Credit unions in Europe will receive proportional treatment when it comes to the requirements of a new EU digital resilience regulation, according to a provisional agreement reached by the European Council presidency and European Parliament last week.
The agreement marks a win for the World Council of Credit Unions (Woccu) and its partner, the European Network of Credit Unions (ENCU), which had called for a proportional approach to be included in the regulation that would allow policymakers to consider the size, nature, scale and complexity of credit union services, activities and operations.
The Digital Operational Resilience Act (DORA) sets out a number of regulatory requirements for financial institutions around security risks for information and communications technology (ICT). These include implementing governance frameworks to manage risks, carrying out digital resilience testing, managing ICT third-party risk and reporting major ICT-related incidents.
MEP Billy Kelleher, lead MEP responsible for the regulation, described DORA as “a key step in building up the EU’s cyber-resilience at the point where financial services and ICT interact”, adding: “The agreement provides for robust ICT risk management, testing and reporting requirements while at the same time future-proofing the legislation, adhering to the principle of proportionality and protecting competition.”
A key way in which the agreement takes proportionality into account is by allowing member states to establish rules for institutions that are exempt under the EU Capital Requirements Directive.
Woccu’s senior vice president of advocacy and general counsel, Andrew Price, has previously stressed the need for international bodies to allow for the tailoring of regulations when it comes to community-based financial institutions such as credit unions.
Mr Price said: “We thank the European Parliament for listening to our needs and tailoring rules that are appropriate for credit unions, while also accomplishing our mutual goal of protecting our members’ information from ICT breaches and ensuring the safe and sound operations of financial institutions.”
The provisional agreement on DORA must now be approved by the European Parliament before it is formally adopted, and then passed into law by each EU member state. Woccu and ENCU have said they will continue to be engaged throughout the formal adoption process.