Digital operational and cyber-resilience: are EU proposals fit-for-purpose? (DORA, NIS…)

Day 1 Afternoon

Wednesday 08 September

Room: Plenary Room 2


Joachim Wuermeling
Member of the Executive Board - Deutsche Bundesbank
Public Authorities
Christopher P. Buttigieg
Chief Officer Supervision, Chief Executive Officer ad-interim - Malta Financial Services Authority (MFSA)
Billy Kelleher
MEP - Committee on Economic and Monetary Affairs, European Parliament
Ana Teresa Moutinho
Head of the Supervisory Processes Department - European Insurance and Occupational Pensions Authority (EIOPA)
Industry Representatives
Matthew Field
Executive Director, Head of Cyber and Tech Policy & Partnerships - JPMorgan Chase & Co.
Jason Harrell
Executive Director and Head of Business and Government Cybersecurity Partnerships - The Depository Trust & Clearing Corporation (DTCC)
Lorelien Hoet
Director EU Government Affairs - Microsoft

This session will first discuss the development of information and communications technology (ICT) risks in the financial sector and the main areas of improvement of ICT risk management. The panel will also assess whether the DORA legislative proposal is fit-for-purpose for tackling ICT risks and the risks arising from the management of ICT third-party service providers, and will discuss the main priorities and potential issues raised by these proposals.

Points of discussion

  1. Are ICT risks developing in the financial sector and, if so, what are the main characteristics of these evolutions? Is the framework proposed by DORA for the mitigation of ICT risks appropriate? Do certain measures need adjusting or clarifying, and do some pose implementation issues? Do these proposals easily reconcile with existing EU and domestic rules concerning ICT risks and cyber-resilience?
  2. How significant are ICT third-party risks in the financial sector and how are they expected to develop in the coming years? Does DORA propose an adequate framework for the management of third-party ICT risks? Are the measures proposed for mitigating the risks from critical third-party providers appropriate? Do these proposals easily reconcile with the work underway at the international level?