The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed as a result of the risks arising from the increase in digital opportunities within the financial sector. There are currently no detailed rules at EU level on digital operational resilience, exposing the need for comprehensive and harmonized legislation governing this area.
The proposed Regulation would apply to credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, administrators of critical benchmarks, trade repositories, managers of alternative investment funds and other financial market infrastructures and insurance firms. Key proposed provisions include:
- Governance related requirements, covering management bodies’ roles in steering firms’ ICT risk management frameworks;
- ICT risk management requirements, including the identification, prevention, detection of and recovery from ICT risks;
- ICT-related incident reporting, covering the monitoring of ICT-related incidents and the reporting of major incidents to relevant regulators and, in some cases, clients;
- Digital operational resilience testing, requiring periodic testing of ICT tools and systems;
- ICT third-party risk, relating to ICT risk arising from third-party providers; and
- Information sharing, permitting financial entities to establish arrangements to share cyber threat information and intelligence.
The proposed Regulation would function in tandem with the existing EU Directive on security of network and information systems (known as the NIS Directive). The NIS Directive is designed to improve the overall level of cybersecurity across the EU. The financial sector would remain within the scope of the NIS Directive, but be required to comply only with the Regulation in the case of overlaps between the proposed Regulation and the NIS Directive.
The proposed amending Directive would amend the UCITS Directive, the Solvency II Directive, the Alternative Investment Fund Managers Directive, the Capital Requirements Directive, the revised Markets in Financial Instruments Directive and the revised Payment Services Directive to incorporate cross-references to the Commission’s proposed new Regulation on digital operational resilience. The proposed amending Directive also clarifies the legal treatment of crypto-assets qualifying as financial instruments and temporarily exempts distributed ledger technology market infrastructures from certain provisions of MiFID II (complementing the Commission’s separate proposed Regulation on a pilot regime for distributed ledger technology).
The proposed Regulation and Directive form part of the EU’s package of measures on digital finance which are designed to support digital finance innovation while mitigating risks. The Commission has simultaneously published its EU Digital Finance Strategy, setting out its key priorities for the digital transformation of the EU financial sector over the coming years, along with proposed Regulations on markets in crypto-assets and a pilot regime on distributed ledger technology market infrastructure.
View the Commission’s proposed Regulation.
View the Commission’s Impact Assessment on the proposed Regulation.
View the Regulatory Scrutiny Board Opinion of the Impact Assessment on the proposed Regulation.
View the Commission’s proposed Directive.
View details of the EU’s Digital Finance Strategy.
View details of the EU’s proposed Regulation on a pilot regime for distributed ledger technology.