The European Commission has launched infringement proceedings against 13 EU member states for failing to fully transpose the flagship Digital Operational Resilience Act (DORA) into national law by the January 17 deadline.
In a fresh intervention, the commission has issued formal notices to the group, which varies widely in terms of regional and economic influence.
Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia have all been urged to finalise the transposition of DORA.
The affected countries now have two months to respond and outline how they plan to align their national legislation with the directive.
If they fail to provide a satisfactory response, the commission may escalate the matter by issuing a reasoned opinion, potentially leading to further legal action and financial penalties.
“The DORA Directive aims to establish clear and consistent digital operational resilience rules for financial entities such as banks, insurance companies and investment firms, thereby guaranteeing the smooth functioning of the single market,” the commission said.
The commission warned that “full implementation of the legislation is key to strengthen the digital operational resilience of financial entities across the EU by addressing risks associated with the increasing digitalisation of financial services”.
Vixio contacted the member states in question, with a spokesperson for the Latvian government saying that “Latvia is in the final stage of implementing” DORA.
“As soon as the regulatory enactments related to the implementation of the Digital Operational Resilience Act (DORA) come into force, Latvia will immediately notify the European Commission,” they said.
It is not uncommon for the commission to take actions such as this — in 2020, for example, it referred Austria, Belgium and the Netherlands to the Court of Justice of the European Union for failing to fully implement EU anti-money laundering (AML) rules.
Taking operational resilience seriously
Recent incidents such as the CrowdStrike outage make the issue of operational resilience incredibly pertinent for jurisdictions such as the EU, which prides itself on high regulatory standards for market players, to the benefit of consumers.
Member states’ failure to implement a framework such as DORA undermines the bloc’s approach to the increasingly digitised economy.
“We now function in a hyper-connected, 24/7 economy, where operational incidents become a matter of national news,” said Richard Albery, head of business growth, Europe, at ACI Worldwide.
Albery added that the “reliance on unmediated channel apps, embedded finance and digital platforms means that previously contained issues are now highly visible and brand-impacting”.
Because of this, he said, there is an always-on expectation from consumers, and operational resilience has transformed into something that is no longer just a matter for internal IT service management.
“A bank’s payment system must be trusted and supported by proportionate controls and oversight measures,” he continued.
“Whilst the emergence of fintech provides a significant opportunity for innovation, this must be built on a solid foundation underpinned by regulations such as DORA.”