Regulation (EU) 2022/2554 on digital operational resilience for the financial sector is Regulation 32022R2554. Its purpose is to lay down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities with a view to achieving a high level of digital operational resilience for the financial sector. Source: EUR-Lex and European Parliament procedure file.
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
- CELEX: 32022R2554
- Type: Regulation
- Dated: 2022-12-14
- Procedure: 2020/0266(COD)
- Lead committee: ECON
- Stage: Procedure completed
Official title: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
What it is
PURPOSE: to lay down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities with a view to achieving a high level of digital operational resilience for the financial sector.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: this proposal is part of the Digital Finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks. The digital finance package includes a new Strategy on digital finance for the EU financial sector with the aim to ensure that the Union’s financial services legislation is fit for the digital age, and contributes to a future-ready economy that works for the people, including by enabling the use of innovative technologies. The Union has a stated and confirmed policy interest in developing and promoting the uptake of transformative technologies in the financial sector, including blockchain and distributed ledger technology (DLT).
The Committee on Economic and Monetary Affairs adopted the report by Billy KELLEHER (Renew Europe, IE) on the proposal for a regulation of the European Parliament and of the Council on the digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014. The Commission's proposal for a legislative act on digital operational resilience in the financial sector (DORA) aims to establish uniform requirements for the security of networks and information systems to provide a comprehensive framework that will improve the management of digital risks by financial entities.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
The requirements for financial entities will concern: (i) information and communication technology (ICT) risk management; (ii) reporting of major IT-related incidents to the competent authorities; (iii) reporting of major payment-related operational or security incidents by credit, payment and electronic money institutions to the competent authorities; (iv) digital operational resilience testing; (v) information and intelligence sharing in relation to cyber threats and vulnerabilities; and (vi) measures to ensure sound risk management of third-party ICT service providers by financial entities.
This Regulation would be without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security. The proposal should apply to insurance intermediaries that are not micro, small or medium-sized enterprises, with the exception of undertakings which rely exclusively on organised automated sales systems. Statutory auditors and small and medium-sized audit firms would also be excluded from the scope of the Regulation, with some exceptions. The…
Frequently asked
What is Regulation (EU) 2022/2554 on digital operational resilience for the financial sector?
PURPOSE: to lay down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities with a view to achieving a high level of digital operational resilience for the financial sector. PROPOSED ACT: Regulation of the European Parliament and of the Council. ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council. BACKGROUND: this proposal is part of the Digital Finance package, a package of measures to further enable and support the
When was 32022R2554 adopted?
Regulation 32022R2554 is dated 2022-12-14. The full official text is on EUR-Lex.
What is the EU legislative procedure reference?
The procedure reference is 2020/0266(COD). You can follow it on the European Parliament's procedure file.
Primary sources
Summary extracted from the European Parliament's own per-stage procedure record. Data © European Union (Decision 2011/833/EU).