The European Union strengthens the IT security of financial entities

The Council of the European Union and the European Parliament have reached a provisional agreement on the DORA regulation on digital operational resilience for financial entities. The text is intended to strengthen the IT security of the companies concerned in the event of a serious operational disruption.

The Union wants more security for financial entities

On May 11, 2022, the Council of the European Union issued a press release announcing that this agreement was a great step forward for financial entities. The members of the Council specify that, given the ever-increasing risk of cyberattacks, the European Union “strengthens the IT security of financial entities such as banks, insurance companies and investment firms”.


According to the press release, the DORA regulation sets uniform requirements for the security of the networks and information systems of companies and organizations active in the financial sector. It establishes a regulatory framework on digital operational resilience under which all such businesses must ensure that they can withstand all types of disruptions and threats, including emerging ones.

The text will be incorporated into the legislation of each Member State

This provisional agreement between the Council of the European Union and the European Parliament constitutes a solid framework that will help stimulate cybersecurity among financial entities, which are particularly prone to attacks. At the beginning of 2020, the London Stock Exchange had, for example, been the victim of a cyberattack. More recently, in 2021, the Central Bank of New Zealand was targeted by hackers. In January last year, the Governor of the Central Bank admitted that his institution had been hacked.

According to the provisional agreement, almost all financial entities will be subject to the new regulations. Even critical providers established in a third country that provide IT services to financial entities in the Union will be required to establish a European subsidiary, “so that supervision can be properly implemented”. The agreement also provides for penetration tests to be carried out regularly.

The press release specifies that once the proposed regulation has been formally adopted, it will become part of the legislation of each Member State of the European Union. It will then be up to the competent European authorities, namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), to establish technical standards for financial entities.
