FIA responds to European Commission consultation on revising EU Cybersecurity Act

20 June 2025

FIA welcomes the European Commission's stakeholder engagement to ensure improved and fit-for-purpose cyber risk management rules apply to financial entities.

FIA recommends that, where rulesets overlap or share the same objectives, cyber risk management rules should apply from a single ruleset. The Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA) overlap and apply to the same financial services. The CRA uses product terminology and applies concepts to financial services whose meaning there is uncertain, because the financial sector is separately regulated and supervised.

The CRA further applies another cyber incident reporting regime to financial services, despite DORA's objective to harmonise incident reporting in the financial sector. The CRA introduces new enforcement mechanisms, and regulators, through market surveillance authorities, now have a purview over financial services. The CRA creates unclear expectations and would result in a significant implementation burden, because substantial guidance is being produced during the implementation period.
