A new step in the adoption of the Digital Finance Package

A digital finance package (the “Package”) which aims at further enabling and supporting the potential of digital finance in terms of innovation and competition while mitigating the risks is partially adopted by the EU institutions.

The Package includes the following four texts:

  • Regulation (EU) 2022/858 of the European Parliament and of Council of 30 May 2022 on a pilot regime for market infrastructures based on distributed ledger technology (DLT Pilot regime);
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA);
  • Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 as regards digital operational resilience for the financial sector;
  • Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets (MiCAR).

On 27 December 2022, DORA was published in the Official Journal of the European Union, together with Directive (EU) 2022/2556.

DORA creates a regulatory framework on digital operational resilience pursuant to which all firms must ensure that they can withstand, respond to and recover from all types of information and communication technology (“ICT”) related disruptions and threats. The new rules will provide a strong framework to strengthen IT security in the financial sector. More specifically, DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities and applies to twenty categories of financial entities and to ICT third-party service providers. The main requirements pertain to internal governance and control framework and ICT risk management framework.

Financial entities have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in order to achieve a high level of digital operational resilience.

Financial entities have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

Financial entities define, establish and implement an ICT-related incident management process to detect, classify, manage and notify ICT-related incidents and cyber threats Financial entities report major ICT-related incidents to the relevant competent authority and in certain cases to their clients. They may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients. Such requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.

DORA sets out digital operational resilience testing programme that follows a risk-based approach and is undertaken by independent parties, whether internal or external. Financial entities carry out at least every 3 years advanced testing by means of threat-led penetration testing.

Financial entities manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and have in place contractual arrangements for the use of ICT services to run their business operations, which follows an assessment process.

Regarding Directive 2022/2256, it amends several financial directives, including Directive 2013/36 on Capital requirements (CRD) and Directive 2014/64 on Markets in financial instruments (MiFID II) to address ICT risks, notably where financial institutions use technologies enabling digital representations of value or of rights to be transferred and stored electronically, using distributed ledger or similar technology (crypto-assets), and of services related to those assets and to ensure a consistent implementation of the new framework on digital operational resilience for the financial sector.

The requirements for contingency and business continuity plans set out in CRD are amended to include business continuity plans and response and recovery plans concerning ICT risk, in accordance with the requirements laid down in DORA and in the Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process issued by the European Banking Authority.

The provisions of MiFID II are aligned with DORA as regards continuity and regularity in the provision of investment services and in the performance of investment activities, operational resilience, the capacity of trading systems, and the effectiveness of business continuity arrangements and risk management.

On 17 January 2025, Regulation 2022/2554 applies, and Directive 2022/2556 shall be implemented into national laws.

Further information upon DLT Regime and MiCAR are available on our website.

Aurélia Viémont
Partner | Avocat à la Cour

Sarah Hantscher
Managing Associate | Avocat à la Cour

Mélanie Poirrier
Managing Associate, Luxembourg

Anne Picot-Guillot
Professional Support Lawyer