President. – The next item is the joint debate on:
– the report by Billy Kelleher, on behalf of the Committee on Economic and Monetary Affairs, on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (COM(2020)0595 – C9-0304/2020 – 2020/0266(COD)) (A9—0341/2021), and
– the report by Mikuláš Peksa, on behalf of the Committee on Economic and Monetary Affairs, on the proposal for a directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341 (COM(2020)0596 – C9-0303/2020 – 2020/0268(COD)) (A9-0340/2021).
Billy Kelleher, rapporteur. – Madam President, first and foremost, I am delighted to be here presenting this particular report to Parliament.
The financial sector has always been an attractive target for cyberattacks, given the potential lucrative gains, and cybersecurity, as all security has been a long—standing priority for the sector. However, the legal requirements and financial entities across the EU differed, depending on the services they provided or where they were located. There was just a patchwork of rules and regulation. Moreover, as the sector became more digitised, the interconnectivity with, and the reliance on, the tech sector has increased the chances and the risks of a cyberattack.
DORA seeks to address both of these issues and to create a robust and harmonised security framework across the entire EU financial sector. I suppose that due to geopolitical issues, the importance of this framework has unfortunately been thrown into the limelight and become more pertinent since Russia has invaded Ukraine. It does indicate the great risk that we are at, if we have a very aggressive neighbour like Russia that is willing to attack people, destroy electrical infrastructure, to make people cold, to use food as a weapon and to weaponize energy, then be in no doubt that Russia would be willing and very capable of attacking our fundamentals in terms of financial services. We have to be very conscious of that.
I approached this file with three principles. First and foremost, proportionality, then future—proofing and maintaining and encouraging the competitiveness of the EU’s financial services and tech sectors. I think we achieved that in the final text. DORA takes an ambitious approach to third—party ICT providers, such as cloud computing providers to the financial sector, in that it introduces an oversight framework.
It was very important to ensure this oversight framework had robust and just governance, and that we recognise that such oversight is novel and there will be many lessons to be learned from us and expertise to be developed in the period ahead. Therefore, despite some initial reluctance from Member States, the resulting governance structures ensures that all European financial supervisors are involved and that they don’t start working in silos again at Member State level. In other words, there’s a cross—fertilisation of ideas.
I am proud to say that, as co—legislators, we avoided imposing location requirements. This was a quite a contentious issue early on. ICT providers building a ‘fortress Europe’ and making it unattractive for global companies to do business with our European companies will not strengthen the security of EU markets. I would urge the Commission to avoid undermining the approach taken to third—country ICT providers in DORA, for example, and in the upcoming EU Cloud Certification scheme.
The agreement was voted in ECON on 20 July 2022, with 41 in favour, zero against and six abstentions. I have to say that I am extremely disappointed with the ID Group, who have tabled a number of amendments – and I don’t mean to make an overtly political point on this, but time and again we see people on the left and on the very right tabling amendments on an agreed compromise text. I wouldn’t mind if they were involved in the process, but they never engaged in it. My office was as open with every political grouping, and not once was there any engagement from the ID Group. So from that perspective, I am deeply, deeply disappointed that we now see amendments being tabled when there was an opportunity to engage in the process whereby we actually agreed a text between most political groupings. Therefore, I would urge the House to vote against the amendments and stick to the agreed text.
Finally, I would like to thank Mikuláš Peksa, the rapporteur for the DORA amending directive, and my Renew colleague Bart Groothuis, the rapporteur for the NIS Directive, for their cooperation and alignment during the legislative process. Finally, I would like to thank all the shadow rapporteurs, including Frances Fitzgerald, who is also a colleague of mine, and all the others who engaged in the process. I will be summing up later on so will be able to thank you on an individual basis then as well.
Mikuláš Peksa, zpravodaj. – Paní předsedající, vážené kolegyně, vážení kolegové, DORA se snad zdá být na první pohled něčím poměrně technickým, ale ve skutečnosti je to docela zajímavý soubor a přináší poměrně významný pokrok v naší společné kybernetické bezpečnosti. Je to harmonizace, která má potenciál ušetřit poměrně velké množství peněz, a tak je to jeden z dobrých příkladů, proč vlastně pro zajištění bezpečnosti našeho finančního sektoru potřebujeme Evropskou unii a proč mu Evropská unie dává podstatně větší odolnost. Takže čeho jsme dosáhli?
Jednak jsme našli shodu nad několika základními principy, protože pravidla vyžadují jasné řízení a definovanou odpovědnost v řízení IT a mapování kritických a vedlejších funkcí. Pravidelné testy a jasné podmínky znamenají nejen jistotu odolnosti, ale i harmonizovaná pravidla po celé Evropě. Například banky teď nebudou muset pro každou národní pobočku řešit náročné a drahé testování znovu a znovu, ale můžou se spolehnout na tento společný rámec. Co považuji za zásadní: přesun z bezpečnosti typu nikdy nesmí nic proniknout k realističtějšímu modelu vytrvalosti, resilienci. My žádáme minimální časy, po kterých musí být služba připravena znovu fungovat. Zavazujeme banky, aby o útocích rychle reportovaly, a tím umožnily dalším aktérům se připravit na nové typy úderů. A zároveň chráníme práva bank rychle vyměnit nespolehlivého nebo jinak kompromitovaného dodavatele služeb.
Oblast, kde je ještě určitě prostor pro zlepšení, je právě sdílení zkušeností. To rychlé a standardizované reportování je dobrý první krok, ale měli bychom určitě chtít víc, protože podporujeme jednotlivé hráče v tom, aby sdíleli informace, ale měli bychom chtít jít ještě dál a chtít jednotné reportovací centrum v rámci Evropské unie, které by umožnilo rychleji reagovat na hrozby a poskytlo platformu ke sdílení těch citlivých problémů na neutrální půdě. Text zatím nemá žádné vyhodnocení těchto možností, ale určitě lze doufat, že v budoucnu se do nich pustíme a odemkneme další úspory a zvýšení bezpečnosti, protože transparence a důvěra pomáhají a určitě pomáhají snižovat rizika v bankovním sektoru. Obzvlášť tedy vzhledem k té současné bezpečnostní situaci jsou zásadní pravidla pro poskytovatele IT služeb. Zjednodušeně, pokud mají firmy důvěryhodně poskytovat bezpečnost evropským bankám, musí mít jasnou přítomnost v Evropě, protože prostě nemůžeme svěřit naši kritickou infrastrukturu nedůvěryhodným aktérům.
Dosáhli jsme návrhu pravidel pro bezpečnost finančních institucí na jednotném trhu. Určitě jsou v něm body, které se budou po několika letech přehodnocovat. A těžko v tuhle chvíli říkat, jaké to bude, protože DORA je přiznaně první dokument svého druhu na světě. Američané ani nikdo jiný nic podobného nemají. A to je, myslím si, na evropských řešeních podstatné, protože my jsme našli kompromis, který nás posouvá dopředu. Za pár let ho určitě dál zhodnotíme a vylepšíme, ale v tuhle chvíli je to prostě velmi významný krok, který činí náš finanční sektor jedním z nejpokrokovějších a nejbezpečnějších na celém světě.
Mairead McGuinness,Member of the Commission. – Madam President, colleagues, it’s a pleasure to be here for the conclusion of the work on this Digital Operational Resilience Act, or DORA.
My thanks to the honourable Members of the ECON Committee for their work. Of course, in particular, our thanks go to the two rapporteurs – Billy Kelleher, for the DORA Regulation, and you’ve just heard from the rapporteur on the DORA Directive, Mikuláš Peksa – and all of the shadow rapporteurs.
DORA is really a cornerstone of our work on digital finance in the European Union, making sure that we support innovation and do it in a safe way. This work began just over two years ago and in fact it’s become much more urgent as the digitalisation of the financial sector continues apace.
Financial institutions are more and more dependent on technology. More and more people and businesses are managing their finances online. So protecting the financial system from cyberattacks and cyber—fraud is vital.
So, when I look at the objectives, DORA aims to strengthen the overall digital operational resilience of all firms in the EU financial sector. It creates a regulatory framework on digital operational resilience for all financial companies. So these companies will need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. DORA requires financial entities to set up a management process to monitor, classify and report major ICT-related incidents.
Financial entities will need to regularly test their risk-management capabilities to ensure that they can identify weaknesses and address problems.
Finally, DORA will, for the first time, give financial supervisors direct oversight over ICT providers that are critical to the EU financial system.
I welcome the amendments to the proposal by the European Parliament steered by the honourable Members I’ve mentioned. You strengthen proportionality in DORA. You have introduced additional flexibility for financial entities in terms of resilience testing and you have provided for a coordinated approach to oversight through the Joint Oversight network.
Given the rapid digitalisation of our financial system, strengthening its operational resilience is absolutely essential. President, honourable Members, I look forward to the rest of our discussion this evening.
PREDSEDÁ: MICHAL ŠIMEČKA podpredseda
Frances Fitzgerald, on behalf of the PPE Group. – Mr President, Commissioner, colleagues, it is not possible to talk about security without talking about digital. Today, the threats to society and our way of life exist just as much online as they do on a battlefield. We are it seeing right now with the ever-increasing number of cyberattacks coming from places like Russia and China – we’re seeing it right now.
In Ireland last year, we saw an enormous and unprecedented cyberattack on our health service, with the personal data of thousands of people compromised. Imagine the same happening to an entire financial system. European citizens must be able to have confidence in the systems they use to save and invest their money. This is why this regulation is so important and essential. We need to implement it very quickly because of all the sensitive data that is held by our EU-wide financial services.
Robust cybersecurity rules are essential to help the digitalisation of European finance and make this a sector fit for the 21st century. I want to thank all of the rapporteurs that we worked with, and in particular I would like to say that my colleague Billy Kelleher led so very well on this file and worked so cooperatively with all of us.
If Europe wants to become a leading centre for financial services investment, we do need urgently a cybersecurity system in which people can have full and total confidence. It is an essential part of dealing with the future we are all facing.
Alfred Sant, on behalf of the S&D Group. – Mr President, two years of work are being concluded, and thanks go to our rapporteur, Mr Kelleher.
DORA will now set common rules for cybersecurity protocols and for good behaviour for all financial services in the EU. It aims to ensure that all companies which manage our finances have the tools by which to withstand all types of ICT-related disruptions and operational threats.
For the financial sector, cyber—risks are being countered by performance and procedural requirements, and not only, as up to now, by regulatory guidelines defining how much funds to attach to cybersecurity. The latter is a moving target. As complex cyber—threats develop, new risks will emerge. As new technologies become part of the financial system, new opportunities will emerge as well. DORA should create a common market in financial security with harmonised ICT risk-management tools, testing procedures and testing reporting methods.
From the beginning, proportionality was essential to our approach, clarifying the definitions of ICT incidents and critical functions to avoid adding unnecessary heaviness. DORA will now carry several challenges. Until now, big data and the cloud have been regulated from a data perspective. They will henceforth be strictly treated as extensions of financial entities if they provide critical services. Banks and financial services rely, in fact, on a few cloud service providers. The oversight over the latter must be rigorous. When the structure of the subsidiary changes, cloud providers will have to inform the supervisory authority. This ensures that DORA is enforced without restriction on geographical location.
Still, while we must deploy DORA with maximum commitment, European financial institutions need to be able to access all possible new technologies available globally as well as outside European borders. Clearly, this constitutes – and will constitute – a considerable new workload for supervisors.
Regarding the input impact of DORA on SMEs, although proportionality is embedded in DORA, in reality SMEs interfacing with banks and financial services could need stringent levels of cybersecurity compliance as they might otherwise pose a risk. The greatest care must be taken in this measure to avoid crippling SMEs.
Stéphanie Yon-Courtin, au nom du groupe Renew. – Monsieur le Président, Madame la Commissaire, après le vote sur le règlement sur les cryptomonnaies et celui pour faciliter le développement de la chaîne de blocs, c’est un pas de plus vers la souveraineté numérique de l’Europe que nous franchissons aujourd’hui. Avec ce nouveau règlement sur la résilience opérationnelle numérique du secteur financier, nous parachevons le paquet sur la finance numérique, et il était temps d’assurer la cyberrésilience de notre écosystème financier.
Ce nouvel encadrement de la finance numérique va à la fois protéger les investisseurs européens et préparer les entreprises du secteur financier contre les cyberattaques. C’est bien la capacité d’innovation de l’Europe et son autonomie stratégique qui se jouent ici. Les cyberattaques peuvent ébranler notre démocratie et elles touchent également notre système financier, pourtant au cœur de nos sociétés.
En renforçant la cyberrésilience des banques, nous leur permettons notamment de ne plus être dépendantes des fournisseurs informatiques. Alors que nous avons voté le règlement sur les marchés numériques pour limiter les comportements anticoncurrentiels des géants du numérique, nous réduisons désormais la dépendance des banques face à ces grandes entreprises technologiques.
Bogdan Rzońca, w imieniu grupy ECR. – Panie Przewodniczący! Pani Komisarz! W imieniu grupy ECR także wyrażam pozytywną opinię dla projektu ustawy na temat odporności operacyjnej i cyfrowej odporności operacyjnej. Chcę też powiedzieć, że pan przewodniczący Billy Kelleher bardzo transparentnie prowadził obrady. Mogliśmy wszyscy zgłaszać uwagi. Każdy, kto chciał zabrać głos, wypowiedział swoje uwagi. To, co cenne, to to, iż uprościliśmy trochę ten pierwotny system. Wprowadziliśmy kilka ważnych poprawek, np. co do niepotrzebnego, naszym zdaniem, uszczegóławiania. Udało się ominąć te zapisy, także co do zabezpieczenia własności prywatnej, do stosowania środków do poziomu ryzyka. To wszystko było przedmiotem naszych obrad.
Mam nadzieję, że właśnie cały ten projekt pozwoli zwiększyć zdolność firm do przetrwania w razie hybrydowych ataków, zakłóceń czy różnego rodzaju problemów z cyberatakami. Wiemy wszyscy, że cyberbezpieczeństwo jest kluczowym elementem wspierającym stabilność europejskiego systemu finansowego, i dlatego grupa ECR popierać to rozwiązanie.
José Gusmão, em nome do Grupo The Left. – Senhor Presidente, o DORA é uma iniciativa importante no sentido de reforçar a resistência das instituições financeiras a ciberataques e é uma iniciativa que, apesar de não ser tão ambiciosa como nós gostaríamos, nomeadamente nos deveres de informação das instituições financeiras aos reguladores, vai no sentido correto, no sentido de valorizar a regulação pública do setor financeiro para proteger o setor financeiro propriamente dito e os cidadãos, que são as primeiras vítimas do colapso do sistema financeiro.
É uma iniciativa que vai, infelizmente, ao arrepio da tendência mais geral para a desregulação do sistema financeiro que, essa sim, é um risco real para as instituições financeiras e para os Estados e os contribuintes. Convém sublinhar que os colapsos financeiros dos últimos anos não tiveram nada a ver com ciberataques, tiveram a ver com a gestão dos bancos e com a política da desregulação financeira. E convém que tenhamos aprendido essas lições.
Ivan Vilibor Sinčić (NI). – Poštovani predsjedavajući, kod pojave kriptovaluta ljudi su pohrlili jer su osjetili da tamo mogu biti slobodni od konvencionalnog financijskog sustava, koji je u suštini centraliziran, dužnički i nepravedan.
Digitalna imovina i digitalni novac sada mogu ići u jednom od dva smjera: ili kao alati oslobođenja ili porobljavanja. Možemo živjeti u svijetu gdje će se lako doći do kapitala, olakšati financiranje malih poduzeća i ideja, gdje će se vrijednost lako i sigurno moći prenijeti s jednog kraja svijeta na drugi - ili - druga verzija je svijet u kojem će centralizirani entiteti kontrolirati što možemo kupiti, ili smijemo kupiti, i koja prava imamo sukladno socijalnom kreditu i biometrijskom nadziranju. Svijet u kojem će nam na temelju nepodobnih statusa na društvenim mrežama biti blokiran račun, digitalni kavez. Kripto tržište treba regulirati, ali na način kako bi došlo do što ranije implementacije i prihvaćanja kriptovaluta. Međutim, ovdje predložena regulacija će zahtijevati mjere koje podrivaju samu prirodu i ideju kriptovaluta - ideju o slobodi i decentralizaciji - što usporava, a ne potiče razvoj.
Želimo sigurnost, ali ne pod cijenu slobode, nikada pod cijenu slobode. Također, građanima za plaćanje treba ostaviti pravo izbora. Apsolutno sam protiv toga da se ograničava, pa i ukida, plaćanje gotovinom. Bez gotovine, nemamo kontrolu mi, nego banke i država.
Postup prihlásenia sa o slovo zdvihnutím ruky
Stanislav Polčák (PPE). – Pane předsedající, já velmi sleduji tuto bitvu o balíček, který má posloužit k posílení naší finanční stability. A je dobře, že po nařízení DORA sledujeme i další aktivity. Jsem přesvědčen o tom, že digitalizace finančního sektoru je krok správným směrem, ale přináší také významná rizika, zejména v podobě kryptoměn.
Já osobně jsem přesvědčen o tom, že představují skutečně vážné ohrožení našeho finančního sektoru a je dobré, že na to reagujeme. Pro nás je prioritou stabilita finančního sektoru, a zejména bezpečnost. Musíme klást jasné podmínky pro finanční instituce při zajištění jejich služeb, ale také při zajištění transparentnosti jejich vystupování a bezpečnosti procedur, které provádí, protože jejich kroky mají dopad na všechno, dokonce na stabilitu měnového systému, samozřejmě na malé a střední podniky. Je důležité testovat také odolnost bank a samozřejmě předcházet hybridním útokům. To všechno se tento balíček snaží postihnout a já jsem rád, že jej mohu za toto podpořit.
(Ukončenie postupu prihlásenia sa o slovo zdvihnutím ruky)
Mairead McGuinness,Member of the Commission. – Mr President, I think I can be brief and just say a sincere thank you to all of the honourable Members for this evening’s debate. It is absolutely essential that we protect ourselves and our system against attack, and those financial entities in scope will be part of this process. There will be oversight also by EU supervisory authorities of big critical ICT providers to the sector.
And I think this is really stepping up, taking responsibility. As more and more of us use online financial products and services, we need to have trust in the system and have the confidence to make sure that there is supervision and checks on ICT providers and that the financial system is required to check that they are not vulnerable to these attacks, which could be so damaging for the system itself, for individuals and for businesses. So again, my appreciation to the Members and indeed to the rapporteurs.
Billy Kelleher, rapporteur. – Mr President, just again, to acknowledge Frances Fitzgerald, Alfred Sant, Bogdan Rzońca and José Gusmão as shadow rapporteurs for their cooperation and help on this file. This is about ensuring the integrity of our financial services, it’s about protecting the financial systems, but more importantly, it’s about protecting citizens. It’s about ensuring that citizens have confidence that their information, that their money, that the systems that they use every day in a modern, functioning, digitised world has the integrity at its heart in terms of cybersecurity protections.
So from that perspective, I would urge the regulators now that are charged with the responsibility to engage with the major stakeholders and industry to ensure that they can bring forward second-tier proposals and guidance to ensure that we have seamless understanding of the obligations that will be placed on ICT third-party providers, on financial entities themselves, and all those regulated in the European Union to ensure that we have a swift move to where we need to get to, to ensure that that integrity, as I said, is there.
We do also have to ensure that resources are made available, Commissioner. We need the regulators to be able to regulate, to be able to oversee. And in doing that, that requires resources. Also, Member States must be conscious of their obligations. And what we don’t want is for regulators, even though we did put in an overarching framework, we don’t want regulators and Member States to become siloed again. We want to have uniformity across the entire European Union in terms of regulation, in terms of oversight, in terms of obligations on financial entities and third-party critical providers as well.
So in thanking everybody, I hope that over the next number of years we will see an evolving, exciting, enthusiastic engagement by regulators and the broader industry to ensure future-proofing, that our competitiveness is protected, but most importantly, that we have robust systems against cyber-attacks from nefarious actors who are willing to hurt us.
Mikuláš Peksa, zpravodaj. – Pane předsedající, já bych chtěl tedy této příležitosti ještě jednou využít k tomu, abych poděkoval jak paní komisařce, tak všem svým kolegům, zpravodajům, panu kolegovi Kelleherovi i všem ostatním, kteří se na přípravě tohoto dokumentu podíleli, i vám všem, kteří jste vystupovali nyní v debatě. Já věřím, že evropští občané to ocení, protože tohle je jeden z nejdůležitějších dokumentů pro zajištění bezpečnosti našeho finančního sektoru a přispívá k němu významným dílem, jak je ve zbytku světa nesporně nezvyklé.
Predsedajúci. – Spoločná rozprava sa týmto skončila. Hlasovanie sa uskutoční zajtra.
Písomné vyhlásenia (článok 171)
Andżelika Anna Możdżanowska (ECR), na piśmie. – Prace nad operacyjną odpornością cyfrową to jedna z wielu spraw związanych z cyfryzacją finansów, którymi się obecnie zajmujemy. Postęp w tej dziedzinie, ilość oferowanych rozwiązań, a także zmiany w mentalności i zmiany nawyków konsumentów – wszystko to wymaga od nas szybkiej reakcji w celu zapewnienia bezpieczeństwa klientów i instytucji finansowych oraz przeciwdziałania praniu pieniędzy. Na ostateczną decyzję Parlamentu czekają m.in. dwa inne rozporządzenia, w pracach nad którymi miałam przyjemność brać udział: o rynkach kryptoaktywów (MiCA) oraz o informacjach towarzyszących transferom środków pieniężnych (FTR). Obie regulacje mają na celu dostosowanie reguł gry do nowych realiów i „ucywilizować” obrót kryptoaktywami. Co charakterystyczne – największą trudność w tych pracach stanowiło wypracowanie odpowiednich definicji: mechanizmy spotykane w świecie finansów cyfrowych bardzo odbiegają od tradycyjnych i wymagają przemyślanych rozwiązań.
W tle naszej dyskusji wciąż pozostają kwestie cyfrowego euro, które jest postrzegane także jako szansa na wzmocnienie znaczenia europejskiej waluty. W tym kontekście warto zauważyć, że cyfrowe euro mogłoby wesprzeć innowacje, cyfryzację gospodarki oraz stanowić bezpieczniejszą alternatywę dla kryptowalut. W pracach nad nim należy jednak brać pod uwagę potrzebę zapewnienia bezpieczeństwa i prywatności konsumentów: zwiększona kontrola z całą pewnością nie jest tym, czego obywatele UE od nas chcą i czego oczekują.