We understand that the Council of the European Union (the Council) is getting closer to reaching a general approach on the proposed regulation on digital operational resilience for the EU financial sector (DORA). The Council, which consists of the EU Member States, has been discussing the proposal since September 2020. In advance of the Council Working Group meeting on 26 May 2021, the Portuguese Presidency circulated a draft compromise proposal. The draft compromise proposal contained a large number of proposed amendments to the Commission’s proposal. Set out below is an overview of the Presidency’s main proposed amendments.
- Scope and definitions
  - The scope of DORA is expanded to also include the reporting of major operational or security payment-related incidents to Member State competent authorities by credit institutions, payment institutions and electronic money institutions.
  - In Recital 22, a new paragraph is added to clarify that existing reporting obligations concerning incidents under the Payment Services Directive II (Directive (EU) 2015/2366) (PSD2) are completely transferred to DORA as regards financial entities simultaneously subject to DORA and PSD2.
  - A number of new definitions are included, aimed at clarifying the scope and framework of DORA. These include the definitions of “major operational or security payment-related incident” and “significant cyber threat”. Definitions of “subsidiary”, “group” and “parent undertaking” are now included in Article 2 as well.
- ICT risk management
  - A new Article 3a is included at the start of Chapter II (ICT risk management), Section I, to explicitly include the proportionality principle, providing that “Financial entities other than those referred to in Article 14a shall implement the rules on ICT risk management in this Chapter in accordance with the principle of proportionality, by taking into account the size of their undertaking, the nature, scale and complexity of their services, activities and operations, and their overall risk profile.” The proportionality principle was previously embedded in Article 4(1) of the Commission’s proposal.
  - In Article 7, amendments to the wording of paragraph 1 are proposed to address the concern that the identification of business functions might be restricted to only those functions that are ICT related in terms of the organisational structure of the financial entity. This way, all functions that are, to some extent, supported by ICT, and therefore relevant for the purpose of this requirement, would be taken into account.
  - A new Article 14a is added to provide proportionality for small and non-interconnected firms. They are exempted from Articles 4 to 14 but need to abide by a limited number of standards listed in Article 14a.
- ICT third-party risk
  - The Presidency also proposes to include explicit wording on the proportionality principle in provisions that give powers to the European Supervisory Authorities (ESAs) to draft delegated acts. In Article 27(4), the Presidency adds a subparagraph stating that the ESAs should take into account the size, nature, scale, complexity and overall risk profile of the financial entities when drafting delegated measures detailing the elements financial entities should consider when subcontracting critical or important functions to ICT third-party service providers.
  - It is proposed that the date of application be delayed from 12 to 24 months after the entry into force of DORA.
  - The obligations with regard to advanced testing of ICT tools, systems and processes based on threat-led penetration testing, and the requirements for testers laid down in Articles 23 and 24, would also become applicable 24 months after the entry into force of DORA. The original proposal stated that these provisions would apply 36 months after the entry into force of DORA.
EU Member States need to provide their comments to the draft compromise proposal by 3 June 2021.
The proposed DORA framework is part of the European Commission’s digital finance package. The package, which was published in September 2020, sets out the EU’s ambition on how it can support the digital transformation of finance in the coming years while regulating its risks. It aims to remove fragmentation in the Digital Single Market, to adapt the EU regulatory framework to facilitate digital innovation, to promote data-driven finance and to address the challenges and risks associated with digital transformation, including by enhancing the digital operational resilience of the financial system. Besides the DORA proposal, there are two other main legislative initiatives under the digital finance package, namely the proposed regulation on markets in crypto-assets (MiCA) and the proposed regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLTR). All three legislative initiatives are at present being discussed by the Council and the European Parliament.
On 14 April 2021, the European Parliament rapporteurs discussed their draft reports on these proposals, including DORA, in the European Parliament Economic and Monetary Affairs (ECON) Committee. The ECON Committee intends to vote on the draft reports before the summer recess.