In a previous alert, Too Important To Fail? Further Light on When EU and Non-EU Technology Providers Will Become Subject To DORA, we discussed the EU Digital Operational Resilience Act (DORA). We have also set up a microsite to address DORA and the similar regime in the UK: Financial Regulations for Critical Third-Party Technology Providers in the EU and UK.
DORA came into force on 16 January 2023 and will apply from 17 January 2025. In addition to the provisions of DORA that apply to EU financial entities, such as banks, broker-dealers, and insurers, DORA will also apply to critical third-party providers (CTPPs) that provide information and communication technology (ICT) services to EU financial entities. As we have noted before, DORA can apply to non-EU CTPPs, including those in the US and UK, that provide such services to EU financial entities.
On 18 September 2023, the EU Commission published a communication (Communication from the Commission – Commission Guidelines on the application of Article 4 (1) and (2) of Directive (EU) 2022/2555 (NIS 2 Directive), “the Communication”) setting out guidelines on how the provisions of the EU Network and Information Security Directive (NIS 2) apply to EU financial entities that are within the scope of DORA.
We noted the developments connected with NIS 2 in our recent update EU/UK Privacy & Cybersecurity News Roundup – Week of June 26, 2023. NIS 2 came into force on 16 January 2023. NIS 2 aims to modernise the existing EU-wide legal framework on cybersecurity (NIS 1) by extending the scope of the cybersecurity rules to new sectors and entities and by strengthening the resilience and incident-response capacities of public and private entities. In particular, NIS 2 recognises that financial institutions must ensure the continuous availability of their networks and information systems, because any disruption can have serious consequences for their clients and for the wider financial system. EU member states have until 17 October 2024 to transpose the NIS 2 requirements into national law, with those requirements taking effect on 18 October 2024.
The Communication seeks to clarify which provisions on cybersecurity risk-management measures and incident-reporting requirements apply to financial entities covered by both NIS 2 and DORA. Article 4 of NIS 2 provides that where a sector-specific EU legal act requires entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to those of NIS 2, the sector-specific act applies instead; DORA expressly designates itself as such a sector-specific act for financial entities.
The Communication makes it clear that the following DORA provisions, rather than the corresponding NIS 2 provisions, will apply to financial entities within the scope of both DORA and NIS 2:
- Information and communication technology risk management — DORA, Article 6
- Management of incidents related to information and communication technology (ICT), especially major ICT-related incident reporting — DORA, Article 17
- Digital operational-resilience testing — DORA, Article 24
- Information-sharing arrangements — DORA, Article 25 (in the adopted DORA text, Article 25 concerns testing of ICT tools and systems; the information-sharing arrangements on cyber threat information and intelligence are in Article 45)
- ICT third-party risk — DORA, Article 28
Although these provisions apply to EU financial entities rather than to CTPPs, CTPPs that provide cybersecurity solutions and other ICT services to EU financial entities will need to note their content, because EU financial-sector entities will have to comply with those provisions and will flow the appropriate contractual obligations down to their CTPPs.
The Commission’s preference for sector-specific legislation, such as DORA, to prevail over general legislation is significant, if unsurprising. In other areas, such as the regulation of artificial intelligence, for which the EU is seeking to establish general standards (see Primer on the EU AI Act: An Emerging Global Standard for Artificial Intelligence), this trend may continue, especially where sector-specific regulatory authorities, such as the European Banking Authority, are charged with supervising compliance.