On 11 May 2022, it was announced that the Council presidency and the European Parliament had reached provisional agreement on the Digital Operational Resilience Act (DORA). The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.

The European Parliament’s press release on the provisional agreement notes that:

  • Co-legislators have provisionally agreed that the inclusion of statutory auditors and audit firms in the scope of the Regulation will be subject to a review within three years.
  • MEPs ensured that the ICT risk management framework should take into account significant differences between financial entities in terms of size, nature, complexity and risk profile. Negotiators agreed that ICT risk management requirements should not hamper financial entities from being innovative when they have to deal with digital operational resilience issues.
  • Negotiators agreed that critical ICT third-party service providers established in a third country should have a subsidiary in the EU, and that the European supervisory authorities should be informed of any change of its management structure.
  • Negotiators agreed that the rules should apply 24 months after they enter into force.