Cyber Resilience Act & DORA Regulation

AFME seeks harmonisation between the EU's Cyber Resilience Act and DORA Regulation, underlining the need for clarity and avoiding regulatory duplication to balance cybersecurity with innovation in the financial sector.


Cyber Resilience Act: AFME Sectoral Exemption for Financial Services

Keywords: Association for Financial Markets in Europe, Cyber Resilience Act, DORA Regulation

Seeking a tailored implementation of the Cyber Resilience Act (CRA) for the financial industry, the Association for Financial Markets in Europe (AFME) has opened a strategic engagement with European Union regulators. The underlying premise of its proposal is that the essential provisions for "products with digital elements", which are integral to financial services, are already covered by the Digital Operational Resilience Act (DORA). To improve the overall efficacy of cyber resilience measures, AFME is advocating for a sector-specific exemption that would align the financial industry's regulatory treatment with that of other heavily regulated industries. The main points of AFME's full policy briefing are:

  • Congruence between DORA and the CRA: AFME emphasises the importance of acknowledging the congruence between DORA and the CRA. The association firmly supports preserving this viewpoint in the final version of the CRA and applauds the European Parliament for its early recognition of the overlap. To prevent regulatory redundancy and to guarantee that the financial sector can continue to operate with clarity and confidence in its compliance efforts, it is imperative that this recognition be preserved.
  • Clear Guidelines: AFME advocates the creation of clear guidelines outlining the interplay between the Cyber Resilience Act and existing industry-specific laws. This is especially relevant for remote data processing solutions, since digital infrastructures spanning several regulatory environments and jurisdictions are becoming increasingly important to financial institutions. Clear guidelines in this area would enable a more seamless and secure integration of these solutions within the operational framework of the financial sector.
  • Cautious Implementation of Certification Schemes: The association also expresses reservations about the EU's cybersecurity certification programmes being made mandatory. Although strengthening cyber security is a commendable goal, AFME warns that such mandates may have unforeseen harmful effects. Rigid certification standards run the risk of unintentionally hindering innovation or placing an unfair burden on financial institutions, especially smaller ones that lack the means to deal with complicated certification procedures.
  • Strong Regulatory Landscape: The goal of AFME's position is to support a regulatory framework that is strong and flexible enough to keep up with the rapidly changing digital landscape, rather than merely to find ways around regulations or to seek exemptions from them. Resilience of the financial industry against cyber threats is critical for the stability of individual institutions as well as for the integrity of the European and international financial systems.

To sum up, AFME's involvement in the EU's Cyber Resilience Act legislative process is part of a larger industry effort to ensure that cyber resilience laws are well-judged, focused, and supportive of the high degree of operational resilience already being pursued under the Digital Operational Resilience Act. By highlighting the need for sector-specific exemptions, lucid guidelines, and cautious implementation of certification schemes, AFME is actively shaping a regulatory environment that supports both innovation and security in the financial industry.


Cyber Resilience Act with DORA Regulation for Financial Institutions


By engaging with EU authorities, the Association for Financial Markets in Europe (AFME) has taken a significant step towards harmonisation within the complex regulatory frameworks that oversee Europe's financial markets. Two important pieces of legislation are at the core of this discussion: the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA). Although the DORA Regulation is primarily designed to meet the operational requirements of the financial industry, the Cyber Resilience Act broadens the regulatory scope and may cover the same institutions twice.


AFME's proactive engagement with legislators demonstrates the financial industry's commitment to an effective and transparent regulatory framework. This is especially important given how quickly cyber risks are evolving, which demands a similarly quick reaction from both financial institutions and regulatory agencies. By arguing for recognition of the congruence between DORA and the CRA, AFME is steering the discussion towards a more nuanced regulatory approach that avoids the pitfalls of redundancy while enhancing the sector's resilience to serious cyber incidents.


The Cyber Resilience Act's Impact on Financial Sector Innovation


The possible effects of the Cyber Resilience Act on the innovation potential of the financial sector are hard to overstate. Cybersecurity is a dynamic field, with new threats appearing with alarming regularity and sophistication. In this context, the rigidity implied by the EU's cybersecurity certification schemes may hamper financial institutions' flexibility. As currently envisioned under the CRA, these schemes might unintentionally place compliance ahead of the development of cutting-edge cybersecurity solutions.


At the core of AFME's concerns is the fine balance between protecting the financial sector and allowing it to develop. The financial industry is already heavily regulated; adding the CRA could complicate matters further and unintentionally impede the uptake of advanced cybersecurity solutions. As a result, all regulatory measures, including the CRA, must be adaptable enough to encourage the rapid adoption of cybersecurity solutions that can stay ahead of fraudsters' strategies.


Aligning the DORA Regulation with the Broader Cybersecurity Framework


In the financial sector, the DORA Regulation has already created a thorough framework for managing digital risks. Recognising the systemic dangers that cyber incidents might pose to financial stability, it treats cybersecurity as a cornerstone of operational resilience. The Cyber Resilience Act, however, creates a possible overlap that AFME is eager to address through considered exclusions and clarifications.


By pursuing alignment between DORA and the CRA, AFME hopes to simplify financial institutions' compliance procedures and free them to concentrate on their primary objective of delivering financial services securely and effectively. The goal is not to lessen the strictness of cybersecurity standards but to ensure that laws like the CRA and DORA work together harmoniously, reinforcing one another without needless duplication of effort or confusion among regulated businesses.


The Way Forward: Strategic Advocacy and Compliance in the Financial Sector


Within the financial sector, ongoing technical innovation, cybersecurity, and the regulatory reactions to both are closely tied to one another. Financial institutions must pursue strategic advocacy and compliance efforts as they navigate this changing environment. This entails influencing new laws like the CRA as well as complying with current ones like DORA.


Financial institutions need to be aware of impending developments, such as the finalisation of the DORA Regulation requirements and the full implementation of the Cyber Resilience Act. In addition to preparing for these regulations, they need to be ready to participate in the policy-making process and to ensure that the particular requirements and difficulties faced by the financial industry are taken into account.


In conclusion, the Cyber Resilience Act and the DORA Regulation outline the future course for a European financial sector that is at a crossroads. Financial institutions have a clearly defined priority list: upholding strict cybersecurity regulations while supporting a regulatory environment that fosters both innovation and security. As AFME's involvement indicates, the sector's ability to navigate this route successfully will determine how the cybersecurity of Europe's financial markets looks for years to come.




Read More: AFME > News > Views from AFME

The Association for Financial Markets in Europe (AFME) is the voice of Europe's wholesale financial markets. We represent the leading global and European banks and other significant capital market players.



