Following the European Commission’s (EC’s) publication of the Digital Omnibus Package, the Association for Financial Markets in Europe (AFME) said that while it strongly supports the policy objective of regulatory simplification, the proposal misses key “low-hanging fruit” and raises concerns that certain elements — particularly the overlap between the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA), as well as the plan for a single EU entry point for cyber and data-breach reporting — could inadvertently increase regulatory complexity.
CRA-DORA overlap
AFME warns that despite being designed as distinct frameworks — product regulation (CRA) versus entity-level regulation (DORA) — the two regimes would, in practice, apply to the same digital systems, applications, and operational tools used across the financial sector, including banking apps, online platforms and onboarding portals. These digital channels are already fully governed by DORA’s holistic lifecycle framework, which covers risk management, incident handling, vulnerability management and customer communications.
Layering CRA requirements on top of DORA would lead to duplicative reporting, overlapping enforcement, and redundant risk assessments, generating substantial operational costs without delivering any meaningful improvement in cyber resilience. The sector is therefore calling for a CRA exemption for financial services, following the precedent set in relation to the Network and Information Systems (NIS) Directive.
In fact, DORA’s suite of operational measures, including incident reporting, third-party management, and resilience testing, is proving far more burdensome in practice than envisaged, and warrants refinement and rationalisation. AFME is particularly concerned that the Commission’s attention may now be diverted to the single hub proposal, rather than focusing on simplifying DORA itself.
James Kemp, managing director of Technology & Operations at AFME, said in a statement: “The overlap between the Cyber Resilience Act and DORA risks creating a maze of duplicative requirements for financial institutions already subject to rigorous cyber oversight. In trying to enhance cybersecurity, the Commission is inadvertently layering product regulation on top of entity regulation, capturing the same systems twice. This not only undermines efficiency but contradicts the EU’s goals on competitiveness and regulatory simplification.”
Single point of entry
AFME also raises concerns about the plan to create a single EU-wide reporting hub for cyber and data-breach incidents, saying the proposal carries significant operational and security risks, including:
- the level of resourcing required to operate the hub securely,
- the likelihood that such a hub becomes a high-value target for malicious actors, and
- the limited benefits of centralization when all types of regulatory reporting, including under both the CRA and DORA as well as the General Data Protection Regulation (GDPR) and the Artificial Intelligence (AI) Act, have their own divergent definitions, reporting thresholds and templates.
Kemp said in a statement: “A single hub would be valuable only if it guarantees the aggregation of the reporting which market participants must submit, so that firms have only to triage and collate one report while in the midst of responding to an incident.”
AFME also welcomed the EC’s decision to delay the enforcement of the high-risk AI rules included in the package.
“We note that this delay provides additional time for the finalization of key guidelines and technical standards by EU authorities, as well as the supervision arrangements in member states. This will allow financial institutions to understand the implications for the sector, align with existing risk, resilience and cybersecurity frameworks, and ensure that the AI Act is implemented in an effective and efficient manner,” AFME wrote in a statement.

