On Thursday, 21 January, the Portuguese presidency of the Council holds its first working group on the review of the European Commission’s proposal for a Regulation on digital operational resilience for the financial sector (DORA). The Council is still in its initial phase of examining the proposal. The Council Presidency is taking an issue-by-issue approach, discussing a number of specific features of the DORA proposal during each meeting. In this context, it has not yet reached the stage of drafting compromise amendments. It is unlikely that the Council will adopt a general approach on the DORA proposal in the short term.

We understand that the Council Working Group meeting on 21 January will discuss the following aspects of the DORA proposal:

Oversight Framework

  • Concerning the structure of the Oversight Framework, the Working Group will discuss the function of the Lead Overseer, which will supervise the operational resilience framework at the European level. The discussion will cover the possible designation of an existing European Supervisory Authority (ESA) as the Lead Overseer. In addition, the Working Group will discuss the composition of the Oversight Forum, which would consist of the Chairpersons of the ESAs and one high-level representative of the relevant national competent authority (NCA) of each Member State, which will have voting rights. The executive directors of the ESAs, the European Commission, the ESRB, the ECB and ENISA will have seats as observers. The discussion will also cover arrangements for cases where multiple NCAs cover tasks under DORA, and possible information-sharing arrangements in this scenario. Lastly, the Working Group will discuss the arrangements for follow-up by ICT third-party service providers after they have received a recommendation from the Lead Overseer.

Interaction with the NIS Directive

  • The DORA Regulation should be considered a lex specialis vis-à-vis the Network and Information Security (NIS) Directive ((EU) 2016/1148). This means that DORA replaces the existing obligations for the financial sector to report incidents under the NIS Directive, as well as the substantive obligations under that Directive. The status of DORA in relation to the NIS Directive is not explicitly explained in the DORA proposal, and Member States are asked whether there is a need for a written clarification in the proposal. If so, Member States are asked whether this clarification should be placed in the Articles of DORA or rather in the recitals.
  • In the meantime, the NIS Directive itself is under review after the European Commission adopted an amending proposal in December 2020.