Cybersecurity: final vote on measures to protect EU’s financial system

MEPs voted on rules to protect financial bodies like banks, payment providers and investment firms from information and communication technology-related incidents.

The new rules, agreed with EU governments in May 2022, will harmonise and strengthen digital operational resilience requirements for the EU’s financial services sector. The bill sets up requirements to protect against, detect, contain, recover from, and repair information and communication technology (ICT)-related incidents. These requirements will be paired with reporting and digital testing capabilities.

The new rules, adopted with 556 votes to 18 and 38 abstentions, will apply to banks, payment providers, electronic money providers, investment firms and crypto-asset service providers, as well as to ICT third-party service providers that are regulated at EU level.

The regulation enters into force on the twentieth day following its publication in the Official Journal of the EU and will apply from 24 months after the date of entry into force.

In a separate vote, MEPs approved changes to the EU directive on Digital Operational Resilience requirements, aligning these new rules to existing financial services legislation. The text was adopted with 553 votes to 19 and 40 abstentions.

The directive enters into force on the twentieth day following its publication in the Official Journal of the EU. After its adoption, member states will have 24 months to make changes in national law in order to comply with it.