The Association for Financial Markets in Europe (AFME) today warned that the Commission’s failure to adopt bold simplification measures on cyber and operational resilience within the Digital Omnibus Package risks creating an ever-growing operational burden for the financial services sector.
In its response to the Commission’s Digital Fitness Check Call for Evidence, which closes today, AFME calls on the European Parliament and Council to encourage the Commission to reconsider its approach ahead of upcoming trilogue negotiations later this year.
Marcus Corry, Director of Technology & Operations at the Association for Financial Markets in Europe (AFME), said: "The Digital Omnibus presents a real chance to simplify EU regulation for financial services, but the Commission has missed a key opportunity by not granting a sectoral exemption from the Cyber Resilience Act. Financial firms are already covered by the Digital Operational Resilience Act (DORA), so adding the Cyber Resilience Act on top creates duplicate rules, extra reporting, and unnecessary complexity without making banks any safer. This is an opportunity to demonstrate the EU commitment to banking competitiveness and policy makers now have a chance to fix this during trilogue negotiations by providing clarity and reducing duplication so banks can focus on strengthening real cyber resilience."
AFME’s response highlights that overlaps between the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA) and other related files are creating additional burdens for firms, without improving resilience. Banks and other financial institutions already manage cyber risks across all their systems, apps, and digital platforms under DORA. Applying overlapping regulation risks creating confusion for industry, inconsistencies between authorities, and duplicative oversight.
AFME has called for a sectoral exemption for financial services from the CRA, following the approach already taken in other sectors with overlapping EU rules, such as aviation and automotive. At a minimum, banks should be exempt from the CRA’s incident reporting obligations, allowing for meaningful simplification while maintaining strong cybersecurity standards under DORA.
The Commission’s proposed incident reporting hub - intended as a single entry point for multiple reports - is a welcome acknowledgement of the burden on firms, but fails to simplify in practice. Financial firms would still need to maintain separate reporting processes for other EU laws and regulations related to digital, cybersecurity, and data protection, including CRA, DORA, NIS2, CER, GDPR, eIDAS, and soon the AI Act. The hub would simply add an extra layer on top, rather than reducing complexity.
AFME therefore urges the European Parliament and Council to take bold action in the upcoming trilogue negotiations, to ensure that digital and cyber regulation for financial services is simplified, efficient, and effective, enabling firms to focus on real operational resilience and security.
– Ends –


