Skip to main content
European Commission logo
enen
Business, Economy, Euro
Finance

Cyber resilience

The framework on digital operational resilience focuses on managing the risks associated with the financial sector relying more on software and digital processes.

What the EU is doing and why

The digital finance sector faces a continuous and evolving cyber threat landscape, where malicious actors constantly devise advanced techniques to exploit vulnerabilities and compromise the security of financial institutions, transactions, and sensitive customer data.

The growing dependency of the financial sector on software and digital processes increases these risks.

Cyber resilience means being prepared for, as well as being capable of enduring, recovering from, and adapting to cyber threats.

The EU adopted a legislative framework the Regulation on Digital Operational Resilience (DORA), in order to strengthen companies’ capacity, not just for preventing incidents but also for minimising disruptions and ensuring swift recovery after ICT-related disruptions. It also includes an oversight mechanism on service providers, such as Big Techs, which provide cloud computing services to financial institutions.

This initiative connects to a wider workstream ongoing at European and international level to strengthen the cybersecurity in financial services and address broader operational risks.

Policy making timeline

  1. 13 March 2024
    Legislation - Digital operational resilience (DORA)

    Adoption of three regulatory technical standards (RTSs) complementing the EU regulatory frameworks on cybersecurity matters for the financial sector.

  2. 22 February 2024
    Legislation - Digital operational resilience (DORA)

    Adoption of 2 delegated acts that specify the criteria for determining whether a third-party provider of ICT services is critical for the EU financial sector and determine the fees for their oversight.

  3. 16 November 2023
    Legislation - Digital operational resilience (DORA)

    Launch of a 4-week feedback process on 2 delegated acts in view of their adoption.
    End date: 14 December 2023

  4. 16 January 2023
    Legislation - Digital operational resilience (DORA)

    The Digital Operational Resilience Regulation (DORA) came into force.

  5. 27 December 2022
    Legislation - Digital operational resilience (DORA)

    Publication of the Digital Operational Resilience Regulation (DORA) in the Official Journal.

  6. 11 May 2022
    Political agreement - Digital operational resilience (DORA)

    Political agreement between the European Parliament and the Council on the legislative initiative on improving resilience against cyberattacks.

  7. 24 September 2020
    Legislative proposal - Digital operational resilience (DoRa) & crypto-assets (MiCa)

    Digital finance package containing

  8. 3 April 2020
    Consultation - Digital finance strategy

    The Commission launched a consultation on a new digital finance strategy for Europe / FinTech action plan.
    End date: 26 June 2020

  9. 19 December 2019
    Consultation - Digital operational resilience & crypto-assets

    The Commission launched two consultations

  10. 10 April 2019
    Technical advice - ICT risks in finance

    Joint technical advice of the European Supervisory Authorities (ESAs) calling for a more coherent approach in addressing ICT risks in finance. This advice is a response to the Commission’s 2018 FinTech action plan.

  12. 8 March 2018
    Action plan - FinTech

    The Commission adopted the FinTech action plan.

Relevant legislation