Article 42 Digital Operational Resilience Act (DORA), Cooperation With Structures And Authorities Established By Directive (EU) 2016/1148

Sep 12, 2024

The Digital Operational Resilience Act (DORA) serves as a cornerstone in the European Union's efforts to enhance the resilience of the financial sector against cyber threats and information and communication technology (ICT) risks. Article 42 of DORA emphasizes the importance of fostering cooperation and facilitating supervisory exchanges between the competent authorities designated under DORA and the structures and authorities established by Directive (EU) 2016/1148, commonly known as the NIS Directive. This article outlines the mechanisms through which these entities can collaborate to strengthen the EU's overall cyber resilience framework.

Enhancing Cooperation Through the Cooperation Group

The NIS Directive, which aims to achieve a high common level of security across the EU for network and information systems, established the Cooperation Group under Article 11. This group is a key platform for facilitating strategic cooperation and the exchange of information among EU Member States to ensure effective cybersecurity measures.

Under Article 42 of DORA, the European Supervisory Authorities (ESAs) and competent authorities responsible for overseeing financial entities' compliance with DORA are encouraged to actively engage with the Cooperation Group. This engagement is crucial for aligning the efforts of financial sector regulators with broader EU cybersecurity initiatives. To facilitate this, the ESAs and competent authorities may request to be invited to participate in the workings of the Cooperation Group.

The inclusion of ESAs and competent authorities in the Cooperation Group’s activities is a strategic move to enhance cross-sector collaboration. By participating in these discussions, financial sector regulators can gain insights into the cybersecurity challenges faced by other sectors and share their own experiences and best practices. This cross-pollination of ideas is essential for developing a comprehensive approach to cybersecurity that takes into account the interdependencies between different sectors.

Moreover, the active participation of financial sector regulators in the Cooperation Group helps ensure that the specific needs and challenges of the financial sector are considered in broader EU cybersecurity initiatives. Given the financial sector's critical role in the economy and its attractiveness as a target for cyberattacks, it is vital that its interests are adequately represented in discussions about EU-wide cybersecurity strategies.

Consulting with National Cybersecurity Structures

In addition to fostering cooperation at the EU level, Article 42 of DORA also emphasizes the importance of collaboration at the national level. Competent authorities responsible for supervising financial entities under DORA are encouraged to consult, where appropriate, with the single point of contact (SPOC) and the national Computer Security Incident Response Teams (CSIRTs) established by the NIS Directive.

The SPOC, as outlined in Article 8 of the NIS Directive, serves as the primary liaison between the national authorities and the Cooperation Group. By consulting with the SPOC, competent authorities can ensure that their supervisory activities are aligned with national cybersecurity strategies and that they are aware of any relevant developments or threats identified at the national level.

Similarly, the national CSIRTs, referred to in Article 9 of the NIS Directive, play a critical role in responding to cybersecurity incidents and managing risks. By consulting with the CSIRTs, competent authorities can leverage the expertise and resources of these specialized teams to enhance their own supervisory activities. This collaboration is particularly important in the context of managing and mitigating the impact of cyber incidents that affect financial entities.

Furthermore, consulting with the SPOC and CSIRTs allows competent authorities to ensure that their actions are coordinated with other national authorities and that they are contributing to a unified national response to cyber threats. This coordination is essential for avoiding duplication of efforts and ensuring that resources are used effectively.

Strengthening the EU's Cyber Resilience Framework

Article 42 of DORA represents a significant step forward in the EU's efforts to create a more integrated and cohesive approach to cybersecurity across different sectors. By fostering cooperation between financial sector regulators and the structures established by the NIS Directive, the EU is laying the groundwork for a more resilient and secure digital environment.

The emphasis on cross-sector cooperation reflects a recognition that cybersecurity is not just a concern for individual sectors but a challenge that affects the entire economy. The financial sector, given its critical importance and its reliance on digital technologies, has a unique role to play in this broader cybersecurity ecosystem. By engaging with the Cooperation Group and consulting with national cybersecurity structures, financial sector regulators can ensure that their efforts are aligned with those of other sectors and that they are contributing to the overall resilience of the EU.

Conclusion

Article 42 of DORA underscores the importance of collaboration at both the EU and national levels to enhance the digital operational resilience of the financial sector. Through active participation in the Cooperation Group and consultation with national cybersecurity structures, competent authorities can strengthen their supervisory activities and contribute to a more robust and coordinated response to cyber threats across the EU. This approach not only benefits the financial sector but also supports the broader goal of achieving a high level of cybersecurity across all sectors of the EU economy.