Merge pull request #18 from ldelavaissiere/patch-1

Update information_sharing_dora.md
master
Alexandre Dulaunoy 2022-12-30 16:39:34 +01:00 committed by GitHub
commit 819d2d089d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 13 deletions


@ -2,7 +2,7 @@
## Introduction
In light of the cyber threat landscape, European institutions have been working for a number of years on the development of new EU legislation to improve the operational and cyber resilience of the Union's financial sector. On 10<sup>th</sup> November 2022, the European Parliament's plenary session voted the final proposal of **DORA**, a new EU Regulation on **digital operational resilience** for the financial sector. This vote sets DORA to enter into force around early 2023 and into application around early 2025. A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously.
In light of the cyber threat landscape, European institutions have been working for a number of years on the development of new EU legislation to improve the operational and cyber resilience of the Union's financial sector. On 27<sup>th</sup> December 2022, the Official Journal of the European Union published the final text for **DORA**, a new EU Regulation on **digital operational resilience** for the financial sector _(Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector)_. This publication sets DORA to enter into application on 17<sup>th</sup> January 2025. A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously.
DORA will apply to a very wide range of entities, including non-financial sector entities:
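Review bot: the rewritten sentence drops the entry-into-force information that the old line carried ("enter into force around early 2023") and keeps only the 17 January 2025 application date; since the paragraph goes on to explain that a regulation is "immediately enforceable as law", readers will want both dates, so consider stating when the Regulation entered into force alongside the date it applies from. Also, the Official Journal publication does not itself "set" the application date, the Regulation's own text does, so "This publication sets DORA to enter into application on ..." reads better as "DORA applies from 17<sup>th</sup> January 2025."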
@ -10,7 +10,7 @@ DORA will apply to a very wide range of entities, including non-financial sector
- Payment and electronic money institutions
- Account information service providers
- Investment firms
- Crypto-asset service providers as authorized under MiCA and issuers of asset referenced tokens
- Crypto-asset service providers as authorized under MiCA and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
@ -29,37 +29,37 @@ DORA will apply to a very wide range of entities, including non-financial sector
## DORA provisions on information sharing
EU co-legislators have dedicated a chapter of DORA to information sharing in an effort to **reinforce the legal grounds** for information sharing arrangements on cyber threat information and intelligence. Under DORA's Art. 40:
EU co-legislators have dedicated a chapter of DORA to information sharing in an effort to **reinforce the legal grounds** for information sharing arrangements on cyber threat information and intelligence. Under DORA's Art. 45:
**Art. 40(1) - Exchange of cyber threat information and intelligence**
**Art. 45(1) - Exchange of cyber threat information and intelligence**
Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence
sharing:
<ol type="a">
<li>aims at enhancing the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats ability to spread, supporting defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages;</li>
<li>aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages;</li>
<li>takes places within trusted communities of financial entities;</li>
<li>is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.</li>
</ol>
**Art. 40(2) - Information sharing arrangements**
**Art. 45(2) - Information sharing arrangements**
For the purpose of Art. 40(1)(c), the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.
For the purpose of Art. 45(1)(c), the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.
**Art. 40(3) - Notification to competent authorities**
**Art. 45(3) - Notification to competent authorities**
Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once the latter takes effect.
## Relationship between DORA and the NIS2 Directive
As regards the interaction of DORA with the Network and Information Security (NIS) Directive (including its revision), financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS Directive and addresses possible overlaps via a _lex specialis_ exemption.
As regards the interaction of DORA with the Network and Information Security (NIS) Directive (including its revision whose final text was published simultaneously to DORA's), financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorisations and operating in different markets within the EU. The NIS directive continues to apply. DORA builds on the NIS Directive and addresses possible overlaps via a _lex specialis_ exemption.
## References
1. [EUR-Lex: Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52020PC0595)
2. [European Parliament's Legislative Train Schedule; Digital operational resilience for the financial sector](https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-cross-sectoral-financial-services-act-1)
3. [French Presidency of the Council of the European Union; Digital finance: Provisional agreement reached on DORA](https://presidence-francaise.consilium.europa.eu/en/news/digital-finance-provisional-agreement-reached-on-dora/)
4. [Wikipedia article on Regulation (European Union)](https://en.wikipedia.org/wiki/Regulation_(European_Union))
1. [EUR-Lex: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2022.333.01.0001.01.ENG&toc=OJ%3AL%3A2022%3A333%3ATOC)
2. [French Presidency of the Council of the European Union; Digital finance: Provisional agreement reached on DORA](https://presidence-francaise.consilium.europa.eu/en/news/digital-finance-provisional-agreement-reached-on-dora/)
3. [Wikipedia article on Regulation (European Union)](https://en.wikipedia.org/wiki/Regulation_(European_Union))
4. [Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2022.333.01.0080.01.ENG&toc=OJ%3AL%3A2022%3A333%3ATOC)
## Contact and Collaboration
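Review bot: the Art. 40 to Art. 45 renumbering is applied consistently (heading, paragraph labels and the cross-reference "Art. 45(1)(c)"), but two wording defects in the quoted Art. 45(1) text survive the edit: "limiting or impeding the cyber threats ability to spread" still lacks the possessive apostrophe ("cyber threats' ability"), and item (b) "takes places within trusted communities" should read "takes place". If these paragraphs are meant as verbatim quotations from the Regulation, check them against the published text now cited as reference 1 rather than editing the wording piecemeal. In the NIS2 paragraph, "published simultaneously to DORA's" should be "published simultaneously with DORA's", and since that sentence now relies on the NIS 2 Directive it would help to point to the newly added reference 4 there.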