The legislative bodies of the European Union, the Council of the European Union (the Council) and the European Parliament (Parliament), are getting closer to reaching their individual positions on the proposed regulation on digital operational resilience for the EU financial sector (DORA). The proposal was published by the European Commission (Commission) in September 2020 and has been under discussion in both institutions over the past year. We expect the Parliament and the Council to reach their positions by the beginning of 2022, and trilogue discussions to reach a compromise between the co-legislators in spring or early summer 2022. Please find an update of current discussions in the sections below.
The proposed DORA framework is part of the Commission's digital finance package. The package sets out the EU's ambition for supporting the digital transformation of finance in the coming years while regulating its risks. It aims to remove fragmentation in the Digital Single Market, adapt the EU regulatory framework to facilitate digital innovation, promote data-driven finance and address the challenges and risks of digital transformation, including by enhancing the digital operational resilience of the financial system. Besides the DORA proposal, the digital finance package contains two further main legislative initiatives: the proposed regulation on markets in crypto-assets (MiCA) and the proposed regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLTR).
We understand that the Slovenian Presidency of the Council has circulated a new draft general approach on the proposed DORA. The draft general approach, dated 12 November 2021, is understood to be the first compromise proposal on DORA circulated since June 2021. The draft compromise proposal contains a large number of proposed amendments to the Commission’s proposal. Set out below is an overview of the Presidency’s main proposed amendments.
- The Council Presidency proposes to give Member States the opportunity to exclude from the scope of DORA institutions that are also explicitly excluded from the scope of the Capital Requirements Directive (2013/36/EU). This possibility also exists in the Payments Services Directive ((EU) 2015/2366) (PSD II).
- The Council Presidency also proposes amendments on the oversight framework. Following discussions in the Council Working Group on which European Supervisory Authority (ESA) should become competent to be the single Lead Overseer of critical ICT third-party service providers, the Slovenian Presidency now proposes to return to the original Commission proposal. In Article 28 of the original DORA proposal, the Joint Committee of the ESAs would be responsible for deciding which of the three ESAs would be appointed as Lead Overseer for each critical ICT third-party service provider. This decision would be based on the kind of financial entities that mainly make use of a given critical ICT third-party service provider.
- In Article 28(5), the Council Presidency adds wording to ensure that ICT third-party service providers that only provide ICT services in a single EU Member State, to financial entities that are themselves only active in that same Member State, cannot be designated as critical ICT third-party service providers.
European Parliament
On the Parliament side, rapporteur Billy Kelleher (Renew, IE) has circulated new compromise amendments dated 5 November 2021. Kelleher's proposed compromises were circulated among the other members of the Economic and Monetary Affairs (ECON) Committee to gain support for the adoption of the Committee's legislative report. The compromises mainly concern Chapters V (managing of ICT third-party risk), VI (information sharing arrangements) and VII (competent authorities):
- Kelleher proposes to exclude micro-enterprises from the obligation to set up a digital operational resilience testing programme in line with Article 21.
- Similarly, Kelleher proposes to exclude micro-enterprises from the requirement to adopt a strategy on third-party ICT risk under Article 25(3).
- With regard to the appointment of a Lead Overseer of critical ICT third-party service providers, Kelleher keeps the wording in line with the original proposal, thereby avoiding a possible contentious point of discussion during future negotiations with the Council (see above). When designating a Lead Overseer, however, an added amendment requires the ESAs to consult the European Union Agency for Cybersecurity (ENISA).
- To give in-scope entities more time to implement the DORA requirements, and the ESAs to develop delegated acts, Kelleher proposes to extend the date of application of DORA from 12 months to 24 months after its entry into force.