The European Parliament has provisionally approved the Digital Operational Resilience Act (DORA) on November 11, in a bid to provide online security to financial institutions, including banks, insurance companies, and investment firms. With DORA, the EU aims to have laws in place and a uniform way to address and report cybercrimes impacting various sectors.
Lawmakers passed the legislation with a majority of 556, while 18 voted against it. Once the Council and the European Supervisory Authorities (ESAs) have given their approval, the formal adoption of the DORA framework will make it law in all EU member states. After this, the relevant European supervisory authorities will draw up technical standards for financial institutions to follow. These authorities include the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority.
DORA will bring more uniformity to security norms for the financial sector and for the critical third parties that provide information and communication technology (ICT) services to it, such as cloud platforms. The DORA framework would bring the following changes:
- Full DORA approval would mean that firms must ensure that they can withstand, respond to and recover from all kinds of ICT threats and attacks.
- Although auditors will not be subject to the DORA framework, they will need to conform to the future review of the regulations.
- Critical third-country ICT companies associated with financial entities will need to establish a subsidiary within the EU so that oversight can be carried out. The co-legislators suggested an additional joint oversight network to work on consistency among the European supervisory authorities across the various sectors.
- At the operational level, penetration tests would be conducted with the collaboration of several member states. Under close supervision, internal auditors may be permitted to take part.
- Financial entities will need to have complete knowledge of all the relevant and applicable laws on digital operations, especially institutions with multiple authorizations and connections within the EU.
DORA builds on the Network and Information Security (NIS) Directive and aims to bridge the gaps it left. The Commission proposed it on September 24, 2020, to protect consumers and support technological development.
“Financial institutions and companies, including in the crypto space, hold extremely sensitive information about customers and it is vital that EU-wide digital security measures are put in place to defeat the threat that exists,” Frances Fitzgerald, a center-right member of the European Parliament who participated in drafting the law, told reporters.
The European Union legislation comes close on the heels of the Australian parliament passing its amended privacy legislation. The new bill provides for heavier penalties for serious or repeated privacy breaches. It also gives individuals more freedom and rights when it comes to sharing their personal data.