal on crypto-asset markets (MiCA) and a proposal on distributed ledger technology (DLT).
Key aspects of DORA
- DORA establishes uniform requirements for the security of networks and information systems of companies and organizations operating in the financial sector. Some of DORA’s requirements include maintaining a well-documented ICT risk management framework, reporting major ICT incidents, and performing digital operational resilience testing (including penetration testing).
- The range of financial entities that will be subject to the new rules set out in DORA is extremely wide and, more importantly, the critical third parties that provide ICT-related services to financial entities (such as cloud platforms or data) will be brought within the regulatory framework. We can expect the final DORA text to confirm the approach to fines imposed on non-compliant ICT service providers (which was expressed in the initial proposed DORA text as a daily penalty payment of 1% of global daily average in the previous financial year).
- While statutory auditors and audit firms fell within the scope of the original DORA proposal published in 2020, the European Council confirmed that auditors would not be subject to DORA. The inclusion of auditors in the scope of DORA will be reconsidered in a future revision of the regulation.
- In addition, providers of essential ICT services from third countries to EU financial entities will be required to establish a subsidiary within the EU to allow for appropriate regulatory oversight.
How will DORA interact with the Directive on Security of Networks and Information Systems (the “NIS Directive”)?
- The NIS Directive is European cybersecurity legislation and came into force in 2016, helping to achieve a common high level of network and information system security across the EU.
- The Council stated that financial entities will have full clarity on the different digital operational resilience rules they must comply with, in particular financial entities holding multiple licenses and operating in different markets within the EU.
- Specifically, the Council noted that the NIS Directive continues to apply, with DORA building on the NIS Directive and addressing potential overlaps through a lex specialis exemption (i.e. the more specific rules take precedence over the more general ones).
- It should be noted that on May 13, 2022, the European Parliament and the Council reached a political agreement on a revised NIS Directive (“NIS Directive 2”), which will replace and update the current NIS Directive.
The revised DORA text has not yet been made public as of the date of this article. The provisional agreement reached is now subject to the approval of the Council and the European Parliament before going through the formal adoption procedure. Once DORA is adopted and enacted by EU member states, the designated European Supervisory Authorities will develop technical standards with which financial services institutions must comply, while national competent authorities will oversee compliance and enforce the regulation where necessary. It is expected that the new rules will apply 24 months after their entry into force.