On 19 December 2019, the European Commission (Commission) published an inception impact assessment on a proposal for a regulation on digital operational resilience for the financial services sector.

The impact assessment has been published alongside a public consultation requesting feedback on how the financial services sector can be improved to be more secure and resilient to cyber-attacks.

The consultation welcomes input from stakeholders in four main areas:

  • requirements on ICT and security risk management in the legislative acquis applicable to the financial sector;
  • incident reporting requirements;
  • digital operational resilience testing framework; and
  • oversight of ICT third party providers to the financial institutions.

At this stage, the Commission is considering several policy options to achieve its objective. One option would be to have targeted amendments to EU financial services legislation (such as the possible revision of the directive on security of network and information systems) and a general yet bespoke legal framework addressing the digital operational resilience for all regulated entities, applying across the different financial sectors taking into account, where relevant, specific needs arising for financial services sectors.

The deadline for comments to the impact assessment is 16 January 2020 and the deadline for comments on the consultation is 12 March 2020. The Commission intends to adopt a proposal for a regulation establishing digital operational resilience for the financial services sector by Q3 2020.