MEPs expected to vote on final DORA text in September

The EU’s proposed new Digital Operational Resilience Act (DORA) would  effectively codify requirements around ICT security risk management and outsourcing that are contained in a suite of guidelines produced by EU authorities, enhancing requirements financial institutions face in areas such as business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as in relation to contractual arrangements they put in place with ICT third-party service providers.

DORA also envisages direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance. A similar regime impacting ‘critical third parties’, which is expected to impact cloud computing providers and other technology suppliers, is anticipated in the UK.

DORA was first proposed by the European Commission in September 2020. Since then, the proposals have been subject to scrutiny and amendment by the EU’s two law-making bodies – the European Parliament and Council of Ministers.

The Parliament and Council reached provisional agreement on the DORA text in May and the ‘finalised’ text agreed on was subsequently published in June. Last week, DORA hit another milestone in its passage into EU law when MEPs in the Committee on Economic and Monetary Affairs (ECON) adopted the draft legislation, with 41 MEPs voting in favour and none against. There were six abstentions. 

The ECON’s vote paves the way for DORA to be put to a vote in a plenary session of the European Parliament where all MEPs will decide whether the text should be adopted. A similar vote of the Council – the umbrella body that brings together representatives of the national governments of EU member states – is also necessary for draft legislation to become EU law. A European Parliament spokesperson confirmed to Out-Law that the plenary vote on DORA will probably take place in September, but that no final date has been set yet.

“The financial services sector will welcome the negotiation period for DORA coming to an end and obtaining some clarity around the EU's approach to data security incident response requirements, third party risk management and what impact in practice the close supervision of the largest critical ICT third-party providers will have on their approaches to risk management,” said Luke Scanlon of Pinsent Masons who specialises in the application of technology law in the financial services sector.

“The regulation has changed significantly from the position first published by the European Commission. Regulated entities therefore now need to undertake the task of comparing how their approaches towards digital operational resilience and third party risk management, which have been developed to meet current regulatory requirements, will need to be revised to address the requirements of DORA,” he said.