The European Association of CCP Clearing Houses (EACH), the European Central Securities Depositories Association (ECSDA), and the Federation of European Securities Exchanges (FESE) have expressed concerns regarding the implementation of the Digital Operational Resilience Act (DORA). The associations underscore the importance of proportionate cybersecurity rules and argue that current regulatory drafts may impose impractical demands on financial market infrastructures (FMIs).

Key points raised include the necessity for a proportional approach in DORA’s application. The associations assert that the European Securities and Markets Authority (ESMA) and national competent authorities (NCAs) should avoid excessively detailed requirements, particularly in areas such as threat-led penetration testing and sub-outsourcing monitoring, which could lead to high compliance costs and operational difficulties.

Decrease in cyber resilience

The associations also highlight the potential risks of over-reporting and the burden of administrative tasks. They caution that the current draft requirements for major incident reporting are overly detailed and could result in misleading information if assessments are made prematurely.

PostTrade 360 Nordic 2024

Furthermore, the groups are concerned about the tight timeline for implementing DORA’s Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). They argue that the industry may not have sufficient time to comply with new requirements by January 2025, risking a decrease in cyber resilience.

Clear transitioning

Additionally, the associations call for clear transitioning from existing regulations to DORA to avoid legal uncertainties and duplication of efforts. They emphasise the need for guidance on how existing sector-specific rules will be repealed or adapted.

To facilitate compliance, the associations suggest building upon existing frameworks and practices, rather than imposing a one-size-fits-all approach. They also stress the importance of effective coordination among supervisory authorities and the protection of sensitive business data during the implementation process.

The industry groups urge regulators to consider these suggestions to ensure that DORA enhances, rather than hinders, the digital operational resilience of Europe’s financial sector.