Article 49

Financial cross-sector exercises, communication and cooperation


TL;DR The Digital Operations Resilience Act from the EU establishes mechanisms to enable the sharing of effective practices across financial sectors to enhance situational awareness and identify cyber-related vulnerabilities and risks. It also develops crisis management and contingency exercises involving cyber-attack scenarios with a view to developing communication channels and coordinated response at Union level in the event of a major cross-border ICT-related incident. Competent authorities, ESAs and the ECB are mandated to cooperate and exchange information to carry out duties, identify and remedy breaches of the Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation, and provide cross-jurisdictional assessments.
  1. The ESAsEuropean Supervisory Authority, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 and in collaboration with competent authoritiesas defined in Article 46, resolution authorities as referred to in Article 3 of Directive 2014/59/EU, the ECB, the Single Resolution Board as regards information relating to entities falling under the scope of Regulation (EU) No 806/2014, the ESRB and ENISA, as appropriate, may establish mechanisms to enable the sharing of effective practices across financial sectors to enhance situational awareness and identify common cyber vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited and risks across sectors.

    They may develop crisis management and contingency exercises involving cyber-attacka malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset scenarios with a view to developing communication channels and gradually enabling an effective coordinated response at Union level in the event of a major cross-border ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity or related threat having a systemic impact on the Union’s financial sector as a whole.

    Those exercises may, as appropriate, also test the financial sector’s dependencies on other economic sectors.

  2. Competent authoritiesas defined in Article 46, ESAsEuropean Supervisory Authority and the ECB shall cooperate closely with each other and exchange information to carry out their duties pursuant to Articles 47 to 54. They shall closely coordinate their supervision in order to identify and remedy breaches of this Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation and provide cross-jurisdictional assessments in the event of any disagreements.