Chapter IX - Transitional and final provisions (Art. 58-64)

Art. 58 DORA - Review clause arrow_right_alt

By 17 January 2028, the Commission shall, after consulting the ESAs and the ESRB, as appropriate, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal. The review shall include at least the following:
1. the criteria for the designation of critical ICT third-party service providers in accordance with Article 31(2);
2. the voluntary nature of the notification of significant cyber threats referred to in Article 19;
3. the regime referred to in Article 31(12) and the powers of the Lead Overseer provided for in Article 35(1), point (d), point (iv), first indent, with a view to evaluating the effectiveness of those provisions with regard to ensuring effective oversight of critical ICT third-party service providers established in a third country, and the necessity to establish a subsidiary in the Union.
  For the purposes of the first subparagraph of this point, the review shall include an analysis of the regime referred to in Article 31(12), including in terms of access for Union financial entities to services from third countries and availability of such services on the Union market and it shall take into account further developments in the markets for the services covered by this Regulation, the practical experience of financial entities and financial supervisors with regard to the application and, respectively, supervision of that regime, and any relevant regulatory and supervisory developments taking place at international level.
4. the appropriateness of including in the scope of this Regulation financial entities referred to in Article 2(3), point (e), making use of automated sales systems, in light of future market developments on the use of such systems;
5. the functioning and effectiveness of the JON in supporting the consistency of the oversight and the efficiency of the exchange of information within the Oversight Framework.
In the context of the review of Directive (EU) 2015/2366, the Commission shall assess the need for increased cyber resilience of payment systems and payment-processing activities and the appropriateness of extending the scope of this Regulation to operators of payment systems and entities involved in payment-processing activities. In light of this assessment, the Commission shall submit, as part of the review of Directive (EU) 2015/2366, a report to the European Parliament and the Council no later than 17 July 2023.

Based on that review report, and after consulting ESAs, ECB and the ESRB, the Commission may submit, where appropriate and as part of the legislative proposal that it may adopt pursuant to Article 108, second paragraph, of Directive (EU) 2015/2366, a proposal to ensure that all operators of payment systems and entities involved in payment-processing activities are subject to an appropriate oversight, while taking into account existing oversight by the central bank.

By 17 January 2026, the Commission shall, after consulting the ESAs and the Committee of European Auditing Oversight Bodies, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal, on the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience, by means of the inclusion of statutory auditors and audit firms into the scope of this Regulation or by means of amendments to Directive 2006/43/EC of the European Parliament and of the Council (39).

104

Recital 104

The potential systemic cyber risk associated with the use of ICT infrastructures that enable the operation of payment systems and the provision of payment processing activities should be duly addressed at Union level through harmonised digital resilience rules. To that effect, the Commission should swiftly assess the need for reviewing the scope of this Regulation while aligning such review with the outcome of the comprehensive review envisaged under Directive (EU) 2015/2366. Numerous large-scale attacks over the past decade demonstrate how payment systems have become exposed to cyber threats. Placed at the core of the payment services chain and showing strong interconnections with the overall financial system, payment systems and payment processing activities acquired a critical significance for the functioning of the Union financial markets. Cyber-attacks on such systems can cause severe operational business disruptions with direct repercussions on key economic functions, such as the facilitation of payments, and indirect effects on related economic processes. Until a harmonised regime and the supervision of operators of payment systems and processing entities are put in place at Union level, Member States may, with a view to applying similar market practices, draw inspiration from the digital operational resilience requirements laid down by this Regulation, when applying rules to operators of payment systems and processing entities supervised under their own jurisdictions.

Art. 59 DORA - Amendments to Regulation (EC) No 1060/2009 arrow_right_alt

Regulation (EC) No 1060/2009 is amended as follows:

in Annex I, Section A, point 4, the first subparagraph is replaced by the following:

‘A credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*1).

(*1) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;”

in Annex III, point 12 is replaced by the following:

‘12. The credit rating agency infringes Article 6(2), in conjunction with point 4 of Section A of Annex I, by not having sound administrative or accounting procedures, internal control mechanisms, effective procedures for risk assessment, or effective control or safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554; or by not implementing or maintaining decision-making procedures or organisational structures as required by that point.’.

102

Recital 102

Since this Regulation, together with Directive (EU) 2022/2556 of the European Parliament and of the Council ⁽¹⁾, entails a consolidation of the ICT risk management provisions across multiple regulations and directives of the Union’s financial services acquis, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, and Regulation (EU) 2016/1011 of the European Parliament and of the Council ⁽²⁾, in order to ensure full consistency, those Regulations should be amended to clarify that the applicable ICT risk-related provisions are laid down in this Regulation.

^{(1) Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector (see page 153 of this Official Journal).

(2) Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014 (OJ L 171, 29.6.2016, p. 1).}

Art. 60 DORA - Amendments to Regulation (EU) No 648/2012 arrow_right_alt

Regulation (EU) No 648/2012 is amended as follows:

Article 26 is amended as follows:
1. paragraph 3 is replaced by the following:

‘3. A CCP shall maintain and operate an organisational structure that ensures continuity
and orderly functioning in the performance of its services and activities. It shall employ appropriate and
proportionate systems, resources and procedures, including ICT systems managed in accordance with Regulation (EU)
2022/2554 of the European Parliament and of the Council (*2).

^{(*2) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14

December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No

1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p.

1).’;”}

1. paragraph 6 is deleted;
Article 34 is amended as follows:
1. paragraph 1 is replaced by the following:

‘1. A CCP shall establish, implement and maintain an adequate business continuity policy
and disaster recovery plan, which shall include ICT business continuity policy and ICT response and recovery plans
put in place and implemented in accordance with Regulation (EU) 2022/2554, aiming to ensure the preservation of its
functions, the timely recovery of operations and the fulfilment of the CCP’s obligations.’;

1. in paragraph 3, the first subparagraph is replaced by the following:

‘3. In order to ensure consistent application of this Article, ESMA shall, after
consulting the members of the ESCB, develop draft regulatory technical standards specifying the minimum content and
requirements of the business continuity policy and of the disaster recovery plan, excluding ICT business continuity
policy and disaster recovery plans.’;

in Article 56(3), the first subparagraph is replaced by the following:

‘3. In order to ensure consistent application of this Article, ESMA shall develop draft
regulatory technical standards specifying the details, other than for requirements related to ICT risk management,
of the application for registration referred to in paragraph 1.’;

in Article 79, paragraphs 1 and 2 are replaced by the following:

‘1. A trade repository shall identify sources of operational risk and minimise them also
through the development of appropriate systems, controls and procedures, including ICT systems managed in accordance
with Regulation (EU) 2022/2554.

2. A trade repository shall establish, implement and maintain an adequate business
continuity policy and disaster recovery plan including ICT business continuity policy and ICT response and recovery
plans established in accordance with Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions,
the timely recovery of operations and the fulfilment of the trade repository’s obligations.’;

in Article 80, paragraph 1 is deleted.
in Annex I, Section II is amended as follows:
1. points (a) and (b) are replaced by the following:

‘(a) a trade repository infringes Article 79(1) by not identifying sources of
operational risk or by not minimising those risks through the development of appropriate systems, controls and
procedures including ICT systems managed in accordance with Regulation (EU) 2022/2554;

(b) a trade repository infringes Article 79(2) by not establishing, implementing or
maintaining an adequate business continuity policy and disaster recovery plan established in accordance with
Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions, the timely recovery of operations and
the fulfilment of the trade repository’s obligations;’;

1. point (c) is deleted.

Annex III is amended as follows:
1. Section II is amended as follows:
  1. point (c) is replaced by the following:
    
    ‘(c) a Tier 2 CCP infringes Article 26(3) by not maintaining or operating an
    organisational structure that ensures continuity and orderly functioning in the performance of its services and
    activities or by not employing appropriate and proportionate systems, resources or procedures including ICT systems
    managed in accordance with Regulation (EU) 2022/2554;’;
  2. point (f) is deleted.
2. in Section III, point (a) is replaced by the following:
  
  ‘(a) a Tier 2 CCP infringes Article 34(1) by not establishing, implementing or
  maintaining an adequate business continuity policy and response and recovery plan set up in accordance with
  Regulation (EU) 2022/2554, aiming to ensure the preservation of its functions, the timely recovery of operations and
  the fulfilment of the CCP’s obligations, which at least allows for the recovery of all transactions at the time of
  disruption to allow the CCP to continue to operate with certainty and to complete settlement on the scheduled
  date;’.

103

Recital 103

Consequently, the scope of the relevant articles related to operational risk, upon which empowerments laid down in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014, and (EU) 2016/1011 had mandated the adoption of delegated and implementing acts, should be narrowed down with a view to carry over into this Regulation all provisions covering the digital operational resilience aspects which today are part of those Regulations.

Art. 61 DORA - Amendments to Regulation (EU) No 909/2014 arrow_right_alt

Article 45 of Regulation (EU) No 909/2014 is amended as follows:

paragraph 1 is replaced by the following:

‘1. A CSD shall identify sources of operational risk, both internal and external, and minimise their impact also through the deployment of appropriate ICT tools, processes and policies set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*3), as well as through any other relevant appropriate tools, controls and procedures for other types of operational risk, including for all the securities settlement systems it operates.

^{(*3) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;”}

paragraph 2 is deleted;
paragraphs 3 and 4 are replaced by the following:

‘3. For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554, to ensure the preservation of its services, the timely recovery of operations and the fulfilment of the CSD’s obligations in the case of events that pose a significant risk to disrupting operations.

4. The plan referred to in paragraph 3 shall provide for the recovery of all transactions and participants’ positions at the time of disruption to allow the participants of a CSD to continue to operate with certainty and to complete settlement on the scheduled date, including by ensuring that critical IT systems can resume operations from the time of disruption as provided for in Article 12(5) and (7) of Regulation (EU) 2022/2554.’;

paragraph 6 is replaced by the following:

‘6. A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operates, as well as service and utility providers, and other CSDs or other market infrastructures might pose to its operations. It shall, upon request, provide competent and relevant authorities with information on any such risk identified. It shall also inform the competent authority and relevant authorities without delay of any operational incidents, other than in relation to ICT risk, resulting from such risks.’;

in paragraph 7, the first subparagraph is replaced by the following:

‘7. ESMA shall, in close cooperation with the members of the ESCB, develop draft regulatory technical standards to specify the operational risks referred to in paragraphs 1 and 6, other than ICT risk, and the methods to test, to address or to minimise those risks, including the business continuity policies and disaster recovery plans referred to in paragraphs 3 and 4 and the methods of assessment thereof.’.