
AFME comments on EU Digital Omnibus Package: EU Risks Missing Opportunity to Simplify Cyber Regulation

19 November 2025

Following the European Commission’s publication of the Digital Omnibus Package today, AFME strongly supports the policy objective of regulatory simplification and welcomes several measures. However, the financial services sector regrets that the proposal misses key “low-hanging fruit” and raises concerns that certain elements—particularly the overlap between the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA), as well as the plan for a single EU entry point for cyber and data-breach reporting—could inadvertently increase regulatory complexity.

 

Overlap Between DORA and the Cyber Resilience Act

The Association for Financial Markets in Europe (AFME) warns that despite being designed as distinct frameworks—product regulation (CRA) versus entity-level regulation (DORA)—the two regimes would, in practice, apply to the same digital systems, applications, and operational tools used across the financial sector, including banking apps, online platforms and onboarding portals. These digital channels are already fully governed by DORA’s holistic lifecycle framework, which covers risk management, incident handling, vulnerability management and customer communications.

 

Layering CRA requirements on top of DORA would lead to duplicative reporting, overlapping enforcement, and redundant risk assessments, generating substantial operational costs without delivering any meaningful improvement in cyber resilience. The sector is therefore calling for a CRA exemption for financial services, following the precedent set in relation to the Network and Information Systems (NIS) Directive.

 

In fact, DORA’s suite of operational measures, including incident reporting, third party management, and resilience testing, is proving far more burdensome in practice than envisaged, and warrants refinement and rationalisation. AFME is particularly concerned that the Commission’s attention may now be diverted to the single hub proposal, rather than focusing on simplifying DORA itself.

 

James Kemp, Managing Director of Technology & Operations at AFME, said: “The overlap between the Cyber Resilience Act and DORA risks creating a maze of duplicative requirements for financial institutions already subject to rigorous cyber oversight. In trying to enhance cybersecurity, the Commission is inadvertently layering product regulation on top of entity regulation, capturing the same systems twice. This not only undermines efficiency but contradicts the EU’s goals on competitiveness and regulatory simplification.”

 

Concerns Over a Single EU Entry Point for Cyber and Data-Breaches
AFME also raises concerns about the plan to create a single EU-wide reporting hub for cyber and data-breach incidents. The proposal carries significant operational and security risks, including:

  1. the level of resourcing required to operate the hub securely,
  2. the likelihood that such a hub becomes a high-value target for malicious actors, and
  3. the limited benefits of centralisation when the different types of regulatory reporting, including under both the CRA and DORA as well as GDPR and the AI Act, all have their own divergent definitions, reporting thresholds and templates.

 

James Kemp said: “A single hub would be valuable only if it guarantees the aggregation of the reporting which market participants must submit, so that firms have only to triage and collate one report while in the midst of responding to an incident.”

 

Welcome Delay to AI Rules
AFME also welcomes the Commission’s decision to delay the enforcement of the high-risk AI rules included in the package. We note that this delay provides additional time for the finalisation of key guidelines and technical standards by EU authorities, as well as the supervision arrangements in Member States. This will allow financial institutions to understand the implications for the sector, align with existing risk, resilience and cybersecurity frameworks, and ensure that the AI Act is implemented in an effective and efficient manner.

 

AFME looks forward to working constructively with policy makers as the Digital Omnibus moves into the next phase.

 

– Ends –
