Cyber Resilience Act & DORA Regulation

AFME seeks harmonisation between the EU's Cyber Resilience Act and DORA Regulation, underlining the need for clarity and avoiding regulatory duplication to balance cybersecurity with innovation in the financial sector.

Cyber Resilience Act & DORA Regulation
IN Cybersecurity Regulation

Cyber Resilience Act: AFME Sectoral Exemption for Financial Services

Association for Financial Markets in Europe Keywords Cyber Resilience Act DORA Regulation

The European Association for Financial Markets (AFME) has initiated a strategic dialogue with European Union regulators, seeking a tailored approach to the Cyber Resilience Act (CRA) for the financial sector. This request is deeply rooted in the belief that the Digital Operational Resilience Act (DORA) already encapsulates the necessary provisions for "products with digital elements" that are intrinsic to financial services. AFME's advocacy for a sector-specific exemption is aimed at harmonizing the financial industry's regulatory framework with that of other stringently regulated sectors, thereby enhancing the overall effectiveness of cyber resilience measures. The key points outlined in the AFME detailed policy briefing are:

  • Congruence between DORA and the CRA: AFME underscores the importance of recognizing the congruence between DORA and the CRA. The association commends the European Parliament for its initial acknowledgment of this overlap and strongly encourages the maintenance of this perspective in the definitive version of the CRA. The preservation of such recognition is crucial for avoiding regulatory duplication and ensuring that the financial sector can continue to operate with clarity and confidence in its compliance efforts.
  • Clear Guidelines: AFME champions the development of explicit guidelines that delineate the relationship between the Cyber Resilience Act and existing sector-specific legislation. This is particularly pertinent in the context of Remote Data Processing Solutions, where financial institutions are increasingly reliant on digital infrastructures that span across various jurisdictions and regulatory environments. Clear guidance in this area would facilitate a more streamlined and secure integration of these solutions within the financial sector's operational framework.
  • Cautious Implementation of Certification Schemes: The association also brings to light its concerns regarding the mandatory implementation of the EU’s cybersecurity certification schemes. While the intent to bolster cyber defenses is laudable, AFME cautions that such mandates could lead to unintended negative consequences. There is a risk that stringent certification requirements may inadvertently stifle innovation or impose disproportionate burdens on financial institutions, particularly smaller entities that may lack the resources to navigate complex certification processes.
  • Strong Regulatory Landscape: AFME's stance is not just about seeking exemptions or easing regulatory pressures; it is about advocating for a regulatory landscape that is both robust and agile enough to adapt to the rapidly evolving digital landscape. The financial sector's resilience against cyber threats is paramount, not only for the stability of individual institutions but also for the integrity of the European and global financial systems.

In conclusion, AFME's engagement with the EU's legislative process on the Cyber Resilience Act reflects a broader industry effort to ensure that cyber resilience regulations are smart, targeted, and conducive to the high level of operational resilience already being pursued under the Digital Operational Resilience Act. By emphasizing the need for sectoral exemptions, clear guidelines, and cautious implementation of certification schemes, AFME is actively shaping a regulatory environment that fosters both security and innovation within the financial sector.


Cyber Resilience Act with DORA Regulation for Financial Institutions


In the labyrinth of regulatory frameworks that govern Europe's financial markets, the European Association for Financial Markets (AFME) has taken a decisive step towards harmonization by engaging with EU regulators. The Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) are two pivotal pieces of legislation at the center of this dialogue. While DORA Regulation has been tailored specifically to the operational needs of the financial sector, the Cyber Resilience Act casts a wider net, potentially enveloping the same institutions within a duplicative regulatory scope.


AFME’s proactive engagement with policymakers serves as a prime example of the financial sector’s commitment to an efficient, clear regulatory environment. This is particularly salient given the rapid evolution of cyber threats, which demands an equally dynamic response from regulatory bodies and financial institutions alike. By advocating for a recognition of the congruence between DORA and the CRA, AFME is steering the conversation towards a more nuanced regulatory approach, one that avoids the pitfall of redundancy while bolstering the sector's resilience to cyber incidents.


The Cyber Resilience Act's Impact on Financial Sector Innovation


The potential implications of the Cyber Resilience Act on the financial sector's capacity to innovate cannot be overstated. Cybersecurity is not a static field; new threats emerge with alarming frequency and sophistication. In this context, the rigidity implied by the EU's cybersecurity certification schemes could hinder the agility of financial institutions. These schemes, as currently envisaged under the CRA, may inadvertently prioritise compliance over the pursuit of cutting-edge cybersecurity solutions.


This delicate balance between securing the financial sector and enabling it to innovate is at the heart of AFME's concerns. Financial institutions are already operating in a highly regulated environment; adding another layer with the CRA could compound the complexity and inadvertently slow down the adoption of innovative cybersecurity technologies. Therefore, any regulatory measures, including the CRA, must be flexible enough to support the quick adoption of advanced cybersecurity solutions that can outpace the tactics of cybercriminals.


Aligning the DORA Regulation with the Broader Cybersecurity Framework


DORA Regulation has already established a comprehensive framework for managing digital risks in the financial sector. It underscores the importance of cybersecurity as a cornerstone of operational resilience, recognizing the systemic risks that cyber incidents can pose to financial stability. However, the advent of the Cyber Resilience Act introduces a potential overlap, which AFME is keen to resolve through strategic exemptions and clarifications.


By seeking alignment between DORA and the CRA, AFME aims to streamline the compliance process for financial institutions, freeing them to focus on their core mission of providing financial services securely and efficiently. The objective is not to dilute the rigor of cybersecurity standards but to ensure that regulations like DORA and the CRA operate in concert, each complementing the other without unnecessary duplication of efforts or confusion among regulated entities.


The Way Forward: Strategic Advocacy and Compliance in the Financial Sector


The future of cybersecurity regulation within the financial sector is inextricably linked to ongoing technological developments and the regulatory responses to these changes. As financial institutions navigate this evolving landscape, strategic advocacy and compliance efforts become crucial. This means not only adhering to existing regulations like DORA but also shaping future ones like the CRA.


Financial institutions must be alert to changes on the horizon, such as the full implementation of the Cyber Resilience Act and the finalization of DORA Regulation requirements. They must prepare not only to meet these regulations but to engage in the policy-making process, ensuring that the unique needs and challenges of the financial sector are addressed.


In conclusion, the European financial sector stands at a crossroads, with the Cyber Resilience Act and DORA Regulation framing the path ahead. For financial institutions, the priority is clear: maintain the rigor of cybersecurity measures while advocating for a regulatory environment that promotes both security and innovation. As AFME's engagement demonstrates, the industry's ability to effectively navigate this path will shape the cybersecurity landscape of Europe's financial markets for years to come.




Read More

AFME > News > Views from AFME
The Association for Financial Markets in Europe (AFME) is the voice of Europe’s wholesale financial markets. We represent the leading global and European banks and other significant capital market players.




Grand is Live

Check out our GPT4 powered GRC Platform

Sign up Free

Reduce your
compliance risks