United Kingdom (and EU regulation)

Member States discuss proportionality in DORA

On 12 April 2021 the Portuguese Presidency of the Council held a meeting to continue Member States’ discussions on the proposed regulation on digital operational resilience for the financial sector (DORA). The agenda for the meeting included discussion on proportionality in DORA as well as scope and timeline of specific regulatory technical standards (RTS) and entry into force and application of DORA. Key points to note:

Proportionality: noting that the issue of proportionality in DORA was one of the key issues of concern that were raised by Member States to date, the Presidency plans to address this issue by considering a broader approach and amendments to the text of the DORA proposal in order to further enhance the proportionality principle. To this end, the Presidency proposed certain options for Member States’ consideration, based on horizontal and sectorial approaches, as well as per types of in-scope financial entities.
Entry into force and application of DORA: referring to the previous discussions in the working group the Presidency noted that some Member States supported the extension of the application period for DORA (currently set at 12 months). One of the arguments raised in favour of the extension cited a large number of secondary legislation that will have to be developed after DORA has been finalised, and doing so in a 12-month window is a challenging task – notwithstanding time that the industry will need to prepare their compliance. To this end, the Presidency proposed for Member States’ consideration an option consisting of either a blanket extension of the application deadline for DORA (from 12 to 24 months) or developments of a phase-in calendar per specific issues.
Scope and timeline for RTS: noting a large set of RTS that will have to be adopted in a relatively short period of time, the Presidency proposed for Member States’ consideration the adoption of a sequential approach, whereby certain RTS would be developed 6 months earlier. In terms of the specific RTS to be developed for the purpose of ICT risk management provisions, Member States were asked to provide views whether they were in favour of maintaining a clear mandate for each of the European Supervisory Authorities to develop their own RTS, or whether they should be developed jointly.