EU Agrees on Cybersecurity Laws to Protect Financial Sector


The European Parliament, the Council of the European Union and the European member states voted to pass two important pieces of legislation that will tighten cybersecurity requirements for firms to reduce the risks of cyber attacks. 

On Wednesday (May 11), the EU Parliament and the Council reached a provisional agreement on the Digital Operational Resilience Act (DORA). The deal still needs to be approved in a plenary session, but that is normally seen as a formality once there is political consensus.

“The new legislation will make sure that banks, insurers and financial institutions in the European Union are better equipped to prevent, detect and resolve digital operational risks and disruptions,” said MEP Alfred Sant in a press release.

DORA sets uniform requirements for the security of the network and information systems of companies in the financial sector, as well as of the critical third parties that provide them with information and communications technology (ICT) services. This means that cloud platforms such as those run by Microsoft, Google or Amazon will have to comply with the bill.

DORA also creates a regulatory framework on digital operational resilience, mandating that all firms ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The core aim is to prevent and mitigate cyber threats. 

Cloud providers and other critical third-country ICT service providers, such as data analytic services, will need to establish a subsidiary within the EU. This is to ensure proper oversight, according to the EU Parliament press release. Under the new rules, the European Supervisory Authorities (ESAs) will be authorized to access critical ICT third-party service providers directly — and sanction them if necessary.  

DORA partially covers the same risks addressed by the other cybersecurity law approved Friday (May 13), the Network and Information Security (NIS) directive.

The main difference is that DORA applies to financial services and critical third-country ICT providers, while the NIS directive applies to most firms and sectors. The provisional agreement shed some light on the different rules on digital operational resilience that financial entities need to comply with. DORA builds on the NIS directive and addresses possible overlaps via a lex specialis exemption, meaning that where the provisions conflict, DORA takes precedence.

Companies will still have time to prepare their cybersecurity systems and compliance departments as these rules will only go into effect after 24 months. 


On Friday (May 13), the European Parliament and the EU member states also reached a political agreement on the NIS 2 Directive, which sets out measures for a high common level of cybersecurity across the union. The NIS 2 Directive also strengthens the cybersecurity requirements imposed on companies, addresses the security of supply chains and supplier relationships, and introduces accountability of top management for non-compliance with the cybersecurity obligations.

The NIS 2 Directive now covers medium and large entities from more sectors that are critical for the EU, including providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration, both at the central and regional levels. 

Like DORA, this political agreement is now subject to formal approval. Once approval is granted, European member states will have 21 months to work it into national law.
